The inability to discard items even when they have no apparent value is known as compulsive hoarding syndrome. If the eccentric Collyer brothers had a better understanding of destruction practices, they likely would not have been killed by the very documents and newspapers they obsessively collected.
While most organizations don’t hoard junk and newspapers as Homer and Langley Collyer did, they do need to keep information such as employee personnel records, financial statements, contracts and leases and more. Given the vast amount of paper and digital media that amasses over time, effective information destruction policies and practices are now a necessary part of doing business. They will likely save organizations time, effort and heartache, legal costs, embarrassment, and more.
In December 2007, the Federal Trade Commission announced a $50,000 settlement with American Mortgage Company of Northbrook, Illinois, over charges that the company violated the FTC’s Disposal, Safeguards, and Privacy rules by improperly disposing of documents containing consumers’ credit and personally identifiable information. In announcing the settlement, the FTC put all companies on notice that it took such failures seriously.
A $50,000 settlement might seem low when measured against the potential for financial harm to individuals due to the company’s negligence. Still, in addition to the negative PR for American Mortgage, the settlement includes an obligation to obtain an audit every two years for the next 10 years from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. Any similar failures by this company during the next decade will be met with more severe punishment. That, indeed, is a very costly lesson.
In today’s litigious environment, there are a plethora of aggressive lawyers who would love to devour your organization for failure to take due care around document and media destruction.
This article will look at the key areas to ensure that your organization does not fall prey to such lawyers regarding the physical destruction of documents and records. The next article will go into the details around the destruction of digital documents and digital media.
Besides taxes, what unites every business is that they possess highly sensitive information that unauthorised persons should not see. While some documents can be destroyed minutes after printing, regulations may require others to be archived from a few years to permanently. But between these two ends of the scale, your organization can potentially have a large volume of hard copy data occupying space as a liability, both from a legal and information security perspective.
Depending on how long you’ve been in business, the number of physical sites and the number of people you employ, it’s possible to have hundreds of thousands, if not millions, of pages of hard copy stored throughout your company — much of which is confidential data that can be destroyed.
The National Association of Corporate Directors provides some excellent guidelines in their Record Retention and Document Destruction Policy. From trademark registrations, safety records to retirement and pension records and much more, there is a lot that needs to be retained. But once that retention period is over, much of those documents can be destroyed. Below is a partial list of the types of information that absolutely should be shredded when no longer needed:
For those who think that dumpster diving is a security threat of the past, check out Steve Hunt’s fascinating video Scoring big in corporate dumpster diving. He recently did a dumpster dive in Chicago and found confidential wire transfer information, laptops, and other treasures in the dumpster. His adventure took all of three minutes, and he astutely advises companies to do their own dumpster diving tests.
In addition, the current recession means that organizations may have to deal with disgruntled and angry employees and those who think their job or company will soon be eliminated. With that, the risk of misuse of sensitive information is even greater.
Simply put, effective document destruction practices prevent information from falling into the wrong hands. Perhaps the most pervasive example of this is credit card charge receipts, which are retrieved from trash bins by dumpster divers, often with the intent of using the information for online or telephone orders. Many businesses discard such payment information without effective destruction controls. If such controls are not used, the information unearthed from the post-fraud investigation could be extremely embarrassing to explain to customers. It could also turn into a PR nightmare or an expensive legal problem.
Once made aware of the need, many organizations react by gathering all stored hard copies and simply disposing of them. But that does not solve the problem, for several reasons.
First, legal and regulatory requirements mandate that paper documents be retained for specific periods of time. Additionally, throwing things directly into the dumpster exposes companies to dumpster divers. As detailed above, dumpsters can be a great source of information.
There is another reason why trashing daily records without appropriate destruction is dangerous. If the trash you throw out gets into your competitors’ hands, they can easily correlate it and learn about your business activities.
Just as SIM software can take seemingly disparate log items and correlate them into evidence of an active attack, so too can your trash be correlated. Your daily activities are manifest in it: phone records, travel plans, RFP submissions, memos, and much more. Your business can be exposed if this information is not properly destroyed.
If Enron is the poster child for inappropriate document destruction, organizations seeking to do document destruction properly should consider obtaining the Media Disposal Toolkit from Network Frontiers. The toolkit contains everything an organization needs to know about data disposal. It includes a spreadsheet of unified common controls, a work breakdown structure with processes and procedures, and data deletion management documentation on the policies and standards that organizations must adhere to in order to comply with global regulatory mandates.
Various regulations must also be taken into consideration. For example, Sarbanes-Oxley addresses the destruction of business records and documents and turns intentional document destruction into a process that must be carefully monitored. If the process is not followed, executives can find themselves under indictment. Formally documented data retention and destruction policies are a requirement.
SoX raises the legal stakes for the destruction of corporate documents and includes numerous provisions that create and enhance criminal penalties for corporate fraud and obstruction of justice. SoX section 1102 makes it a crime, punishable by fine and imprisonment for up to 20 years, to corruptly alter, destroy, mutilate or conceal a record, document or other object with the intent to impair the object’s integrity or availability for use in an official proceeding, or to obstruct or impede an official proceeding. SoX section 802 states that “whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
Another relevant regulation around disposal is the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Its disposal requirements, in effect since June 2005, oblige businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the Disposal Rule, the part of FACTA that calls for the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information.
The Rule applies to individuals and to both large and small organizations that use consumer reports, including consumer reporting companies; lenders; insurers; employers; landlords; government agencies; mortgage brokers; car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the Rule.
A benefit of having a formal document destruction process, and of using a product such as the Media Disposal Toolkit, is that because you are already doing document destruction properly, your organization does not have to worry about every new regulation: such practices are likely to be compliant with whatever new regulation comes out.
Imagine you are the manager of a large medical practice that is being sued after 10,000 pages of medical records found their way into the hands of an investigative reporter or a thief. When asked by the plaintiff’s lawyer how you get rid of hard copies, an answer such as “Lenny, the computer guy, does it whenever he can” is akin to pleading guilty. In contrast, an answer such as “We have an outside bonded, National Association for Information Destruction (NAID) certified company empty our security containers and shred the contents weekly” will likely shield you from significant liability.
The issue is not necessarily how often the data is destroyed; rather, it is whether destruction is done on a formal basis, driven by risk factors specific to the organization. As part of effective oversight, a formal system of information destruction must be created and implemented. If data destruction is performed in a formal, documented manner and on a set schedule, the plaintiff’s lawyers will have much less to work with, which a jury is likely to judge in your favor.
Two good examples of formalized procedures are the Confidential Document Handling Procedures from Purdue University and the Iowa State University Document Destruction Operating Plan. A Google search will give you many more on which you can base your program.
One of the most important aspects of a formal plan for information destruction is consistency. If an organization is inconsistent in what it destroys, this shows a lack of due diligence, in addition to the appearance of attempting to hide something.
As part of this formal process, also realize that there are many elements of data destruction that must be built into the process. One of them is the concept of a data destruction moratorium, because there are times when an organization must stop its data destruction activities. If a legal discovery request is received, policies must be in place to ensure that all organized and periodic data destruction activities are immediately placed on hold until the Legal Department determines whether those activities would jeopardize the sought-after data.
As to a formal process, there was a company that used a goat as their document shredder. While perhaps effective from a shredding perspective, it is clearly not a best practice approach, nor is it likely their lawyers signed off on that method. A goat eating away at the paper is fine for the Far Side but has no place in a formal document disposal process.
As the need for information destruction has caught on, the ubiquitous security containers from companies such as Shred-it are found in many organizations. It is good to have such containers readily available, so staff can easily dispose of information that is no longer needed.
Containers generally come in three sizes:
Executive consoles: Generally used in high-profile environments. They are front-loading, which frees up the top surface for office equipment; the doors swing open for easy removal and can be keyed alike. Approximate measurements: 40″ by 19″ by 19″.
Large containers: 96-gallon security containers are used for heavy document production centres, purging sites, warehouses, and high-traffic offices, especially for overflow conditions. Approximate measurements: 43″ by 24″ by 37″. They have the capacity to hold up to 15 boxes of paper.
Bulk containers: Used for larger production centres and areas that generate large quantities of confidential data and some e-scrap material. Approximate measurements: 38″ by 43″ by 29″; they can accommodate 650-plus pounds of material.
As part of a security awareness program, ensure that employees are trained in the proper disposal and destruction of sensitive materials. You want to make sure that employees place papers in these designated locked destruction containers and not in trash bins, recycle bins or other publicly accessible locations. Also, make sure that they don’t place materials that don’t need to be shredded in these bins. Since many destruction companies charge by the bin or pound, placing documents in these bins that don’t need to be shredded is a waste of money.
Some organizations use these secure information containers only for sensitive information, not for highly confidential or secret information. Others have policies that require highly confidential or secret information to be destroyed immediately because it is so sensitive. This lessens the risk of someone breaking into a locked destruction container, or stealing the whole container and breaking into it at another location.
Document destruction, like other services, can be done in-house or outsourced. Which is the best way to go? Like every decision, the correct answer is the proverbial — it depends.
There are two predominant types of shredding services: plant-based (off-site) and mobile (on-site).
With a plant-based approach, various plant employees have access to the material during the sorting process. A paper sorter could conceal a sensitive document on his person and leave the property with it.
The bottom line is that either solution requires trust, but the final decision rests with the customer, based on what they feel is the most secure solution. This decision, like most, is a trade-off between the level of security and cost.
A third solution is to do it yourself. While this may seem cheaper in the short term, it can often be more expensive. And if you do it internally, there must be policies and procedures to ensure that the destruction of sensitive information is performed only with approved destruction methods, including shredders or other equipment approved by the Information Security Department.
Whether you use a mobile or a plant-based shredding service, ensure that the service provider is NAID certified and that all documents are secured until they are destroyed. A good SLA requires that documents be destroyed within 24 hours and that a Certificate of Destruction be provided upon completion of the process.
It is clear that document destruction in today’s world must be part of a good system of business processes. This article describes the start of the process. The next article will get into more technical areas such as shred size, digital media and more.
But the bottom line is that if your organization is not careful about what it fails to dispose of properly, that material could become your competitors’ good fortune and your worst corporate nightmare.
Source: https://www.csoonline.com/article/2123705/why-information-must-be-destroyed.html