Why Information Must Be Destroyed
The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. Ben Rothke explains why it's a bad habit in the world of IT security.
By Ben Rothke, CISSP, PCI QSA
February 24, 2009 — CSO
The inability to discard worthless items even though they appear to have no value is known as compulsive hoarding syndrome. If the eccentric Collyer brothers had a better understanding of destruction practices, they likely would not have been killed by the very documents and newspapers they obsessively collected.
While most organizations don't hoard junk and newspapers like Homer and Langley Collyer did, they do need to keep information such as employee personnel records, financial statements, contracts, leases and more. Given the vast amount of paper and digital media that amasses over time, effective information destruction policies and practices are now a necessary part of doing business and will likely save organizations time, effort, heartache and legal costs, as well as embarrassment and more.
In December 2007, the Federal Trade Commission announced a $50,000 settlement with American Mortgage Company of Northbrook, Illinois, over charges that the company violated the FTC's Disposal, Safeguards, and Privacy rules by failing to properly dispose of documents containing consumers' credit and personally identifiable information. In announcing the settlement, the FTC put all companies on notice that it is taking such failures seriously.
A $50,000 settlement might seem low when measured against the potential for financial harm to individuals as a result of the company's negligence, but in addition to the negative PR for American Mortgage, the settlement includes an obligation to obtain an audit, every two years for the next 10 years, from a qualified, independent, third-party professional to ensure that its security program meets the standards of the order. Any similar failures by this company during the next decade will be met with more severe punishment. That, indeed, is a very costly lesson.
In today's litigious environment, there is a plethora of aggressive lawyers who would love to devour your organization for failure to take due care around document and media destruction.
This article will look at the key areas to ensure that your organization does not fall prey to such lawyers when it comes to the physical destruction of documents and records. The next article will go into the details around the destruction of digital documents and digital media.
Every organization has data that needs to be destroyed
Besides taxes, what unites every business is that it possesses highly sensitive information that should not be seen by unauthorized persons. While some documents can be destroyed minutes after printing, regulations may require others to be archived from a few years to permanently. But between these two ends of the scale, your organization can potentially have a large volume of hard copy data occupying space as a liability, from both a legal and an information security perspective.