Why Information Must Be Destroyed

The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security

The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. If the eccentric Collyer brothers had a better understanding of destruction practices, they likely would not have been killed by the very documents and newspapers they obsessively collected.

While most organizations don't hoard junk and newspapers like Homer and Langley Collyer did, they do need to keep information such as employee personnel records, financial statements, contracts and leases and more. Given the vast amount of paper and digital media that amasses over time, effective information destruction policies and practices are now a necessary part of doing business and will likely save organizations time, effort and heartache, legal costs as well as embarrassment and more.

[See: Data Breaches Spark Hard Drive Shredding Boom]

In December 2007, the Federal Trade Commission announced a $50,000 settlement with American Mortgage Company of Northbrook, Illinois, over charges the company violated the FTC's Disposal, Safeguards, and Privacy rules by failing to properly dispose of documents containing consumers' credit and personally identifiable information. In announcing the settlement, the FTC put all companies on notice that it is taking such failures seriously.

A $50,000 settlement might seem low when measured against the potential for financial harm to individuals as a result of the company's negligence, but in addition to the negative PR for American Mortgage, the settlement includes an obligation to obtain an audit, every two years for the next 10 years, from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. Any similar failures by this company during the next decade will be met with more severe punishment. That, indeed, is a very costly lesson.

In today's litigious environment, there are a plethora of aggressive lawyers who would love to devour your organization for failure to take due care around document and media destruction.

This article will look at the key areas to ensure that your organization does not fall prey to such lawyers when it comes to the physical destruction of documents and records. The next article will go into the details around the destruction of digital documents and digital media.

Every organization has data that needs to be destroyed

Besides taxes, what unites every business is that they possess highly sensitive information that should not be seen by unauthorized persons. While some documents can be destroyed minutes after printing, regulations may require others to be archived from a few years to permanently. But between these two ends of the scale, your organization can potentially have a large volume of hard copy data occupying space as a liability, both from a legal and information security perspective.

Depending on how long you've been in business, the number of physical sites and the number of people you employ, it's possible to have hundreds of thousands, if not millions, of pages of hard copy stored throughout your company -- much of which is confidential data that can be destroyed.

The National Association of Corporate Directors provides some excellent guidelines in their Record Retention and Document Destruction Policy. From trademark registrations, safety records, to retirement and pension records and much more, there is a lot that needs to be retained. But once that retention period is over, much of those documents can be destroyed. Below is a partial list of the types of information that absolutely should be shredded when no longer needed:

  • Account records
  • Activity sheets
  • Advertising
  • Applications
  • Appraisals
  • Bank statements
  • Bids and quotes
  • Budgets
  • Business plans
  • Canceled checks
  • Client lists
  • Contact lists
  • Corporate tax records
  • Correspondence
  • Customer records
  • Disciplinary reports
  • Educational reports
  • Expense reports
  • Financial statements
  • Forecasts
  • Formulas, product plans and tests
  • General service information
  • Health and safety reports
  • Internal reports
  • Legal Documents
  • Lottery tickets
  • Magnetic media
  • Maps and blueprints
  • Marketing plans
  • Medical records
  • Microfilm / microfiche
  • New product information
  • Payroll documents
  • Performance appraisals
  • Personnel files
  • Plastic credit and ID cards
  • R&D reports
  • Sales forecasts
  • Specification drawings
  • Strategic reports
  • Strategies
  • Supplier POs
  • Supplier reports
  • Supplier specifications
  • Test scores / class rosters
  • Training information
  • Treatment programs
  • Encryption key management information

Besides the regulatory and ethical issues around keeping those hard copies secure, the reality is that many of your competitors would love to get their hands on the documents that you are throwing out. And even if your competitors are not combing through your dumpsters, others may do so and attempt to sell your secrets to your competitors.

For those who think that dumpster diving is security threat of the past, check out Steve Hunt's fascinating video Scoring big in corporate dumpster diving. He recently did a dumpster dive in Chicago and found confidential wire transfer information, a laptop, and others treasures in the dumpster. His adventure took all of three minutes and he astutely advises companies to do their own dumpster diving tests.

In addition, the current recession means that organizations may have to deal with disgruntled and angry employees as well as those who think their job or company will soon be eliminated. With that, the risk of misuse of sensitive information is even greater.

Simply put, effective document destruction practices prevent information from falling into the wrong hands. Perhaps the most pervasive example of this is credit card charge receipts, which are retrieved from trash bins by dumpster divers often with the intent of using the information for online or telephone orders. Many businesses discard such payment information without effective destruction controls. If such controls are not used, the information unearthed from the post-fraud investigation could be extremely embarrassing to explain to customers, and it could also turn into a PR nightmare or an expensive legal problem.

Just trash it all: The Enron approach

Once made aware of the need many organizations take a knee-jerk reaction by gathering all stored hard copies and simply disposing of them. But that does not solve the problem for a number of reasons.

First, there are legal and regulatory requirements that mandate that paper documents be retained for specific periods of time. Additionally, throwing things directly into the dumpster exposes companies to dumpster divers. As detailed above, dumpsters can be a great source of information.

There is another reason why the trashing of daily records without appropriate destruction is dangerous. If you simply throw out trash and it gets into your competitors' hands, they can easily correlate and learn about your business activities.

By way of example, SIM software can take seemingly disparate log items and correlate them into an active attack; so too with your trash. Your daily activities are similarly manifest in your trash. From daily activities, phone records, travel plans, RFP submissions, memos, and much more, your business can be exposed if this information is not properly destroyed.

If Enron is the poster child for inappropriate document destruction, those organizations seeking to do document destruction precisely should consider obtaining the Media Disposal Toolkit from Network Frontiers. The toolkit contains everything an organization needs to know about data disposal. It includes a spreadsheet of unified common controls, work breakdown structure with processes and procedures and a data deletion management documentation on the policies and standards that organizations must adhere to in order to be in compliance with global regulatory mandates.

Regulatory issues

Various regulations must be taken into consideration also. For example, Sarbanes-Oxley addresses the destruction of business records and documents and turns intentional document destruction into a process that must be carefully monitored. If the process is not followed, executives can find themselves under indictment. Having formally documented data retention and policies are a requirement.

SoX raises the legal stakes for destruction of corporate documents and includes numerous provisions that create and enhance criminal penalties for corporate fraud and obstruction of justice. SoX section 1102 makes it a crime, punishable by fine and imprisonment for up to 20 years, to corruptly alter, destroy, mutilate or conceal a record, document or other object with the intent to impair the object's integrity or availability or use in an official proceeding or to obstruct or impede an official proceeding. SoX section 802 states that "whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."

Another relevant regulation around disposal is the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Enacted in June 2005 requires businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of FACTA that calls for the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information.

The Rule applies to people and both large and small organizations that use consumer reports, including: consumer reporting companies, lenders, insurers; employers; landlords; government agencies; mortgage brokers, car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the rule.

A benefit of having a formal document destruction process and using product such as the Media Disposal Toolkit is that since you are doing document destruction properly, your organization does not have to worry about every new regulation, as such practices are likely compliant with whatever new regulation comes out.

Hard copies should be destroyed on a formal and regular basis

Imagine you are the manager of a large medical practice which is being sued after 10,000 pages of medical records found their way into the hands of an investigative reporter or thief. When asked by the plaintiff's lawyer how you get rid of hard copies, an answer such as "Lenny the computer guy does it whenever he can" is akin to pleading guilty. In contrast, "We have an outside bonded, National Association of Information Destruction (NAID) certified company empty our security containers and shred the contents on a weekly basis" will likely shield you from significant liability.

The issue also is not necessarily how often the data is destroyed; rather whether it is done on a formal basis, based on risk factors specific to the organization. As part of effective oversight, a formal system of information destruction must be created and implemented. If data destruction is indeed performed in a formal, documented manner, and your destruction schedule is done on a scheduled basis; the plaintiff's lawyers will have much less to use, which could likely be judged positively by a jury.

Two good examples of formalized procedures are the Confidential Document Handling Procedures from Purdue University and the Iowa State University Document Destruction Operating Plan. A Google search will give you many more, which you can use as a base for your program.

One of the most important aspects of a formal plan for information destruction is consistency. If an organization is inconsistent in what it destroys, this shows a lack of due diligence, in addition to the appearance to attempting to hide something.

As part of this formal process, realize also that there are many elements to data destruction that must be built into the process. One of them is the concept of a data destruction moratorium. The reason for this is that there are times when an organization must stop its data destruction activities. If a legal discovery request is received, policies must be in place to ensure that all organized and periodic data destruction activities must immediately be placed on hold until the Legal Department determines whether these destruction activities jeopardize sought-after data.

As to a formal process, there was a company that used a goat as their document shredder. While perhaps effective from a shredding perspective, it is clearly not a best practice approach, nor is it likely their lawyers signed off on that method. A goat eating away at paper is fine for the Far Side, but has no place in a formal document disposal process.

Security containers

1 2 Page
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies