Document Destruction: Understanding Your Risks And The Violations That May Follow

By in ,

e

By: JoEllen Barton, SecurShred. February 2013

Have you created a document destruction policy for your organization yet? If not, than you should. Federal and State regulators have created regulations to help protect an individual’s privacy and identity. All businesses big and small that collect, store, and/or handle personal information are required by law to properly handle, dispose, and/or store these records. You and your company could be held accountable for not complying with these regulations. Failure to adhere to these regulations could cost your company thousands if not millions of dollars in violations and civil or criminal penalties.

If you have, are your employees following through with proper procedures and protocols? When was the last time an in-house audit was performed? Do you leave it up to your employee(s) to decide what is “shred worthy” or does your company have a “shred all” policy?

Everyday lawyers, hospitals, financial institutions, and schools are being prosecuted for improper handling of confidential documents, if these companies can get this wrong, could your company also be non-compliant in your handling of these records? There are many forms and definitions of what is considered personal information. States define personal information differently and have written their rules and regulations accordingly.  Below is a brief overview of VT, NY, and MA regulations, as well as, Federal regulations that you need to be aware of. For more detail information click on the links.

State Regulations
Vermont
  –  9 Vt. Stat. §2445
Defines personal information, as it relates to, describes, or is capable of being associated with a particular individual. Records are defined as paper, spoken word or anything that has been electromagnetically transferred.  Superior courts shall have jurisdiction over all enforcement. (1)

New York –  N.Y. Gen. Bus. Law §399-H
Defines personal information in extensive detail. The court may impose a civil penalty of not more than five thousand dollars. (1)

MassachusettsMass. Gen. Laws Ch. 93I, §2
Targets both paper-based and electronic data. Failure to disclose breaches can result in civil or criminal penalties. (1)

Federal Regulations
Graham-Leach-Bliley

Created to protect consumers’ personal financial information held by financial institutions. Institutions will be subject to a civil penalty of not more than $100,000 for each violation. Officers and directors of the institution will be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation. The institution and its officers and directors will also be subject to fines in accordance with Title 18 of the United States Code or imprisonment for not more than five years, or both. (2)

FACTA (Fair and Accurate Credit Transactions Act)
Rule enacted in December of 2003 that requires businesses to properly dispose of and destroy sensitive consumer data. Federal fines up to $2,500 per violation and State fines up to $1,000.

Red Flag Rule
Every organization “that holds any consumer account, or other account for which there is a reasonably foreseeable risk of identity theft” to develop what it calls “reasonable policies and procedures for detecting, preventing, and mitigating identity theft. Federal fines up to $2,500 per individual incident and State fines up to $1,000 per individual incident. After regulator warning, 11,000 per individual incident. (3)

Sarbanes Oxley Act (SOX)
Created to enhance corporate responsibility, financial disclosures and combat corporate and account fraud. One major provision requires public companies to evaluate and disclose the effectiveness of their internal controls. This requirement drives the need for companies to have detailed information systems in place, including secure disposal of obsoletely business records.

Keeping current and compliant with all State and Federal regulations is important for the health of your company.  Company compliance is critical especially if you own a small business, all it takes is one fine to financially cripple your company and destroy its reputation.


Teaming up with a Document Destruction Partner

Document destruction companies are in the business of protecting company information. From paper to electronic media they can shred it all. All Information destruction companies though are not a like. Make sure you choose your Document Destruction Partner with care. The industry is growing very quickly and not all companies choose the hard road of becoming NAID Certified. Once a company obtains their certification there is also the task of staying compliant and keeping up with the certification.

Make sure the company you choose;

1. Knows all federal, state, and industry regulations that apply to your business
2. Is knowledgeable and able to help you create and implement a compliant information handling program.
3. Offers “cradle-to-grave tracking” for electronics and has a solid chain of custody that will ensure your sensitive information remain secure throughout its destruction process.
4.  Offers you a Document of Destruction at the completion of every service.

Don’t be afraid to ask questions!
Your reputation could be on the line. When choosing a company to partner with, ask as many questions as you can and do not be afraid to;

1. Perform an independent audit of your potential partner’s facilities and inspect their practices. There is nothing wrong with conducting your own audit of their processes.
2. Asking for at least three references similar to your own industry.
3. Make sure they are NAID Certified and not just a NAID member. Anyone can pay a membership fee and become a member. NAID Certified Businesses & Professionals have to go through training, testing, compliance tasks, background screenings, annual announced and unannounced audits and much more. The NAID (National Association of Information Destruction) Certification Program establishes standards for the secure destruction process including such areas as operational security, employee hiring and screening, the destruction process, responsible disposal and insurance.

We encourage you to watch this video: NAID AAA Certification “Beyond the Claims and Promises”
http://www.youtube.com/watch?v=DXhPeQ905_k&feature=youtu.be
Routine service and/or one time purging?
Now that you have established that your company, in order to be in compliance, needs a document management system, it is time to look at what services you need and what will work best with your organization.

Routine service; Lockable containers that can be placed about your organization.

These containers can be used for many purposes depending upon the department. The accounting/human resources department may want an executive type lockable console where they can place paper documents. Your IT department may use a lockable executive console to store old hard drives waiting to be destroyed and recycled.  For organizations that produce a significant amount of paper, maybe a lockable tote the size of a garbage container might be better. Many companies that produce larger volumes of paper empty their consoles into these larger lockable totes and store them in a secure area until their scheduled service date.

Paper Box Purges
For companies that have a smaller volume of material, maybe a semi-annual or annual paper box purge service would work out better. A mobile shred truck can perform on-site shredding of these records in a matter of minutes. The service is fast, secure and in most cases you can watch your confidential material being shredding through a camera located on the side of the truck (most state-of-the-art mobile shredding trucks have this camera installed).  In conjunction to routine paper service larger companies that have record retention policies in place will schedule an annual record purging at an off-site location.

On-site shredding or off-site shredding
Which service you choose depends upon your document management policy and/or state or federal regulations that pertain to your organization. Some organizations create very strict policies were not only does the shredding have to be performed on-site but also needs to be witnessed by a representative of the organization.

For those companies that do not have such strict requirements, off-site shredding is a great option. You still receive the same security and service.
Bottom line
Many companies offer a range of services that make partnering with an information destruction company beneficial. Save time, money, and storage space by choosing a company that offers paper destruction and recycling, hard drive and backup tape destruction and recycling, computer recycling, document imaging conversion and records storage. You can schedule routine pickups of electronics to be destroyed and recycled, as well as, boxes to be added to storage. Saving time spent by an employee(s) gathering these materials and taking them to the local waste facility. Increasing productivity by keeping the records that need to be stored/kept, in a facility that offers 24/7 monitoring, is climate controlled, has a state-of-the-art inventory control system that allows for quick and easy retrieval of records. No more having an employee spend hours searching through boxes in an unsecured off-site storage location. On paper it may seem like you are saving money by keeping your records in a “locked” storage locker, but when you realistically add in an employee’s time spend sifting through boxes for a record(s) and the risk of un-securely transporting boxes back and forth between locations, it can add up very quickly.

SecurShred is AAA NAID Certified for on-site and off-site destruction of paper/printed media, computer hard drives & non-paper media. Services include; paper destruction and recycling, hard drive and backup tape destruction and recycling, electronics recycling, document imaging and off-site record and backup tape and hard drive storage. Our service territory covers all of Vermont, Northwestern Massachusetts, New Hampshire, and Northern New York.

Contact Securshred, Monday through Friday from 8:30am to 4:30pm for more information about our services, to receive a free quote or to schedule a pickup. [email protected] | 877-863-3003 x2

Source:
(1) National Conference of State Legislatures – http://www.ncsl.org/issues-research/telecom/data-disposal-laws.aspx

(2) Ecora.com – http://www.ecora.com/Ecora/whitepapers/IDRS_GLBA.pdf

(3) Ascpa – http://www.ascpa.org/Content/38354.aspx