Oct 11
10
Proper Destruction of Documents
What all small businesses need to know about proper document destruction…but don’t.
By Josh Hartwell, CSDS
We are in an information age. We find ways to gather as much information as we can and then find ways to push it right back out again. We deal with so much information that we are seeing an increase in the number of laws that guide us on how to protect it. There is a law for medical information, consumer information, financial information, plus other federal and state laws.
It should be obvious, with all the information protection laws out there, that this is a subject that all business owners/managers should take time to look at. Unfortunately there are many small businesses, and big businesses for that matter, that have ZERO clue about how to manage their information, let alone how to properly destroy it.
Why should this matter to you?
C’mon! You’re a consumer. You know how it is; you’re out shopping for a new product, maybe looking to upgrade a service you have and then, “WHACK!”, you are hit with a request for your information; most notably your name and email. At this point you are mostly concerned with spam. But what about the organization that has more information than just your email?
Your bank has your address, social security number, bank account number, credit card number, plus they have a copy of your signature. Oh, by the way, so does your doctor, lawyer, and accountant. Your utility company has your address, social security number, and bank info too. If you have ever paid a bill over the phone they now have your credit card number too.
Identity thieves look for all the information that you gave to everyone above. Kind of makes you wonder how all these people protect your information and how they screen the people they let have access to it, doesn’t it?
At this point the unsettling feeling of doubt and potential chaos should be setting in…good. This is EXACTLY how people feel about giving YOU their information.
What can you do to calm your customers’ nerves?
To calm your customers’ nerves you can start by looking at your information: what you collect, how you store it, and how you properly destroy/discard it. Specific privacy laws and regulations have particulars about what you can and cannot do with private information.
Take a moment to look at what you collect and why. How do you use the information? Can you do business without collecting it? Get involved with it. Don’t just put up a canned “privacy statement” that you copied from someone else’s website.
Look at how you protect the information. What safeguards do you put on the protection of the information? Do you know how long you need to keep the information? Do you know what you do with the information when you no longer have need for it? You need to develop a security model for your information.
The Information Pipeline Security Model
Think of your information gathering, usage, storage, and disposal as a pipeline. The basic principle of a pipeline is that it has one point of entry and one point of exit. It can get more complicated with multiple points of entry and multiple points of exit. The pipe itself keeps everything inside together, prevents it from spilling out all over the place, and channels it to a destination.
Your information is much the same way. You have points of entry: web forms, office forms, order forms, purchases, applications, credit checks, etc. that all feed your information pipeline. You have users that need to tap into that pipeline in order to use the information.
Example: You sell a product online. Your online shopping cart gathers the purchasers name, billing address, shipping address, and credit card information. It also captures what product was bought. This system dumps the information into the pipeline. Your fulfillment house needs to be able to tap into that pipeline somehow so it can send the purchaser the order.
At every place in your pipeline where you have input or output is a fitting. The fitting is the software, file cabinet, desk drawer, internet, etc. that allows access to the information. Just like in traditional plumbing, if there’s a leak it’s at the fitting. At these fittings is where security needs to be addressed. The amount of information security you place depends on the amount of damage that could be caused if the information were to be compromised.
Security is best applied in layers. Don’t just put a lock on a file cabinet, control who has keys and who can reproduce the key. Don’t just password protect your accounting software, control who has access to the system it resides on. You should also control who can put information into your pipeline and who can take information out of it.
Think of the input/output control of information as flow valves. Some valves are two-way, others are one-way. Two-way valves in your information pipeline allow information to be read and written in both directions. One-way valves only allow the information to be read. Printers are an example of one-way valves. You can get information off of a printer, but you can’t put information back through it. One-way valves can be placed on electronic documents by giving users read only permissions.
The need for proper destruction
The flow of information is moving toward obsolescence. Think about this: When growing up, how many planets did we learn there were in our solar system? Hopefully you answered nine. Now we learn there are only eight. Did aliens come and vaporize the ninth planet? No. Science, in its finite wisdom, relabeled Pluto as a dwarf planet. (Sorry Pluto, you’ll always be a planet to me.) Now all those notes, textbooks, tests, etc. are all obsolete. The information is of no value anymore. Well, at least the section on how many planets there are.
Information only has value as long as there is usefulness applied to it. Once the usefulness is depreciated or depleted, the information is dismissed or discarded. With paper documents we typically change the information and print out a new form. The old one…well, hopefully it is discarded properly. One has to carefully consider the full extent of the information that is on the paper. If a client changes a phone number, then the old form would be depreciated, but not necessarily depleted. The person probably has the same name and social security number.
Example: When a woman gets married her last name will be changed. Her bank account numbers, cell phone, social security number, driver’s license number all stay the same.
Nowadays most businesses use computers to keep track of customers’ information. A quick tap of the keys, a click to save, and you’re done updating the customer’s information. That is not the case when considering paper documents. When paper documents get superseded they need to be properly destroyed.
Defining Proper Destruction
Now we get to what you have been waiting for. Actually with my use of headers you could have skipped to this part. If you didn’t, congratulations! You show an elevated care of protecting people’s privacy and you should get a raise!
We are not going to try to reinvent the wheel here. The below definition comes from the Information Destruction Compliance Toolkit put out by the National Association for Information Destruction (NAID). They have knighted me a Certified Secure Destruction Specialist. As such I am able to freely share this information with you.
“Destruction – The point-in-time at which a unit of information-bearing media is modified to a condition in which the information cannot be restored, reconstructed, retrieved or accessed in the absence of heroic or extraordinary measures.”
The goal of proper destruction is that if you held the document in your hand you would not be able to read it in its entirety without first having to take extreme measures to put it all back together again. This also means that you need to make sure you know who is handling your documents at every point in the pipeline.
Methods of Destruction
There are different methods for doing document destruction – pulping, burning, and shredding.
There’s only one good way…
Shredding is the only viable method for proper document destruction because it is the only one that can be completed at the office level, has true economies of scale, AND can be verified.
Ways to not consider…
We discard pulping right away because it is not a viable option for an office. Burning is not a good option either. It takes forever to burn paper, there needs to be a separate source of heat, and the smoke is unbearable.
I have been told by business owners that they take their documents to the dump to have them buried. First of all, burying documents is NOT destroying documents. The thought is that they decompose. Let’s look real quick at this process here.
First you take your documents to a trash man who has no background check. Most landfills have prisoners on work-release working there, and they hire convicted felons. Then you are going to leave your documents alone with them? Oh, but you watch them put some dirt on top? NO…you just left your documents fully intact with felons and prisoners. Not smart.
The idea is that the documents decompose and are thereby destroyed in an environmentally friendly way. Unfortunately that is not the case at all. In order for decomposition to take place there need to be two elements present – moisture and oxygen. Our landfills have neither. The purpose of a landfill is not to decompose garbage. It is to isolate garbage from the surrounding environment. Check out this article from earth911.com for more info (http://earth911.com/news/2009/03/30/the-lowdown-on-landfills/).
Laws Requiring Information Privacy
As mentioned before, there are many different laws that require the protection of private consumer information. Frankly, I am not going to copy verbatim what each law says regarding the protection of information. That would be a long and dry document to read. Instead I will list some of the more noteworthy laws and how each would most likely affect your business.
- Economic Espionage Act (EEA) – Denies legal protection if an organization does not take reasonable steps to protect their proprietary information
- Health Insurance Portability & Accountability Act (HIPAA)/ Information Technology for Economic and Clinical Health Act (HITECH) – Mandates the protection of health information, requires data breach notification, and provides for mandatory fines
- Gramm-Leach-Bliley (GLB) – Safeguards Rule within GLB requires policies and procedures for protecting personal financial information
- Regulation S-P – Requires written policies and procedures specifically for information disposal
- Fair and Accurate Credit Transaction Act (FACTA) – Final Disposal Rule specifies incineration, shredding, and erasure as prescribed destruction methods
- Red Flags Rule – Requires the protection of discarded information that could foreseeably result in identity theft
If you want to know specifically which laws affect your business call us for a consultation.
The Whole Point Here
Proper document destruction is more than just the method of destruction; it involves the security leading to the destruction, the actual destruction process, and the documentation of the destruction. You need to be able to produce verifiable evidence that the destruction was completed showing who, what, where, when, and how.
Every business needs to have a document destruction policy. This policy should cover:
- Who is responsible for creating/approving/modifying the policy
- Who is responsible for implementing the policy
- Who is responsible for training employees on the policy
- What types of media have recorded data
- How the media is going to be destroyed
- How the policy is going to be audited
If your business does not have a document destruction policy, or the one you have is not as in-depth as what is described above, then you need to call us right away. It’s time to get peace of mind on your information management practices…
About the Author
Josh Hartwell is the Senior Vice-President of Associated Records, Inc. He has been in information protection for the past 14 years. Josh is a Certified Secure Destruction Specialist through the National Association for Information Destruction.