Identity theft – it’s a multibillion-dollar swindle that has the potential to plague any business, from large corporations to small family-operated companies. In today’s 24/7 news cycle, there is always a story about a hack, or an attempt at one. We have become almost numb to the stories about data breaches where cyber attackers retrieve social security numbers, account numbers, and more. IT companies are working overtime to protect the infrastructure of the companies and organizations they are charged with safeguarding. The “outlaws” are getting smarter and more convincing, and it takes a full-time effort to stay ahead of the cyber threats.
Most of what we hear on the news deals with IT cyber threats, but what is often overlooked in the discussion is an even more basic, fundamental location where sensitive and secure information is stored…on paper, and on small portable electronic devices. The very same potential for human error that leads to cyber hacking exists for sensitive information stored on paper. A mere one or two pieces of personal information left in an office trash bin is all that is required to steal an identity; as such, the importance of securely shredding documents cannot be overstated.
Consider, even as we as a society attempt to migrate more toward a “paperless” state, that there are still many instances where highly sensitive information is stored in paper format. Consider, too, what could happen if, at a healthcare facility for example, sensitive medical records stored on paper were discovered “in the trash” by someone who shouldn’t have access. The same holds true for financial institutions, real estate offices, auto dealerships and more. The list goes on. Despite the increase in electronic transactions, there is still a lot of information saved to paper.
The type of information businesses discard daily is monumental: financial statements, net worth information, partnership agreements, detailed memorandums about wills and testaments, and more. Any and all of this information contains the ammunition necessary to raid an individual’s financial, health and other personal records. In a perfect world it wouldn’t happen, but let’s be realistic. Even those sworn to protect the sensitive information they routinely discard can slip up – a blunder that could land highly confidential information in the wrong hands, and leave your organization facing fines and remediation expenses.
Let’s not forget the U.S. Supreme Court has declared that someone can legally dig through your trash if it is left in a public dumpster or trash bin. Once the trash is placed there, that person or company has essentially forfeited their ownership rights to the items, as the property is now in the public domain. This implies that someone could legally sift through your company’s trash or recycling looking for confidential information…and that someone could include a corporate competitor. Target markets and prospect information, long- and short-term strategies, research and development materials, product designs, partnership arrangements; even with just one or two of these critical confidential items, a competitor could sabotage the future of your company. All that money, time and effort spent on plans for a new product or service could literally fly out the window and directly into the hands of someone conducting corporate espionage.
A story in a Connecticut newspaper was written by reporters who went “undercover” and rifled through a dumpster of a prominent institution, then identified an individual by name in their story, saying, “John Smith, we know how much you earn, where you work, what your Social Security number is, and how much you pay each month for your car loan. We know this because we went through a dumpster outside of your bank.” That one “dumpster diving” news story certainly encapsulated the need for security measures when disposing of any sensitive information, whether personal or corporate.
Liability for violations of privacy rests squarely on the shoulders of the regulated businesses, including but not limited to attorneys, retail stores financing consumer goods or issuing their own credit cards, insurance companies, mortgage brokers, real estate agents, tax preparation services, credit unions, credit bureaus, banks, management consulting and counseling firms and the list goes on.
These businesses are obligated to establish procedures to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of records or information which could result in substantial harm or inconvenience to any customer. And while GLB has been in effect for close to two decades, it would be naïve to believe that every medical facility, attorney, mortgage company, etc. complies with the act 100% of the time.
Regulations such as Gramm-Leach-Bliley, the California Consumer Privacy Act (CCPA), HIPAA, Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard all have one common message – keeping paper documents past their useful life is a liability. Improper disposal and the potential for unauthorized disclosure open up the originator to legal suits, due to breach of confidentiality.
As a result of such regulations (in addition to the fact that it just makes common sense), an increasing number of companies are turning to shredding services that provide locked bins and consoles to collect sensitive documents for transport back to the shredding company where they are destroyed. Some such services also offer on-site mobile shredding. As with any service partner, it’s always wise to conduct research before forming a relationship.
The need to defend against assaults on private information also extends to another form of “written” material – hard drives. Degaussing, a demagnetizing process to erase a hard drive or tape, is a slow and expensive process to accomplish correctly. Simple erasing or wiping of electronic media is no longer an acceptable method of securely obliterating stored data. Identity thieves can collect confidential information by mining it from discarded hard drives; even hard drives that are reformatted can often be restored using special software. Companies that dispose of sensitive, confidential data without using a secure method expose themselves to unnecessary risk and costly government fines. Even if it appears hard drives and other disposable media have been wiped clean, they may still hold information that could prove damaging if in the wrong hands. The sole guaranteed method to securely dispose of retired hard drives and tapes is to shred them into infinitesimal pieces. There exist a number of shredding service firms that, in addition to permanently destroying paper documents, can also destroy hard drives, tapes and other media containing sensitive information.
Threats to the security of any business or organization can overwhelmingly be traced to some sort of human error that is not intentional, but often due to a lack of or lapse in proper protocol training. As our methods of keeping records have migrated from paper to electronic, there has been less focus on paper trails…creating a boon for criminals knowing who, how and when to target. Don’t allow your company to be a victim of these offenders; destroy their efforts by properly destroying your valuable data. And, as many of you who are reading this article work in the IT field, one of the best pieces of advice you can offer your clients is that in addition to the IT and software solutions they employ to protect their infrastructure, they should never forget where stored information begins: on paper and on electronic devices. We all have a hand in helping our clients protect their information.
(Rick Carey is a Partner at Destruction.com, a Datasafe Information Security company.)