Most businesses have routine occasion to discard confidential data about their business operations or personal client information acquired through commerce. Data sets and reports such as customer lists, price lists, sales statistics by state or product line, drafts of bids, responses to RFPs, and internal correspondence contain information about business activity which would interest any competitor.
Every business is also entrusted with information that must be kept private in order to be in compliance of certain industry privacy policies. Employees and customers have the legal right to have their data protected, if it is not customers will certainly blow the whistle and flee to a competitor that can ensure proper data security.
Without the proper safeguards, paper based information ends up in the dumpster where it is readily, and legally, available to anybody outside of your organization. The trash is considered by business espionage professionals as the single most available source of competitive and private information from the average business. Organizations that discard private and proprietary data without first properly destroying the paper, exposes itself to the risk of criminal and civil prosecution, as well as the potential costly loss of business.
The following discussion offers creative solutions for crafting guidelines and policies that will minimize the risks previously discussed. Whether you are in charge of IT, HR, or business operations, your business will benefit through the implementation of sound data security practices.
The period of time that business records are stored should be determined by a retention schedule that takes into consideration their useful value to the business and the governing legal requirements. Ideally, no record should be kept longer than this established retention period.
Failure to adhere to a program of routine destruction of stored records exposes a company to the potential accusation it exhibits suspicious disposal practices. This could be negatively construed in the event of litigation or audit. Additionally, Federal Rule 26 of the Federal Law Code (Duty to disclose and general provisions governing discovery) requires, in the event of a law suit, each party provide all relevant records to the opposing counsel within 85 days of the defendants initial response. If either of the litigants does not fulfill this obligation, it may result in a summary finding against them. By destroying records according to a set schedule, a company appropriately limits the amount of materials it must search through to comply with this law. Limiting the scope of search for documents will minimize the cost of maintaining the repository of documents.
From a risk management perspective the only acceptable method of discarding stored records is to destroy them by a method that ensures that the information is obliterated. Documenting the exact date that a record is destroyed is a prudent and recommended legal precaution.
Trash based security breaches are more common today than ever before. In fact, one of the oldest security and privacy problems is the unsecure disposal of personal information. The rate of data growth both in digital and print formats is astounding. According to a recent IBM report, the exponential data growth increases the pressure on scarce IT resources. The typical enterprise experiences 42 percent annual increase in data volume. Very few organizations have reliable procedures or practices for disposing of data so that new information accumulates on top of generations of stale data.
As electronic data along with print information volumes continues to grow, there are more opportunities for disposal related data breaches to occur. To quantify and help assess the scope of the problem we simply need to look to the news for a few recent data breach events:
In Maine the Maine Veterans Hospital was investigated after confidential medical records were found in a dumpster.
In Indiana personal documents that contained prescriptions for a powerful pain medication and patient information were discovered in a dumpster near the Indianapolis Medical Center.
In Chicago a bankruptcy law firm dumped sensitive client information into a public dumpster where it was readily available to anyone.
In Phoenix a passerby found hundreds of documents from gym memberships with credit card information and other personal data overflowing a dumpster.
Paper based security breaches are also global in nature. In Australia, according to a recent study by the National Association for Information Destruction (NAID), 30% of organizations are unaware of their obligations when it comes to destroying personal information.
What are the most common information disposal security mistakes?
Organizations on occasion donate print documents containing personal information on them to outside groups, like pre-schools and community groups for use as scrap paper.
Organizations place print documents containing personal information into unsecured dumpsters without shredding them is an ongoing and perhaps the most problematic security breach.
The increasing frequency of security breaches due to poor disposal policies has led to a growing number of laws explicitly covering document disposal as well as specific legislative bills proposed at the state and federal level.
The Disposal Rule (part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) has been in effect since 2005. It has many very specific disposal requirements for all types of businesses conducting various types of credit checks.
Besides the fact that secure information disposal is now a legal requirement for all businesses of all sizes, it simply makes sense to dispose of information securely as an effective way to prevent privacy breaches. By having effective disposal policies, procedures, and supporting technologies in place businesses demonstrate reasonable due diligence. What should you do if the organization you work for currently has no disposal policies? Here’s an action plan get you started:
Assign overall responsibility for information security and privacy compliance to a position or department within your organization. This should include responsibility for disposal of information in all forms. The IT department is a likely candidate for most companies as they typically have direct access to data in all forms.
Perform a disposal risk assessment to determine exactly how your organization currently disposes of all types of information. Then craft new information disposal policies and procedures, or update existing ones, based upon the results of the disposal risk assessment.
Shred paper based documents, do not just toss it should be an important part of your overall data security management policy. When either customer information or employee information is ready for the trash, it should be properly shredded if it contains information your organization does not want made public. Documents that contain names, Social Security numbers, date of birth, savings account balances, credit card numbers, stated individuals’ health conditions, or other personal information should always be shredded.
Also shred trash bound documents that could potentially help your organization’s competition. Items such as customer lists, sensitive pricing information, strategic planning documents and trade secrets should be shredded, not tossed into the recycle bin.
Be especially diligent if you deal with information from consumer reports. The Fair Credit Reporting Act protects credit reports and credit scores as well as reports relating to employment background, check writing history, insurance claims, residential or tenant history, and medical history. Anyone who handles this type of information must follow strict disposal guidelines that may include burning, pulverizing, or shredding the paper documents so that the information cannot be read or reconstructed.
There are many options for shredding documents. There are cross cut shredders in the $60-$2500 price range. Alternatively there are outsourced shredding services that will pick up locked bins of sensitive documents, shred them onsite for a fee based on quantity. They will then cart away the shredded paper and provide a certificate of destruction.
If you choose to shred what features should you look for in an office shredder?
Next Generation In House Document Shredding
You want to look for a feature rich shredder that is simple for you and your organization to use. Ideally, the shredder should have superior auto feed technology built in so you do not have to sit there and hand feed the documents. The shredder should accommodate crumpled paper, double sided color printed paper, glossy paper, multiple sheets folder over, paper clips, staples, junk mail and DVDs. It should also be very quiet and secure with lock draw technology.
One shredder that works well is the AutoMax 500C Shredder from Fellowes. It can quietly and securely continuously shred 500 sheets of paper into 5/32” x 1-1/2” cross-cut particles. This provides a security level of P-4, high enough to safeguard most companies in most industries.
Recent investments in the development of new document shredding technology now makes the shredding process faster and more secure than ever before. Previously, organizations had to dedicate valuable employee resources to hand feeding documents into a single sheet shredder.
For example, the Fellowes organization has introduced document “load, lock and walk away” shredding capabilities to their AutoMax product line of large volume, auto-feed commercial shredders. These enhancements make the internal disposal of large quantities of confidential information a much easier task to accomplish. CIOs currently sending documents off-site for shredding should take a look at the potential cost savings and security benefits of shredding documents in house with a shredder such as the AutoMax 500C.