Industry View
Why Information Must Be Destroyed
The inability to discard items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why the same habit is a bad one in the world of IT security.
By Ben Rothke, CISSP, PCI QSA
Another relevant regulation around disposal is the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Its Disposal Rule, in effect since June 2005, requires businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual that uses a consumer report for a business purpose is subject to the Disposal Rule, which calls for the proper disposal of information in consumer reports and records in order to protect against unauthorized access to, or use of, that information.
The Rule applies to individuals and to organizations large and small that use consumer reports, including: consumer reporting companies; lenders; insurers; employers; landlords; government agencies; mortgage brokers; car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective household employees, such as nannies or contractors; and entities that maintain information from consumer reports in their role as a service provider to other organizations covered by the Rule.
A benefit of having a formal document destruction process, and of using a product such as the Media Disposal Toolkit, is that an organization that already destroys documents properly does not have to scramble every time a new regulation appears: a sound destruction practice is likely to be compliant with whatever new regulation comes out.
Hard copies should be destroyed on a formal and regular basis
Imagine you are the manager of a large medical practice that is being sued after 10,000 pages of medical records found their way into the hands of an investigative reporter or a thief. When the plaintiff's lawyer asks how you get rid of hard copies, an answer such as "Lenny the computer guy does it whenever he can" is akin to pleading guilty. In contrast, "We have an outside bonded, National Association for Information Destruction (NAID) certified company empty our security containers and shred the contents on a weekly basis" will likely shield you from significant liability.
The issue is not so much how often data is destroyed as whether destruction is done on a formal basis, driven by risk factors specific to the organization. As part of effective oversight, a formal system of information destruction must be created and implemented. If data destruction is performed in a formal, documented manner and on a defined schedule, the plaintiff's lawyers will have much less to work with, which a jury is likely to view favorably.
Two good examples of formalized procedures are the Confidential Document Handling Procedures from Purdue University and the Iowa State University Document Destruction Operating Plan. A Google search will turn up many more, which you can use as a base for your own program.