Why Shred
Facts about
information disposal
Every Business Has
Information That Requires Destruction.
All businesses have
occasion to discard confidential data. Customer lists, price
lists, sales statistics, drafts of bids and correspondence,
and even memos contain information about business activity
which would interest any competitor. Every business is also
entrusted with information that must be kept private.
Employees and customers have the legal right to have this
data protected.
Without the proper
safeguards, information ends up in the dumpster where it is
readily, and legally, available to anybody. The trash is
considered by business espionage professionals as the single
most available source of competitive and private information
from the average business. Any establishment that discards
private and proprietary data without the benefit of
destruction, exposes itself to the risk of criminal and
civil prosecution, as well as the costly loss of business.
Stored Records Should
Be Destroyed On A Regular Schedule.
The period of time that
business records are stored should be determined by a
retention schedule that takes into consideration their
useful value to the business and the governing legal
requirements. No record should be kept longer than this
retention period.
By not adhering to a
program of routinely destroying stored records, a company
exhibits suspicious disposal practices that could be
negatively construed in the event of litigation or audit.
Also, the new >Federal Rule 26< requires that, in the event
of a law suit, each party provide all relevant records to
the opposing counsel within 85 days of the defendant's
initial response. If either of the litigants does not
fulfill this obligation, it will result in a summary finding
against them. By destroying records according to a set
schedule, a company appropriately limits the amount of
materials it must search through to comply with this law.
From a risk management
perspective, the only acceptable method of discarding stored
records is to destroy them by a method that ensures that the
information is obliterated. Documenting the exact date that
a record is destroyed is a prudent and recommended legal
precaution.
Incidental Business
Records Discarded On A Daily Basis Should Be Protected.
Without a program to
control it, the daily trash of every business contains
information that could be harmful. This information is
especially useful to competitors because it contains the
details of current activities. Discarded daily records
include phone messages, memos, misprinted forms, drafts of
bids and drafts of correspondence. All businesses suffer
potential exposure due to the need to discard these
incidental business records. The only means of minimizing
this exposure is to make sure such information is securely
collected and destroyed.
Recycling Is Not An
Adequate Alternative For Information Destruction.
To extract the scrap value
from office paper, recycling companies use unscreened,
minimum wage workers, to extensively sort the paper under
unsecured conditions. The acceptable paper is stored for
indefinite periods of time until there is enough of a
particular type to sell.
There is no fiduciary
responsibility inherent in the recycling scenario. Paper is
given away or sold and, by doing so, a company gives up the
right to have a say in how it is handled. There is, also, no
practical means of establishing the exact date that a record
is destroyed. In the event of an audit or litigation, this
could be a legal necessity. And, further, if something of a
private nature does surface, the selection of this unsecured
process could be interpreted as negligent. For all these
reasons, the choice of recycling as a means of information
destruction is undesirable from a risk management
perspective.
If environmental
responsibility is a concern, materials may be recycled after
they are destroyed or a firm can contract a service that
will destroy the materials under secure conditions before
recycling them. Any recycling company that minimizes the
need for security has its own interests in mind and should
be avoided.
A Certificate Of
Destruction Does Not Relieve A Company From Its Obligation
To Keep Information Confidential.
Any company contracting an
information destruction service should require that it
provide them with a signed testimonial, documenting the date
that the materials were destroyed. The "Certificate of
Destruction", as it is commonly referred, is an important
legal record of compliance with a retention schedule. It
does not, however, effectively transfer the responsibility
to maintain the confidentiality of the materials to the
contractor.
If private information
surfaces after the vendor accepts it, the court is bound to
question the process by which the particular contractor was
selected. Any company not showing due diligence in their
selection of a contractor that is capable of providing the
necessary security could be found negligent.
And, from a practical
standpoint, if proprietary or private information is lost or
leaked by the fraud or negligence of a vendor, the
obligations of that vendor are irrelevant. The firm whose
information falls into the wrong hands stands to lose the
most, either from loss of business, prosecution or
unfavorable publicity.
Since a business cannot
transfer it s responsibility to maintain confidentiality, it
must be certain that it is dealing with a reputable company
with superior security procedures. Unfortunately, there are
those information destruction services that provide
certificates of destruction while having no semblance of
security and, in some cases, no destruction process
available to them. Anyone interested in contracting a data
destruction service is advised to thoroughly review their
policies and procedures, conduct an initial site audit and
conduct subsequent unannounced audits. On-site document
destruction is also an option in most cities.
Most Records Storage
Companies Do Not Have The Equipment To Provide Shredding
Services.
Many commercial records
storage facilities offer records destruction as a service to
their customers. However, in a survey conducted by the
National Association for Information Destruction, a majority
of the commercial storage firms were found lacking the
equipment necessary to provide the service themselves. It is
a common practice in that industry to subcontract the
destruction of the records. In some cases, disreputable
storage firms were
found misleading their
customers by charging for secure records destruction, while
the materials were being sold to a recycling company for
scrap.
Any business using a
commercial records storage firm should inquire as to the
nature of the destruction services that are available. It is
an unacceptable risk to permit a storage firm to select a
subcontractor to provide the records destruction service.
The owner of the records is ultimately responsible for their
security and, therefore, should be selecting the vendor
directly.
Internal Personnel
Should Not Be Responsible For Destroying Certain
Information.
Common sense dictates that
payroll information and materials that involve labor
relations or legal affairs, should not be entrusted to lower
level employees for destruction. But, beyond that,
competition sensitive information is best protected from
them as well. It has been established, time and again, that
low wage employees often have the economic incentive to
capitalize on their access to it. The only acceptable
alternatives are to have the materials destroyed under the
supervision of upper management or by a carefully selected,
high security service.
Information Protection
Is A Vital Issue To Senior Management.
Top executives from 300
companies ranked the security of company records as one of
the top five critical issues facing business. When asked
which issues required immediate attention and policy
development, the security of company records ranked second
only to employee health screening.
Courtesy The National
Association for Information Destruction, Inc.
|
