Identity theft – it’s a multibillion-dollar swindle that has the potential to plague any business, from large corporations to small family-operated companies. In today’s 24/7 news cycle, there is always a story about a hack, or an attempt at one. We have become almost numb to the stories about data breaches where cyberattackers retrieve Social Security numbers, account numbers and more. IT companies are working overtime to protect the infrastructure of the companies and organizations they are charged with safeguarding. The “outlaws” are getting smarter and more convincing, and it takes a full-time effort to stay ahead of the cyber threats.
Most of what we hear on the news deals with IT cyberthreats, but what is often overlooked in the discussion is an even more basic, fundamental location where sensitive and secure information is stored … on paper and on small portable electronic devices. The very same potential for human error that leads to cyberhacking exists for sensitive information stored on paper. A mere one or two pieces of personal information left in an office trash bin is all that is required to steal an identity; given that, the importance of securely shredded documents cannot be overstated.
Consider, even as we as a society attempt to migrate more toward a “paperless” state, that there are still many instances where highly sensitive information is stored in paper format. Consider, too, what could happen if, at a healthcare facility for example, sensitive medical records stored on paper were discovered in the trash by someone who shouldn’t have access. The same holds true for financial institutions, real estate offices, auto dealerships and more. Despite the increase in electronic transactions, there is still a lot of information saved to paper.
The range of information businesses discard daily is monumental: financial statements, net worth information, partnership agreements, detailed memorandums about wills and testaments, and more. Any and all of this information contains the ammunition necessary to raid an individual’s financial, health and other personal records. In a perfect world it wouldn’t happen, but let’s be realistic. Even those sworn to protect the sensitive information they routinely discard can slip up – a blunder that could land highly confidential information in the wrong hands, and leave your organization facing fines and remediation expenses.
Let’s not forget the U.S. Supreme Court has declared that someone can legally dig through your trash if it is left in a public dumpster or trash bin. Once the trash is placed there, that person or company has essentially forfeited their ownership rights to the items, as the property is now in the public domain. This implies that someone could legally sift through your company’s trash or recycling looking for confidential information … and that someone could include a corporate competitor. Target markets and prospect information, long- and short-term strategies, research and development materials, product designs, partnership arrangements; even with just one or two of these critical confidential items, a competitor could sabotage the future of your company. All that money, time and effort spent on plans for a new product or service could literally fly out the window and directly into the hands of someone conducting corporate espionage.
A story in a Connecticut newspaper was written by reporters who went “undercover” and rifled through the dumpster of a prominent institution, then identified an individual by name in their story, saying, “John Smith, we know how much you earn, where you work, what your Social Security number is, and how much you pay each month for your car loan. We know this because we went through a dumpster outside of your bank.” That one “dumpster diving” news story certainly encapsulated the need for security measures when disposing of any sensitive information, whether personal or corporate.
Liability for violations of privacy rests squarely on the shoulders of the regulated businesses, including but not limited to attorneys, retail stores financing consumer goods or issuing their own credit cards, insurance companies, mortgage brokers, real estate agents, tax preparation services, credit unions, credit bureaus, banks, management consulting and counseling firms and the list goes on.
These businesses are obligated to establish procedures to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of the records or information that could result in substantial harm or inconvenience to any customer. Regulations such as HIPAA, Gramm-Leach-Bliley, the California Consumer Privacy Act, Sarbanes-Oxley and the Payment Card Industry Data Security Standard all have one common message – keeping paper documents past their useful life is a liability. Improper disposal and the potential for unauthorized disclosure open up the originator to legal suits due to breach of confidentiality. Yet it would be naïve to believe that every medical facility, attorney, mortgage company, etc. complies with the regulations 100% of the time.
As a result of such regulations (in addition to the fact that it just makes common sense), an increasing number of companies are turning to shredding services that provide locked bins and consoles to collect sensitive documents for transport back to the shredding company, where they are destroyed. Some such services also offer on-site mobile shredding. As with any service partner, it’s always wise to conduct research before forming a relationship.
The need to defend against assaults on private information also extends to another form of “written” material – hard drives. Degaussing, a demagnetizing process to erase a hard drive or tape, is a slow and expensive process to accomplish correctly. Simple erasing or wiping of electronic media is no longer an acceptable method of securely obliterating stored data. Identity thieves can collect confidential information by mining it from discarded hard drives; even hard drives that are reformatted can often be restored using special software. Companies that dispose of sensitive, confidential data without using a secure method expose themselves to unnecessary risk and costly government fines. Even if it appears hard drives and other disposable media have been wiped clean, they may still hold information that could prove damaging if in the wrong hands. The sole guaranteed method to securely dispose of retired hard drives and tapes is to shred them into infinitesimal pieces. There exist a number of shredding service firms that, in addition to permanently destroying paper documents, can also destroy hard drives, tapes and other media containing sensitive information.
Threats to the security of any business or organization can frequently be traced to some sort of human error that is not intentional, but often due to a lack of, or lapse in, proper protocol training. As our methods of keeping records have migrated from paper to electronic, there has been less focus on paper trails, creating a boon for criminals who know whom, how and when to target. Don’t allow your company to be a victim of these offenders; destroy their efforts by properly destroying your valuable data. One of the best pieces of advice you can offer your company and clients is that in addition to the IT and software solutions they employ to protect their infrastructure, they should never forget where stored information begins: on paper and on electronic devices. We all have a hand in helping our clients protect their information.
Rick Carey is general manager of Destruction.com, a Datasafe Information Security company.