We wish to convey our deepest thanks to all our veterans. Thank you for your service and for your sacrifice.

By Josh Hartwell, CSDS

We are in an information age. We find ways to gather as much information as we can and then find ways to push it right back out again. We deal with so much information that we are seeing an increase in the amount of laws that guide us on how to protect the information. There is a law for medical information, consumer information, financial information, plus other federal and state laws.

It should be obvious with all the information protection laws out there that this is a subject that all business owners/managers should take time to look at. Unfortunately there are many small businesses, and big businesses for that matter, that have ZERO clues about how to manage their information, let alone how to properly destroy it.

C’mon! You’re a consumer. You know how it is; you’re out shopping for a new product, maybe looking to upgrade a service you have and then, “WHACK!”, you are hit with a request for your information; most notably your name and email. At this point you are mostly concerned with spam. But what about the organization that has more information than just your email?

Your bank has your address, social security number, bank account number, credit card number, plus they have a copy of your signature. Oh, by the way, so does your doctor, lawyer, and accountant. Your utility company has your address, social security number, and bank info too. If you have ever paid a bill over the phone they now have your credit card number too.

Identity thieves look for all the information that you gave to everyone above. Kind of makes you wonder how all these people protect your information and how they screen the people they let have access to it doesn’t it?

At this point the unsettling feeling of doubt and potential chaos should be setting in…good. This is EXACTLY how people feel about giving YOU their information.

To calm your customer’s nerves you can start by looking at your information, what you collect, how you store it, and how you properly destroy/discard it. Specific privacy laws and regulations have particulars about what you can and cannot do with private information.

Take a moment to look at what you collect and why. How do you use the information? Can you do business without collecting it? Get involved with it. Don’t just put up a canned “privacy statement” that you copied from someone else’s website.

Look at how you protect the information. What safeguards do you put on the protection of the information? Do you know how long you need to keep the information? Do you know what you do with the information when you no longer have need for it? You need to develop a security model for your information.

Think of your information gathering, usage, storage, and disposal as a pipeline. The basic principle of a pipeline is that it has one point of entry and one point of exit. It can get more complicated with multiple points of entry and multiple points of exit. The pipe itself keeps everything inside together, prevents it from spilling out all over the place, and channels it to a destination.

Your information is much the same way. You have points of entry: web forms, office forms, order forms, purchases, applications, credit checks, etc. that all feed your information pipeline. You have users that need to tap into that pipeline in order to use the information.

Example: You sell a product online. Your online shopping cart gathers the purchasers name, billing address, shipping address, and credit card information. It also captures what product was bought. This system dumps the information into the pipeline. Your fulfillment house needs to be able to tap into that pipeline somehow so it can send the purchaser the order.

At every place in your pipeline where you have input or output is a fitting. The fitting is the software, file cabinet, desk drawer, internet, etc. that allows access to the information. Just like in traditional plumbing, if there’s a leak it’s at the fitting. At these fittings is where security needs to be addressed.  The amount of information security you place depends on the amount of damage that could be caused if the information were to be compromised.

Security is best applied in layers. Don’t just put a lock on a file cabinet, control who has keys and who can reproduce the key. Don’t just password protect your accounting software, control who has access to the system it resides on. You should also control who can put information into your pipeline and who can take information out of it.

Think of the input/output control of information as flow valves. Some valves are two-way, others are one-way. Two-way valves in your information pipeline allow information to be read and written in both directions. One-way valves only allow the information to be read. Printers are an example of one-way valves. You can get information off of a printer, but you can’t put information back through it. One-way valves can be placed on electronic documents by giving users read only permissions.

The flow of information is moving toward obsolescence. Think about this: When growing up, how many planets did we learn there were in our solar system? Hopefully you answered nine. Now we learn there are only eight. Did aliens come and vaporize the ninth planet? No. Science, in its finite wisdom, relabeled Pluto as a dwarf planet. (Sorry Pluto, you’ll always be a planet to me.) Now all those notes, text books, tests, etc. are all obsolete. The information is of no value anymore. Well at least the section on how many planets there are.

Information only has value as long as there is usefulness applied to it. Once the usefulness is depreciated or depleted the information is dismissed or discarded. With paper documents we typically change the information and print out a new form. The old one…well hopefully it is discarded properly. One has to carefully realize the extent of the information that is on the paper. If a client changes a phone number then the old form would be depreciated, but not necessarily depleted. The person probably has the same name and social security number.

Example: When a woman gets married her last name will be changed. Her bank account numbers, cell phone, social security number, driver’s license number all stay the same.

Nowadays most businesses use computers to keep track of customers’ information. A quick tap of the keys, a click to save, and you’re done updating the customer’s information.  That is not the case when considering paper documents. When paper documents get superseded they need to be properly destroyed.

Now we get to what you have been waiting for. Actually with my use of headers you could have skipped to this part. If you didn’t, congratulations! You show an elevated care of protecting people’s privacy and you should get a raise!

We are not going to try to reinvent the wheel here. The below definition comes from the Information Destruction Compliance Toolkit put out by the National Association for Information Destruction (NAID). They have knighted me a Certified Secure Destruction Specialist. As such I am able to freely share this information with you.

“Destruction – The point-in-time at which a unit of information-bearing media is modified to a condition in which the information cannot be restored, reconstructed, retrieved or accessed in the absence of heroic or extraordinary measures.”

The goal of proper destruction is that if you held the document in your hand you would not be able to read it in it’s entirety without first having to take extreme measures to put it all back together again. This also leads to say that you need to make sure you know who is handling your documents at every point in the pipeline.

There are different methods for doing document destruction – pulping, burning, and shredding.

There’s only one good way…

Shredding is the only viable method for proper document destruction because it is the only one that can be completed at the office level, has true economics of scale, AND can be verified.

Ways to not consider…

We discard pulping right away because it is not a viable option for an office.  Burning is not a good option either. It takes forever to burn paper, there needs to be a separate source of heat, and the smoke is unbearable.

I have been told by business owners that they take their documents to the dump to have them buried. First of all, burying documents is NOT destroying documents. The thought is that they decompose. Let’s look real quick at this process here.

First you take your documents to a trash man who has no background check. Most landfills have prisoners on work-release working there; and they hire convicted felons. Then you are going to leave them alone with them? Oh but you watch them put some dirt on top? NO…you just left your documents fully intact with felons and prisoners. Not smart.

The idea is that the documents decompose and thereby are environmentally friendly destroyed. Unfortunately that is not the case at all. In order for decomposition to take place there needs to be two elements present – moisture and oxygen. Our landfills have neither. The purpose if a landfill is not to decompose garbage. It is to isolate garbage from the surrounding environment. Check out this article from earth911.com for more info (http://earth911.com/news/2009/03/30/the-lowdown-on-landfills/).

As mentioned before there are many different laws that require the protection of private consumer information. Frankly I am not going to copy verbatim what each law says regarding the protection of information. That would be a long and dry document to read. Instead I will list some of the more note worthy laws and how it would most likely affect your business.

• Economic Espionage Act (EEA) – Denies legal protection if an organization does not take reasonable steps to protect their proprietary information
• Health Insurance Portability & Accountability Act (HIPAA)/ Information Technology for Economic and Clinical Health Act (HITECH) – Mandates the protection of health information, requires data breach notification, and provides for mandatory fines
• Gramm-Leach-Bliley (GLB) – Safeguards Rule within GLB requires policies and procedures for protecting personal financial information
• Regulation S-P – Requires written policies and procedures specifically for information disposal
• Fair and Accurate Credit Transaction Act (FACTA) – Final Disposal Rule specifies incineration, shredding, and erasure as prescribed destruction method
• Red Flags Rule – Requires the protection of discarded information that could foreseeably result in identity theft

If you want to know specifically which laws affect your business call us for a consultation.

Proper document destruction is more than just the method of destruction; it involves the security leading to the destruction, the actual destruction process, and the documentation of the destruction. You need to be able to produce verifiable evidence that the destruction was completed showing who, what, where, when, and how.

Every business needs to have a document destruction policy. This policy should cover: Who is responsible for creating/approving/modifying the policy; Who is responsible for implementing the policy; Who is responsible for training employees on the policy; What types of media have recorded data; How is the media going to be destroyed; How is the policy going to be audited.

If your business does not have a document destruction policy or the one you have is not as in-depth as what is described above then you need to call us right away. It’s time to get piece of mind on your information management practices…

About the Author

Josh Hartwell is the Senior Vice-President of Associated Records, Inc. He has been in information protection for the past 14 years. Josh is a Certified Secure Destruction Specialist through the National Association for Information Destruction.

Dumpster Diving: Thieves literally go through trash cans and dumpsters looking for anything with personal information on it. These include bills, memos, statements, credit card offers, etc.

Skimming: Thieves use a small electronic device that records your credit/debit card number when it is processed.

Phishing: Thieves try to get your personal information by pretending to be companies that may already have it. They use emails and pop-up messages to lure you in.

Changing Your Address: Thieves use change of address forms to send your mail to a new location of their choosing.

“Old-Fashioned” Stealing: Thieves steal wallets and purses, mail, employee records, etc. They get these by lifting them or bribing people with access.

Business Prevention

Have a good data security plan:

• Take stock in what personal information you have stored in files and on computers.

• Scale down by keeping only what you need to conduct business.

• Lock it physically and electronically.

• Shred what you no longer need.

• Plan ahead with how you will respond to security incidents.

Personal Prevention

Safeguard your information:

• Shred paperwork with personal information before you discard it.

• Protect your Social Security Number. Do not carry your Social Security card. Give it out only if absolutely necessary – never write it on a check.

• Do not give out personal information before you know who you are dealing with.

• Never click on links sent in unsolicited emails. Type in web addresses. Use and keep your firewalls, anti-spyware, and anti-virus software up-to-date.

• Use passwords that are at least 8 characters long, have upper and lowercase letters, and include symbols and numbers. (Example: Pa$$w0rd, note: do not use this password)

• Lock your personal information in a secure place, especially if you have roommates, employ outside help, or are having work don on your house.

We are going to be close for Labor Day. We hope you have the day off too! We’ll get back to it on Tuesday September 6th.

Blessings!

We have the best customers…so we have to get the best shelving.

Let’s do the math there… Two-thirds of the respondents to the survey have employees that are NOT trained on how to safely and securely manage your information. That is a lot! A stupidly high amount.

Here at Associated Records, we have tools to help you write your policies and train your employees. Our tools are easy to use because we do most of the work for you.

We have compiled a list of questions that can be used to help you begin to get a handle on your files.

We guarantee that once you answer all these questions you will start to see the big picture in your organization’s document life-cycle.

1. Why are new files created in my office?
2. How are my office files primarily organized?
3. How do my files get filed?
4. Where are my files filed?
5. How are my files characterized?
6. Who determines how my files are characterized and how they get filed?
7. Do I have a policy for handling missing files?
8. Is there a general understanding in my work place on the work flow of files?
9. When do files go to the inactive storage area?
10. Is there a system in place to track which files/boxes are in inactive storage?
11. Is there a system in place to track files/boxes retrieved from inactive storage?
12. Do I utilize off-site storage?
13. How often are files/boxes retrieved from inactive/off-site storage?
14. How many files/boxes are retrieved from inactive/off-site storage for the period above?
15. Who retrieves files/boxes from inactive/off-site storage?
16. Does my company have a written records retention policy?
17. Does my company have a legal basis for having a records retention policy?
18. How are the retention periods determined?
19. Is there a designated person who oversees the retention of my records?
20. How often is my records retention schedule audited?
21. Who audits my records retention schedule?
22. Does my company have a written document destruction policy?
23. Does my company have a legal basis for having a document destruction policy?
24. How are the retention periods determined?
25. Is there a designated person who oversees the destruction of my records?
26. How often is my document destruction audited?
27. Who audits my document destruction?
28. I understand the following laws that impact the business I am in.

We have put together a question worksheet to help you answer these questions. Our worksheet also has a bonus True Cost Analysis to help you calculate what you are spending now on file storage and document destruction. You can get the worksheet here.

It spells out what is to be destroyed, when it is to be destroyed and how it should be destroyed. This creates a standardization of destruction for a company, giving the act of shredding documents ethical reform to a now vital business practice.

Before a destruction policy can be fully implemented a company must first determine what documents it has, or will create, and how long to keep them.

Creating a retention schedule for all documents whether paper or electronic standardizes what is kept, for how long, and why.

Our report “Would an auditor find an effective document retention and destruction policy in your office? Do you know what one is?” will give you more information. You can get your free copy here.