Safe Document Transfer: How to Secure the Paper Chain
Learn how your sensitive records can get from dank, dusty basement to cavernous, temperature-controlled storage facility without incident. Rule number one: Don't think!
February 27, 2008 — CSO —
Let’s move some valuable documents. Or a box of them. Maybe it’s proprietary research on a new drug. Maybe it’s the confidential testimony of an athlete in a steroids investigation. Maybe it’s the personal documents of a recently deceased, celebrated author. Who knows? The point is, if the cliché is true that information is currency, or even more valuable than currency, then when we move it around, it must be secured like money. Maybe better than that.
To understand both the risks and the security used all along the chain of custody, we visited with Joe DeSalvo, the head of security for information handling company Iron Mountain. DeSalvo will be the first to tell you that, no matter what security you put in place, incidents can happen. Indeed, this past fall, Iron Mountain suffered an incident in which personal data of financial aid applicants and their parents was lost due to an employee error. Prior to DeSalvo’s arrival, Iron Mountain suffered some other high-profile losses of backup tapes.
DeSalvo was brought in to reduce such incidents to as close to zero as possible. For the past 16 months he’s been creating a security program to that end. The program is a smooth blend of training, automation and technological innovation.
One of the principles behind DeSalvo’s program is, surprisingly, to reduce thinking. It seems counterintuitive, but it points to the difference between evaluating risk and incident response. The former is all about thinking, and conjuring up scenarios. The latter, though, is a rigid response protocol based on that previous thinking. And the more the risks can be thought about beforehand, the less thinking will be required in the event that an incident occurs.
“We’re trying to eliminate think points,” he says. “We don’t want people to have to make decisions.” In other words, the more that technology and process can dictate what the person transferring documents should do, the more DeSalvo can reduce the risk of human error, which is, in the end, the biggest pool of risk to navigate in chain-of-custody scenarios. Drivers shouldn’t even have to think about whether they left a door open. So, if they did, an alarm would sound and the truck wouldn’t start. Period.
On the other hand, DeSalvo also wants his drivers to be aware of their environment. Every pickup spot brings both predictable and unpredictable risks that the driver must be aware of and know how to handle. Drivers on a busy, one-way city street, for example, know they need to understand their parking options and to look for suspicious loiterers, while the driver pulling into an office park understands that companies other than his client, perhaps competitors, might share that space.
What’s more, other threats must be addressed, some as simple as wind blowing open a box and scattering paper. “Routine things present great challenges,” says DeSalvo.
DeSalvo offered an inside look at the entire chain of custody, from pickup point, to the truck itself, to the massive storage facility where many of these documents end up. Read on to learn about the risks along the way and the security used to offset them.
The Risk: Parking. In cities like New York, says DeSalvo, this is a major concern. Not only can it wreak havoc with schedules if a driver is parked in or simply can’t find a parking spot, but it also might force him to park farther away. That increases the time that documents are exposed to accidents or smash-and-grab heists during transfer from the client site to the truck.
The Mitigation: Drivers are trained to know how far away they can park and often gather intelligence, making notes of the best spots and times to make transfers for regular clients. In some cases, says DeSalvo, in places like New York, pickups are scheduled for 4 a.m. to avoid traffic and parking concerns.
The Risk: Suspicious loiterers. This heist risk is different and more limited than transferring money. Money is valuable to anyone, whereas documents are not. Still, corporate espionage is serious business, and depending on the documents’ value, it needs to be addressed.
The Mitigation: The best way to mitigate this risk is to make it difficult for strangers to interrupt the pickup process. Drivers are also trained in looking for suspicious characters and have highly detailed procedures to follow in the event of a confrontation.
The Risk: Weather/environment. Drivers need to be aware of their environment. Anything from scaffolding, wet cement and jackhammers, to rain and, yes, wind. Next to a lost or stolen document, a damaged one is the second-worst outcome during transfer.
The Mitigation: Risk avoidance rules here. If drivers can keep their distance from these factors, they do. Sometimes they can’t. Rain falls everywhere, and wind is unavoidable. Drivers have had to dodge blocks of snow falling from roofs or awnings. You might be surprised at the kinds of freak accidents that could damage documents. Drivers are trained to be aware of all these elements. In addition, they are given tools to protect documents from the elements: straps to secure boxes from the wind and covers to protect them from the rain.
The Risk: The client. DeSalvo notes that clients themselves can be careless with documents, leaving them in unguarded hallways or with other boxes of documents such that it’s hard for the driver to tell which are the ones designated for pickup. Client site mix-ups are a major concern in the chain of custody.
The Mitigation: Tricky, because it’s not usually good business to criticize a client. If a driver finds himself wending through a basement full of boxes to get to his boxes, he is encouraged to “train” the client in best practices to ensure a clean transfer, suggesting where and how to prepare the documents and why that will decrease the chances of a failure. Additionally, wireless scans of documents’ receipts are matched to scans of work orders to increase accuracy of what’s picked up.
Here, the technology takes over, and “think points” are drastically reduced. DeSalvo is trying to make his trucks as foolproof as possible.
The Truck (a)
The risk: Unsecured vehicle. Since documents from many pickups are in the vehicle, it is at its most vulnerable when the driver is inside a building procuring the current documents. The biggest risks are having documents easily taken out of the truck or having the truck itself stolen. Damage to the truck either through weather or vandalism is also a concern.
The mitigation: DeSalvo uses an entire portfolio of devices and techniques to prevent this risk from becoming an event. Included:
- Dual-key ignition (b). Without the second factor of authentication, the vehicle will not start. If the truck’s cargo area is not secure, the vehicle won’t start.
- Alarms, including a proximity alarm that sounds if a driver moves a certain distance away from an unsecured vehicle, and time-control alarms, which sound if something is unsecured for a specified amount of time.
- Smart latch (c). The backdoor latch is weighted and designed to be incapable of getting stuck between locked and unlocked, preventing the truck from being accidentally left open.
- The black box (d), an electronic brain fixed to the truck, controls alarms, differentiates their sound, time-controls door locks and records alarm events, among other tasks.
The risk: Drivers present two risks. The smaller risk is malfeasance—a driver purposely exploiting the information he’s charged with transferring. The larger risk is the biggest one to address: human error, including losing or damaging boxes of documents, or allowing documents to be lost or stolen from the vehicle.
The mitigation: Process, not technology, is central to this part of DeSalvo’s risk program. It costs more for a job that may otherwise be handled by low-wage drivers not trained in document handling, but the premium is offset by the risk reduction. What’s included to limit the risk of employee error:
- Background checks. Deep research to limit chances a bad apple is hired.
- Intense training, which ingrains proper document handling techniques in drivers’ heads so they can perform their jobs without even thinking.
- Ignorance of documents being handled; drivers are not allowed to know details about what they’re transferring. In this way, a bad actor can’t determine what’s worth stealing, and well-meaning drivers won’t be able to make value judgments about what they’re handling and thus subconsciously treat one transfer as less important than another. The lack of knowledge means every document pickup could include an original copy of the Constitution and must be treated that way.
- Empty cabs. Drivers are forbidden from putting any documents in the cabs of their trucks, ever, for any reason. This avoids a smash-and-grab problem and also protects the driver from liability for a lost document (or implicates him if he doesn’t follow procedure).
- Capture and transmission of transaction data. Drivers must reconcile codes on documents with codes stored in the inventory system at the home office before a job is complete. If documents expected to be picked up aren’t scanned or if the driver doesn’t get a signature from the customer, his wireless scanner alerts him that the job is not done.
The final point of risk is the storage facility itself, where the documents go to live until they’re needed or they reach their predetermined age of destruction. Proprietary inventory software tells floor workers where the documents should be stored
The Facility (f)
The risk: Employee theft of documents
- Ignorance. Again, employees know only the metadata about documents and not what the documents themselves contain.
- Surveillance. Cameras and motion detection, including perimeter sensors and sensors in 96-square-inch HVAC ducts (for detecting animals). All entrance and egress points are alarmed, including roof hatches, and glass has break sensors. DeSalvo declined to put cameras at the truck bay because this spot had been shown to be low risk. It’s out in the open and documents stay there only temporarily. DeSalvo thought it high cost, low benefit. This decision may be revisited.
The risk: Fire. At this facility, in central Massachusetts, fire is the highest risk to documents. Obviously, fire damages or destroys paper, but even a small fire that sets off sprinklers can create water damage.
The mitigation: Early-warning fire and smoke detection and fire suppression. Notable are the “transverse flue sprinklers” that can suppress fires inside the narrow gaps between shelves.
Read more about data protection in CSOonline's Data Protection section.
Other stories by Scott Berinato