Document shredding: the why and the how
Tim McBride serves as the Vice President and General Manager of Secure Destruction Services for Recall North America. He is focused on driving improvements in safety, security, service and efficiencies, and is responsible for exploring potential new opportunities and emerging technologies within this service line. In this interview he talks about the practice and requirements of document shredding, and the risks of doing it wrong.
Everybody who has ever worked in an office is familiar with those relatively small paper shredding machines. What other types are there? Is there a “right” and “wrong” way to shred paper documents?
There are numerous commercial shred options to choose from including strip shred and cross-cut, however the best way to protect your organization is to utilize a professional third party Secure Destruction provider with a closed loop chain of custody process in place with stringent controls that provide “end-to-end” security. Knowing a document’s lifecycle, from creation to destruction, is the first step to a fully functional records program. Establishing what each document is and where it is located will minimize the legal risk, regulatory compliance risk and annual expense of data management and storage.
Is shredding of confidential documents mandated by law for some entities in the U.S.? If yes, which ones? Is the manner in which it has to be executed regulated by law?
The Federal Government has specific compliance standards in place which is also true in Canada. As compliance laws and regulations evolve, company policies need to stay on top of the changes. Written data security programs and plans should be administered and re-evaluated and it is important to view your policies as a living document, not a list of laws set in stone.
Although certain government agencies do have shred size particle specification requirements (some of which require NAID Certification), they are not dictated by law but rather by internal policy. Regardless of an organization’s mission, securing and managing critical documents must be a top priority across every department. The goals to keep in mind are keeping mission critical information protected from unauthorized access and destroying physical documents so that they are unreadable and unrestructable. Further impacting the need for security are the many regulations that require the storage and security of important documents such as HIPAA and HITECH (health care), Sarbanes-Oxley and GLBA (public companies, financial institutions) and individual state regulations.
What are the security implications of improperly shredded documents? Can documents be recreated? If so, how easy is it do it? Are there companies that legally offer this recreation service?
Security implications are significant. Identity theft, corporate espionage and dumpster diving are rampant. Documents can certainly be reconstructed via multiple methods (i.e. manual processes), and there is even software available that boasts this capability as well. However, the effort and investment of implementing an enforcement strategy to any Records and Information Management program pales in comparison to the cost of having to replace lost documents or mounting legal defenses as a result of improperly/not properly securing information.
How are the shredded remains of documents disposed of safely? Does some of it get recycled?
After a document’s lifecycle has run its course, it must be properly destroyed. There are countless ways to improperly do away with obsolete physical and digital documents, and the end result can be catastrophic. Knowing who is responsible for handling, transporting and destroying is critical to avoiding the nightmares associated with improperly discarded documents. As mentioned before, I would strongly recommend use of professional third party Secure Destruction providers to ensure a closed loop chain of custody process, secure vehicles & facilities, along with industrial shred equipment. The majority of material, particularly paper, is indeed recycled but it is important to note that the transport of the shredded material must be secure up to the time it is delivered to a mill and de-inked and re-pulped.
There has recently been an incident involving shredded confidential documents belonging to Nassau County Police Department being showered down on spectators of Macy’s annual Thanksgiving Day Parade in New York. Since then, there has been no official explanation on how that was allowed to happen. Have you followed the situation and know the answer to that question? If not, how do you think this incident may have happened?
We have absolutely followed this incident and while it has not been made public as to how this occurred, my educated guess would be that the material was shredded but was not sent to a paper mill to be properly and securely recycled. It is critical that any organization has a complete understanding of what will happen with its confidential material after it has been shredded, which doesn’t necessarily mean it has been securely destroyed. Because information comes in so many forms today, keeping documents secure is infinitely more challenging than it once was. However, failure to protect critical information places a business’s financial livelihood and reputation at stake. The phrase “security breach” can be defined in a number of ways in today’s business environment, but knowing what files you have, where they are located and the information those files contain helps to drastically reduce the risk of critical information being altered without detection.