Virginia Regulatory Town Hall
Agency
Library of Virginia
 
Board
Library of Virginia (Library Board)
 
Chapter
Regulations Governing the Destruction of Public Records Containing Social Security Numbers [17 VAC 15 ‑ 120]
Action Regulations Governing the Destruction of Public Records Containing Social Security Numbers
Stage Proposed
Comment Period Ended on 11/2/2007

7 comments

10/15/07  10:05 am
Commenter: Jerome Kendall / Chesterfield County VA Government

Suggestions for "Regulations Governing the Destruction of Public Records Containing Social Security"
 

Include "machine-readable" in the definition of electronic record.

Include a definition for "media".

In the very last paragraph, reference is made to "or other privacy-protected information" in addition to Social Security numbers.   This should be added into the paragraph that begins "Public records, regardless of media" as "that contain social security numbers OR OTHER PRIVACY-PROTECTED INFORMATION must be shredded...."

"Social Security" refers to the specific Social Security program, and should therefore be capitalized.

Section B, #2: The very idea that IT shops in every political subdivision of the Commonwealth are actually going to time the overwriting/degaussing of privacy-protected information residing on back-up tapes to be simultaneous with the destruction of the privacy-protected information which those tapes actually back-up is almost certainly going to be laughed at by those IT shops.  I suggest the language be modified to simply assert that the back-up tapes should be overwritten, wiped, or degaussed to the extent necessary to ensure the irretrievability of the data on them, but that a more reasonable period of time be allowed for; 30 - 60 days, perhaps.

 

CommentID: 505
 

10/16/07  9:06 am
Commenter: Jerry Palmer

Cross-cut shredder requirement is over-kill
 

I am not pleased with the idea of requiring a cross cut shredder. In addition to the expense of purchasing one (I have no budget to do so, what with State budget cuts), I want to mention other problems associated with a large cross cut operation: It's a fine machine for in-office use wherein small amounts of shredding are required. In a major operation such as mine, shredding 25-30 tons yearly, cross cuts pose health and dust problems. VT had one over ten years ago and disposed of it, as operators had to wear masks and the dust and debris were unbearable, not to mention the noise level, requiring ear plugs. My EHHS folks were very pleased we swapped out for a strip shredder. While its product is more easily reconstructed than the output of a cross cut, I have always felt the job is more than adequate. Let's put it this way: if I wanted a SS#, I can think of 1900 ways easier to acquire it than to try to reconstruct the record from a #60 bale containing approximately 5000 individual strip shredded records. I know there are other state records managers who share my view and are satisfied with strip shredding.  Jerry Palmer

CommentID: 508
 

10/16/07  11:35 am
Commenter: Karen Linett, Upper Occoquan Sewage Authority

Regulations Governing the Destruction of Public Records Containing SSNs
 

I agree with Mr. Palmer's comments regarding the cross-cut shredder.   I also believe it would be overkill to require them. 

 

Karen Linett

CommentID: 509
 

10/25/07  2:55 pm
Commenter: Tina Long

Suggestions to address conflicts, inconsistencies, confusing statements, and other.
 

SHREDDING: The federal government has approved the following filter screen hole sizes of 3/32, 1/8, or 4 mm as being secure.

DEFINITIONS: 1) Pulped, burned, records custodian, and magnetic erasing are not defined. 2) "Overwritten" is defined, however, I suggest defining "electronic erasing" or "file wiping". 3) "Shredding" contains two definitions - (a) the action, and (b) the type of machine to use. 4) "Electronic record" is defined but maybe just "Records" should be defined so as to include the paper records mentioned in section 30.

OTHER:  

SECTION 20: 1) Purpose, lists various methods of destruction but they are not defined in Section 10 and not offered as an option in Section 30. [purpose means: intent, intention, meaning, mission].

SECTION 30:  1) subsection A contains two different topics - (a) how to destroy paper records, and (b) responsibilities of the records custodian. I suggest separating them. 2) subsection A, second paragraph last sentence states "The agency contracting for the shredding retains responsibility..." Since there is no security, or guarantee, I would change it to read that an employee of the agency shall witness the destruction of materials if done off-site, or through a contractor. 3) subsection B suggests electronic records have a different retention life than paper records. I may be wrong, but most electronic and paper records should have the same retention life, being that one is the same as the other aside from the medium. 4) subdivision 1 of subsection B says files stored on a computer must be deleted and overwritten. However, subdivisions 2 and 3 say back-up tapes, floppy disks, or other magnetic storage devices only have to be overwritten. I may be wrong, but a 'file' can refer to a single document or part of the agency's file scheme (computer). 5) subdivision 5 of subsection B mentions privacy-protected information. Maybe the Title of Chapter 120 should include: ... SECURITY NUMBERS AND PRIVACY-PROTECTED INFORMATION. 6) subdivision 3 of subsection B says that data... on floppy disks, tapes and other... must be overwritten - B.3.a. says disks, tapes and other... must be shredded or exposed to a magnetic field. QUESTION: are they saying the data shall be overwritten and the medium it is on shall be shredded? or are there two different procedures - or something?

ALSO: change the word 'must' to 'shall' and consider spending more time on this chapter.

 

 

  

CommentID: 523
 

10/26/07  3:40 pm
Commenter: John Breeden

Overwriting of Back-up tapes/other privacy protected information
 

Section 17 VAC 15-120-30, B Electronic records Procedure #2 requires that “back-up tapes must be overwritten at the same time as all other copies are destroyed.  Tapes shall be held no longer than the conclusion of the retention period for the information contained in the tape.”  Procedure B, #5 introduces “other privacy protected information”.  The first two comments relate to Procedure #2 and the third comment relates to Procedure #5 of the regulation.

 

1. Are back-up tapes considered records or non-records?  If they are non-records, does the Library Board have the authority to issue regulations regarding the physical destruction of social security numbers on back-up tapes or does the Virginia Information Technology (VITA) establish back-up tape policies and procedures for state agencies?

 

2. Assuming the answer to the first question is that the Library Board has this authority, VITA and local Information Technology departments probably have varying policies and procedures for tape back-up creation and rotation.  One typical procedure for many IT groups is to backup Microsoft Exchange and Windows Servers nightly from Monday through Thursday or Friday, retaining those tapes for 30 days.  The last tapes of the week, either those created on Friday or Saturday, are retained for 90 days.  The last tapes created during the month are typically retained for 12 months.  These procedures would result in back-up tapes containing social security numbers being retained for as long as a year after the record might have been destroyed. Would such tape back-up and rotation procedures be in violation of section 17 VAC 1-120-30, B #2 that requires that back-up tapes be “overwritten at the same time”?   I recommend changing the requirement to either “30 days” or “60 days”.

 

3. Section 5 is the first place that “other privacy protected information” is introduced.  While I think it important to protect other private information, this regulation’s title indicates it is for the destruction of social security numbers and “other privacy protected information” appears to have been added here as an afterthought, with the user not provided any information about what constitutes other privacy protected information.  I recommend identifying the other private information that requires this stringent regulation, if such requirements are warranted, or limiting the regulation to social security numbers.

 

 
CommentID: 524
 

10/29/07  10:37 am
Commenter: Richard Harrington, Fairfax County

Clarification on "burning" being allowed for all media and on statement "privacy protected info"
 

Although other forms of destruction are mentioned in the first paragraph, it should be clarified that burning can be done for all the media below including CD's as an acceptable form of destruction for records containing SSN's and other "privacy protected information" if this is defined in the paper.  Adding "other privacy protected information" is not appropriate for this regulation unless you change the title and define what is meant by this statement. 

I concur with Mr. Breeden's comments about if back-up tapes are really considered a "record", and also the others' comments about it being impractical to require that they be erased at the same time as the destruction of the records.  Allowing a reasonable time within the destruction time frame seems more appropriate for back-up tapes especially since they may contain other information that is not yet eligible for destruction.  This would entail identifying what is eligible for destruction on the tapes from what is not - a difficult and time consuming task on back-ups.

 

   

CommentID: 525
 

10/30/07  1:25 pm
Commenter: Virginia A Jones, CRM - Newport News Dept. of Public Utilities

Inconsistencies and overly specific requirements.
 

There are several inconsistencies in this proposed regulation, as well as some requirements that are overly specific.

Inconsistencies include:

1.   Definition of “shredding.”  This definition also includes a description of a particular type of shredder (cross-cut) which should be either a part of its own definition or part of a more descriptive sentence placing it in the context of “shredding.”

2.   As “electronic shredding” is a viable choice, the term should also be included in the definition to distinguish it from paper or other hard media shredding.  For example, Wikipedia defines it as:

“In computing, file shredding or file wiping is the act of deleting a computer file securely, so that it cannot be restored by any means. This is done either using file shredder software, or by issuing a "secure delete" command, as opposed to a "delete" command from the operating system.”  (en.wikipedia.org/wiki/Shredding)

3.      The Purpose includes two terms that are not defined – “pulped” and “burned.”

4.      The Purpose states that “Public records… that contain Social Security numbers… .”  The Government Data Collection and Dissemination Practices Act (Code of Virginia §2.2-3800 et. seq.) defines other personal information that must also be kept private as well as how Social Security numbers must be safeguarded.  While section B5 alludes to protecting this other defined personal information, this proposed regulation does not include its protection in all the requirements.  It should.  This will also entail revising the title of the proposed regulation. 

5.      Section A states that paper records must be shredded by cross-cut shredder then states that the shredder must reduce the paper to “strips” no wider than 3/8 inches.  This can be confusing.  It would be better to say “that reduces the paper to a size no wider than 3/8 inches.”

6.      Section A should include the requirement that an employee shall witness the destruction of materials containing medical information as required by the Health Information Portability and Protection Act (HIPPA) if shredding is done through a contractor or other agency or department.

7.      Section B3 states data on disks, tapes and other magnetic storage devices must be overwritten, but section B3a states the same media must be shredded or exposed to a powerful magnetic field.  One requirement needs to be set.  Either eliminate one or the other, or combine them into one.

Overly specific requirements include:

1.      Section B1 states that “use of software programs that overwrite the data… multiple times… must be utilized.”  By context, this requirement is also placed on “back-up tapes, floppy disks, tapes, and other magnetic storage devices” in sections B2 and B3. This simply is not necessary in modern computer systems to provide the level of protection needed for this type of data.  NIST 800-88 (Recommendations of the National Institute of Standards and Technology, September, 2006) states that “studies have shown that most of today’s media can be effectively cleared by one overwrite.” 

NIST 800-88 also separates file disposal into four categories.  Category two “clearing” is defined as:

“A level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. For example, overwriting is an acceptable method for clearing media.

There are overwriting software or hardware products to overwrite storage space on the media with non-sensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. The security goal of the overwriting process is to replace written data with random data. Overwriting cannot be used for media that are damaged or not writeable.”

This level of disposal is adequate for most state and locality systems containing social security numbers and other defined “personal information.”

2.      Section B2 places this multiple overwrite requirement on backup tapes unnecessarily.  Correctly defining backup tapes in the regulation as “created as redundant datasets used to restore systems only in the case of emergencies, that are overwritten on a regular basis” will suffice.  Backup tapes meeting this definition are constantly overwritten as they are rotated through a scheduled backup process.  If tapes are used for retention or other purposes, then section B3 would cover them.

CommentID: 526