Virginia Regulatory Town Hall
Agency: Library of Virginia
Board: Library of Virginia (Library Board)
Chapter: Regulations Governing the Destruction of Public Records Containing Social Security Numbers [17 VAC 15 ‑ 120]
Action: Regulations Governing the Destruction of Public Records Containing Social Security Numbers
Stage: Proposed
Comment Period Ended on 11/2/2007
10/30/07  1:25 pm
Commenter: Virginia A Jones, CRM - Newport News Dept. of Public Utilities

Inconsistencies and overly specific requirements.
 

There are several inconsistencies in this proposed regulation, as well as some requirements that are overly specific.

Inconsistencies include:

1. Definition of “shredding.”  This definition also includes a description of a particular type of shredder (cross-cut) which should be either a part of its own definition or part of a more descriptive sentence placing it in the context of “shredding.”

2. As “electronic shredding” is a viable choice, the term should also be included in the definition to distinguish it from paper or other hard media shredding.  For example, Wikipedia defines it as:

“In computing, file shredding or file wiping is the act of deleting a computer file securely, so that it cannot be restored by any means. This is done either using file shredder software, or by issuing a "secure delete" command, as opposed to a "delete" command from the operating system.”  (en.wikipedia.org/wiki/Shredding)

3. The Purpose includes two terms that are not defined – “pulped” and “burned.”

4. The Purpose states that “Public records… that contain Social Security numbers… .”  The Government Data Collection and Dissemination Practices Act (Code of Virginia §2.2-3800 et seq.) defines other personal information that must also be kept private as well as how Social Security numbers must be safeguarded.  While section B5 alludes to protecting this other defined personal information, this proposed regulation does not include its protection in all the requirements.  It should.  This will also entail revising the title of the proposed regulation.

5. Section A states that paper records must be shredded by cross-cut shredder, then states that the shredder must reduce the paper to “strips” no wider than 3/8 inches.  This can be confusing.  It would be better to say “that reduces the paper to a size no wider than 3/8 inches.”

6. Section A should include the requirement that an employee shall witness the destruction of materials containing medical information as required by the Health Information Portability and Protection Act (HIPPA) if shredding is done through a contractor or other agency or department.

7. Section B3 states data on disks, tapes and other magnetic storage devices must be overwritten, but section B3a states the same media must be shredded or exposed to a powerful magnetic field.  One requirement needs to be set.  Either eliminate one or the other, or combine them into one.

Overly specific requirements include:

1. Section B1 states that “use of software programs that overwrite the data… multiple times… must be utilized.”  By context, this requirement is also placed on “back-up tapes, floppy disks, tapes, and other magnetic storage devices” in sections B2 and B3.  This simply is not necessary in modern computer systems to provide the level of protection needed for this type of data.  NIST 800-88 (Recommendations of the National Institute of Standards and Technology, September 2006) states that “studies have shown that most of today’s media can be effectively cleared by one overwrite.”

NIST 800-88 also separates file disposal into four categories.  Category two “clearing” is defined as:

“A level of media sanitization that would protect the confidentiality of information against a robust keyboard attack. Simple deletion of items would not suffice for clearing. Clearing must not allow information to be retrieved by data, disk, or file recovery utilities. It must be resistant to keystroke recovery attempts executed from standard input devices and from data scavenging tools. For example, overwriting is an acceptable method for clearing media.

There are overwriting software or hardware products to overwrite storage space on the media with non-sensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. The security goal of the overwriting process is to replace written data with random data. Overwriting cannot be used for media that are damaged or not writeable.”

This level of disposal is adequate for most state and locality systems containing social security numbers and other defined “personal information.”

2. Section B2 places this multiple overwrite requirement on backup tapes unnecessarily.  Correctly defining backup tapes in the regulation as “created as redundant datasets used to restore systems only in the case of emergencies, that are overwritten on a regular basis” will suffice.  Backup tapes meeting this definition are constantly overwritten as they are rotated through a scheduled backup process.  If tapes are used for retention or other purposes, then section B3 would cover them.

CommentID: 526
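The comment above cites the NIST 800-88 “Clear” technique: replace the written data with random data, with a single overwrite being sufficient for most modern media. The following is an added example, not part of the commenter’s submission, the regulation, or NIST’s text, showing what that technique looks like applied to a file-backed record. It assumes an ordinary writeable file on a filesystem (the hypothetical `clear_file`, `verify_cleared` and `demo` names and the sample record with a fictitious SSN are constructed for this example); the NIST quote’s own caveat that overwriting cannot be used on media that is not writeable is enforced up front, and the file is rewritten in place so the same storage locations are overwritten rather than a fresh copy being written elsewhere.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB pieces so large files are not held in memory


def clear_file(path: str, passes: int = 1) -> str:
    """Overwrite every byte of an existing file in place with random data.

    This is the NIST 800-88 "Clear" method quoted in the comment: the
    written data is replaced with random data. One pass is the default,
    matching the comment's point that a single overwrite suffices for most
    modern media. The file is opened 'r+b' (not 'wb') so the existing inode
    and its allocated blocks are rewritten; creating a new file could place
    the random data elsewhere and leave the original blocks untouched.
    Returns the SHA-256 of the final pass so the caller can verify the
    on-disk contents independently of this function.
    """
    if not os.access(path, os.W_OK):
        # NIST: overwriting cannot be used for media that is not writeable.
        raise PermissionError(f"{path} is not writeable; overwrite is not possible")
    size = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        for _ in range(passes):
            digest = hashlib.sha256()
            f.seek(0)
            remaining = size
            while remaining > 0:
                block = os.urandom(min(CHUNK, remaining))
                f.write(block)
                digest.update(block)
                remaining -= len(block)
            f.flush()
            os.fsync(f.fileno())  # push this pass to storage before the next one
    return digest.hexdigest()


def verify_cleared(path: str, expected_sha256: str, secrets: list) -> bool:
    """Read the file back and confirm (a) the bytes on disk are exactly the
    random data that was written and (b) none of the sensitive fragments
    (here, an SSN and a name) survive anywhere in the file."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        return False
    return not any(s in data for s in secrets)


def demo() -> bool:
    """Constructed sample record (fictitious name and SSN) written to a temp
    file, cleared with one overwrite, then verified before it is deleted."""
    record = b"Account 4471: Jane Q. Public, SSN 123-45-6789, meter 88-1021\n" * 500
    secrets = [b"123-45-6789", b"Jane Q. Public"]
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, record)
        os.close(fd)
        before = os.path.getsize(path)
        digest = clear_file(path, passes=1)
        ok = verify_cleared(path, digest, secrets)
        # Size unchanged proves the data was overwritten, not truncated away.
        ok = ok and os.path.getsize(path) == before
    finally:
        os.unlink(path)  # ordinary delete only after the overwrite is confirmed
    return ok


if __name__ == "__main__":
    print("cleared and verified:", demo())
```

The read-back check is the part a records manager would want evidence of: the digest ties what is on disk to the random data the program wrote, and the search for the SSN and name confirms the specific fragments the regulation cares about are gone before the file is unlinked.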