Industry View

Why Information Must Be Destroyed

The inability to discard items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security.

By Ben Rothke, CISSP, PCI QSA


Depending on how long you've been in business, the number of physical sites and the number of people you employ, it's possible to have hundreds of thousands, if not millions, of pages of hard copy stored throughout your company -- much of it confidential data that could, and should, be destroyed once its retention period has passed.

The National Association of Corporate Directors provides some excellent guidelines in its Record Retention and Document Destruction Policy. From trademark registrations and safety records to retirement and pension records and much more, there is a lot that needs to be retained. But once that retention period is over, many of those documents can be destroyed. Below is a partial list of the types of information that absolutely should be shredded when no longer needed:

  • Account records
  • Activity sheets
  • Advertising
  • Applications
  • Appraisals
  • Bank statements
  • Bids and quotes
  • Budgets
  • Business plans
  • Canceled checks
  • Client lists
  • Contact lists
  • Corporate tax records
  • Correspondence
  • Customer records
  • Disciplinary reports
  • Educational reports
  • Expense reports
  • Financial statements
  • Forecasts
  • Formulas, product plans and tests
  • General service information
  • Health and safety reports
  • Internal reports
  • Legal documents
  • Lottery tickets
  • Magnetic media
  • Maps and blueprints
  • Marketing plans
  • Medical records
  • Microfilm / microfiche
  • New product information
  • Payroll documents
  • Performance appraisals
  • Personnel files
  • Plastic credit and ID cards
  • R&D reports
  • Sales forecasts
  • Specification drawings
  • Strategic reports
  • Strategies
  • Supplier POs
  • Supplier reports
  • Supplier specifications
  • Test scores / class rosters
  • Training information
  • Treatment programs
  • Encryption key management information

Besides the regulatory and ethical issues around keeping those hard copies secure, the reality is that many of your competitors would love to get their hands on the documents you are throwing out. And even if your competitors are not combing through your dumpsters, others may do so and attempt to sell your secrets to them.

For those who think that dumpster diving is a security threat of the past, check out Steve Hunt's fascinating video Scoring big in corporate dumpster diving. He recently did a dumpster dive in Chicago and found confidential wire transfer information, a laptop and other treasures in the dumpster. His adventure took all of three minutes, and he astutely advises companies to run their own dumpster diving tests.

In addition, the current recession means that organizations may have to deal with disgruntled and angry employees, as well as those who think their job or company will soon be eliminated. With that, the risk of misuse of sensitive information is even greater.

Simply put, effective document destruction practices prevent information from falling into the wrong hands. Perhaps the most pervasive example of this is credit card charge receipts, which dumpster divers retrieve from trash bins, often with the intent of using the card data for online or telephone orders. Many businesses discard such payment information without effective destruction controls, even though PCI DSS Requirement 9 obliges them to destroy hard-copy cardholder data (by shredding, incinerating or pulping it so that it cannot be reconstructed) once it is no longer needed for business or legal reasons. If such controls are not used, the information unearthed in the post-fraud investigation could be extremely embarrassing to explain to customers, and it could also turn into a PR nightmare or an expensive legal problem.
