Why it’s a bad habit in the world of IT security
The inability to discard items even though they appear to have no value is known as compulsive hoarding syndrome. If the eccentric Collyer brothers had a better understanding of destruction practices, they likely would not have been killed by the very documents and newspapers they obsessively collected.
While most organizations don’t hoard junk and newspapers like Homer and Langley Collyer did, they do need to keep information such as employee personnel records, financial statements, contracts, leases and more. Given the vast amount of paper and digital media that amasses over time, effective information destruction policies and practices are now a necessary part of doing business, and they will likely save organizations time, effort, heartache, legal costs and embarrassment.
In December 2007, the Federal Trade Commission announced a $50,000 settlement with American Mortgage Company of Northbrook, Illinois, over charges the company violated the FTC’s Disposal, Safeguards, and Privacy rules by failing to properly dispose of documents containing consumers’ credit and personally identifiable information. In announcing the settlement, the FTC put all companies on notice that it is taking such failures seriously.
A $50,000 settlement might seem low when measured against the potential for financial harm to individuals as a result of the company’s negligence, but in addition to the negative PR for American Mortgage, the settlement includes an obligation to obtain an audit, every two years for the next 10 years, from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. Any similar failures by this company during the next decade will be met with more severe punishment. That, indeed, is a very costly lesson.
In today’s litigious environment, there are a plethora of aggressive lawyers who would love to devour your organization for failure to take due care around document and media destruction.
This article will look at the key areas to ensure that your organization does not fall prey to such lawyers when it comes to the physical destruction of documents and records. The next article will go into the details around the destruction of digital documents and digital media.
Every organization has data that needs to be destroyed
Besides taxes, what unites every business is that they possess highly sensitive information that should not be seen by unauthorized persons. While some documents can be destroyed minutes after printing, regulations may require others to be archived from a few years to permanently. But between these two ends of the scale, your organization can potentially have a large volume of hard copy data occupying space as a liability, both from a legal and information security perspective.
Depending on how long you’ve been in business, the number of physical sites and the number of people you employ, it’s possible to have hundreds of thousands, if not millions, of pages of hard copy stored throughout your company — much of which is confidential data that can be destroyed.
The National Association of Corporate Directors provides some excellent guidelines in their Record Retention and Document Destruction Policy. From trademark registrations and safety records to retirement and pension records and much more, there is a lot that needs to be retained. But once that retention period is over, many of those documents can be destroyed. Below is a partial list of the types of information that absolutely should be shredded when no longer needed:
• Account records
• Activity sheets
• Bank statements
• Bids and quotes
• Business plans
• Canceled checks
• Client lists
• Contact lists
• Corporate tax records
• Customer records
• Disciplinary reports
• Educational reports
• Expense reports
• Financial statements
• Formulas, product plans and tests
• General service information
• Health and safety reports
• Internal reports
• Legal documents
• Lottery tickets
• Magnetic media
• Maps and blueprints
• Marketing plans
• Medical records
• Microfilm / microfiche
• New product information
• Payroll documents
• Performance appraisals
• Personnel files
• Plastic credit and ID cards
• R&D reports
• Sales forecasts
• Specification drawings
• Strategic reports
• Supplier POs
• Supplier reports
• Supplier specifications
• Test scores / class rosters
• Training information
• Treatment programs
• Encryption key management information
Besides the regulatory and ethical issues around keeping those hard copies secure, the reality is that many of your competitors would love to get their hands on the documents that you are throwing out. And even if your competitors are not combing through your dumpsters, others may do so and attempt to sell your secrets to your competitors.
For those who think that dumpster diving is a security threat of the past, check out Steve Hunt’s fascinating video Scoring big in corporate dumpster diving. He recently did a dumpster dive in Chicago and found confidential wire transfer information, a laptop, and other treasures in the dumpster. His adventure took all of three minutes, and he astutely advises companies to do their own dumpster diving tests.
In addition, the current recession means that organizations may have to deal with disgruntled and angry employees as well as those who think their job or company will soon be eliminated. With that, the risk of misuse of sensitive information is even greater.
Simply put, effective document destruction practices prevent information from falling into the wrong hands. Perhaps the most pervasive example of this is credit card charge receipts, which are retrieved from trash bins by dumpster divers often with the intent of using the information for online or telephone orders. Many businesses discard such payment information without effective destruction controls. If such controls are not used, the information unearthed from the post-fraud investigation could be extremely embarrassing to explain to customers, and it could also turn into a PR nightmare or an expensive legal problem.
Just trash it all: The Enron approach
Once made aware of the need, many organizations have a knee-jerk reaction: they gather all stored hard copies and simply dispose of them. But that does not solve the problem, for a number of reasons.
First, there are legal and regulatory requirements that mandate that paper documents be retained for specific periods of time. Additionally, throwing things directly into the dumpster exposes companies to dumpster divers. As detailed above, dumpsters can be a great source of information.
There is another reason why the trashing of daily records without appropriate destruction is dangerous. If you simply throw out trash and it gets into your competitors’ hands, they can easily correlate and learn about your business activities.
By way of example, SIM software can take seemingly disparate log items and correlate them into an active attack; so too with your trash. Your daily activities are manifest in what you throw out. From daily activities, phone records, travel plans, RFP submissions, memos, and much more, your business can be exposed if this information is not properly destroyed.
If Enron is the poster child for inappropriate document destruction, those organizations seeking to do document destruction precisely should consider obtaining the Media Disposal Toolkit from Network Frontiers. The toolkit contains everything an organization needs to know about data disposal. It includes a spreadsheet of unified common controls, a work breakdown structure with processes and procedures, and data deletion management documentation on the policies and standards that organizations must adhere to in order to be in compliance with global regulatory mandates.
Various regulations must be taken into consideration as well. For example, Sarbanes-Oxley addresses the destruction of business records and documents and turns intentional document destruction into a process that must be carefully monitored. If the process is not followed, executives can find themselves under indictment. Formally documented data retention and destruction policies are a requirement.
SoX raises the legal stakes for destruction of corporate documents and includes numerous provisions that create and enhance criminal penalties for corporate fraud and obstruction of justice. SoX section 1102 makes it a crime, punishable by fine and imprisonment for up to 20 years, to corruptly alter, destroy, mutilate or conceal a record, document or other object with the intent to impair the object’s integrity or availability or use in an official proceeding or to obstruct or impede an official proceeding. SoX section 802 states that “whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.”
Another relevant regulation around disposal is the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Enacted in June 2005, it requires businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of FACTA that calls for the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information.
The Rule applies to individuals and to both large and small organizations that use consumer reports, including: consumer reporting companies; lenders; insurers; employers; landlords; government agencies; mortgage brokers; car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the rule.
A benefit of having a formal document destruction process and using a product such as the Media Disposal Toolkit is that, since you are doing document destruction properly, your organization does not have to worry about every new regulation, as such practices are likely compliant with whatever new regulation comes out.
Hard copies should be destroyed on a formal and regular basis
Imagine you are the manager of a large medical practice which is being sued after 10,000 pages of medical records found their way into the hands of an investigative reporter or thief. When asked by the plaintiff’s lawyer how you get rid of hard copies, an answer such as “Lenny the computer guy does it whenever he can” is akin to pleading guilty. In contrast, “We have an outside bonded, National Association of Information Destruction (NAID) certified company empty our security containers and shred the contents on a weekly basis” will likely shield you from significant liability.
The issue is not necessarily how often the data is destroyed, but whether it is done on a formal basis, based on risk factors specific to the organization. As part of effective oversight, a formal system of information destruction must be created and implemented. If data destruction is indeed performed in a formal, documented manner and on a regular schedule, the plaintiff’s lawyers will have much less to use, which will likely be judged positively by a jury.
Two good examples of formalized procedures are the Confidential Document Handling Procedures from Purdue University and the Iowa State University Document Destruction Operating Plan. A Google search will give you many more, which you can use as a base for your program.
One of the most important aspects of a formal plan for information destruction is consistency. If an organization is inconsistent in what it destroys, this shows a lack of due diligence, in addition to giving the appearance of attempting to hide something.
As part of this formal process, realize also that there are many elements to data destruction that must be built into the process. One of them is the concept of a data destruction moratorium. The reason for this is that there are times when an organization must stop its data destruction activities. If a legal discovery request is received, policies must be in place to ensure that all organized and periodic data destruction activities are immediately placed on hold until the Legal Department determines whether these destruction activities jeopardize sought-after data.
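As an added illustration (not from the original article), here is a small Python model of a scheduled destruction run that applies both a retention schedule and the legal-hold moratorium just described, so that nothing whose retention period is still running, whose category is unknown, or which is covered by an active hold is ever released for shredding. The record categories, retention periods and hold are constructed sample values, not any organization's actual schedule.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str     # e.g. "payroll", "medical"
    created: date
    custodian: str    # department holding the hard copy


# Constructed retention schedule in years (hypothetical; real periods come
# from counsel and the regulations that apply to the organization).
RETENTION_YEARS = {"payroll": 7, "medical": 10, "marketing_plan": 3}


@dataclass
class LegalHold:
    hold_id: str
    categories: frozenset   # empty set means every category is covered
    custodians: frozenset   # empty set means every custodian is covered
    released: bool = False  # set once Legal lifts the moratorium

    def covers(self, rec: Record) -> bool:
        if self.released:
            return False
        cat_ok = not self.categories or rec.category in self.categories
        cust_ok = not self.custodians or rec.custodian in self.custodians
        return cat_ok and cust_ok


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                      # 29 Feb in a non-leap year
        return d.replace(year=d.year + years, day=28)


def retention_expired(rec: Record, today: date) -> bool:
    years = RETENTION_YEARS.get(rec.category)
    if years is None:
        return False    # no schedule entry: never destroy automatically
    return today >= add_years(rec.created, years)


def plan_destruction_run(records, holds, today):
    """Split records into (destroy, held, retain), each with a reason.
    Holds are checked first, so a discovery request blocks destruction
    even when the retention period has long expired."""
    destroy, held, retain = [], [], []
    for rec in records:
        blocking = [h.hold_id for h in holds if h.covers(rec)]
        if blocking:
            held.append((rec.record_id, "legal hold " + ",".join(blocking)))
        elif retention_expired(rec, today):
            destroy.append((rec.record_id, f"{rec.category} retention expired"))
        else:
            retain.append((rec.record_id, "within retention or unscheduled"))
    return destroy, held, retain


# Constructed sample data for a run dated to this article's publication.
SAMPLE_RECORDS = [
    Record("R1", "payroll", date(2000, 3, 1), "finance"),
    Record("R2", "payroll", date(2008, 1, 15), "finance"),
    Record("R3", "medical", date(1995, 6, 30), "clinic"),
    Record("R4", "formula", date(1990, 1, 1), "rnd"),     # no schedule entry
]
SAMPLE_HOLDS = [LegalHold("H-1", frozenset({"medical"}), frozenset())]
TODAY = date(2009, 2, 24)
```

Re-running the same plan after the hold is marked released is what moves R3 from the held list to the destroy list, which is the audit trail a plaintiff's lawyer would expect to see.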
As to a formal process, there was a company that used a goat as their document shredder. While perhaps effective from a shredding perspective, it is clearly not a best practice approach, nor is it likely their lawyers signed off on that method. A goat eating away at paper is fine for the Far Side, but has no place in a formal document disposal process.
As the need for information destruction has caught on, the ubiquitous security containers are found in many organizations. It is a good idea to have such containers readily available so staff can easily dispose of information that is no longer needed.
Containers generally come in three sizes:
• Executive consoles: Generally used in high-profile environments. They have front loading which frees up the top space for office equipment and the doors swing open for easy removal and can be keyed alike. Approximate measurements 40″ by 19″ by 19″.
• Large containers: 96-gallon security containers are used for heavy document production centers, purging sites, warehouses and high-traffic offices, and are especially popular for overflow conditions. Approximate measurements — 43″ by 24″ by 37″. They have the capacity to hold up to 15 boxes of paper.
• Bulk containers: Used for larger production centers, areas that generate large quantities of confidential data and some e-scrap material. Approximate measurements: 38″ by 43″ by 29″ and can accommodate up to 650-plus pounds of material.
As part of a security awareness program, make sure that employees are trained in the proper disposal and destruction of sensitive materials. You want to make sure that employees place papers in these designated locked destruction containers and not in trash bins, recycle bins, or other publicly-accessible locations. Also, make sure that they don’t place materials that don’t need to be shredded in these bins. Since many destruction companies charge by the bin or pound, placing documents in these bins that don’t need to be shredded is a waste of money.
Some organizations use these secure information containers only for sensitive, but not highly confidential or secret, information. Some organizations have policies that require highly confidential or secret information, because it is so sensitive, to be destroyed immediately. This lessens the risk that someone could break into a locked destruction container, or even steal the whole container and then break into it at another location.
In-house or outsource?
Document destruction, like other services, can be done in-house or outsourced. Which is the best way to go? Like every decision, the correct answer is the proverbial — it depends.
There are two predominant types of shredding services available — plant-based (offsite) and mobile (on-site).
• Mobile-based shredding: Mobile shredders have the actual shredders on the truck itself. Mobile shredding companies provide bins or consoles for their customers and, on scheduled days, the truck arrives at the place of business and the Customer Service Representative (CSR) collects the bins or console bags, takes them to the truck, and shreds the material on the customer’s premises. After completion, the CSR will typically leave a Certificate of Destruction. Since the shredding operation is done on the customer’s property, it is assumed to be more secure, since nothing leaves unshredded. Often the customer will board the truck to ensure their sensitive material is indeed being destroyed.
• Plant-based shredding: This is a typical off-site service where the plant has large industrial shredders. On the scheduled day, the CSR collects the bins or console bags, places them in a secure truck and transports them back to the remote plant, where the bins are unloaded into a secured area. The collected bins are later staged for shredding, which can occur days later. Some view this as an insecure method, since the documents may be left unattended. One other major caveat is that plant-based shredders may sort the material to maximize its recycling value, which can put your organization at risk. Some of these off-site shredding companies are simply glorified recycling companies that get top dollar for recycling paper, your paper. Since their staff will sort the documents, they have the opportunity to take them. So before you choose a plant-based service, make sure you investigate them accordingly.
When dealing with an outsourcer, ensure that they are National Association of Information Destruction (NAID) certified. NAID is an independent organization that certifies destruction companies. Its certification program checks a shredding company’s compliance in 22 critical areas, including everything from shred size to employee background checks. When it comes to something as critical as information destruction: caveat emptor. Unscrupulous shredding companies will claim to be NAID certified just to get your business. Make sure to ask for a copy of their NAID Certified certificate as proof of their standing. So, given that it depends, which is the right solution? There are potential security issues with both. Mobile shredding is done by the CSR alone, and since the CSR is alone on the truck, they may have access to your confidential material.
With a plant-based approach, various plant employees have access to the material during the sort process. A paper sorter could conceal a sensitive document on his person and leave the property with it.
The bottom line is that either solution requires a degree of trust, but the final decision rests with the customer, based on what they feel is the most secure solution. This decision, like most, is a trade-off between level of security and cost.
A third solution is to do it yourself. While this may seem cheaper in the short term, it can often be more expensive. And if you do it internally, there must be policies and procedures to ensure that destruction of sensitive information is performed only with approved destruction methods, including shredders or other equipment approved by the Information Security Department.
Whether you use a mobile-based or a plant-based shredding service, ensure that the service provider is NAID certified and that all documents are secured until they are destroyed. A good SLA is to make sure documents are completely destroyed within 24 hours and a Certificate of Destruction is provided upon completion of this process.
It is clear that document destruction in today’s world must be part of a good system of business processes. This article describes the start of the process. The next article will get into more technical areas such as shred size, digital media and more.
But the bottom line is that if your organization is not careful about what it fails to dispose of properly, it could become your competitors’ good fortune and your worst corporate nightmare.
Ben Rothke, CISSP, PCI QSA, CSO, February 24, 2009
Ben Rothke CISSP, QSA (firstname.lastname@example.org) is a Security Consultant with BT Professional Services and the author of “Computer Security: 20 Things Every Employee Should Know” (McGraw-Hill).