January 26, 2010

Shred-it and The Privacy Projects call on organizations to protect customer privacy

Organizations celebrate International Data Privacy Day (www.dataprivacyday2010.org) to raise awareness of privacy challenges and promote information security best practices

TORONTO, Ontario – January 26, 2010 – Shred-it and The Privacy Projects have joined forces to promote International Data Privacy Day to help educate organizations on how they can protect the privacy of their customers’ information. With support from Intel, Microsoft, Google, AT&T and LexisNexis, and over 50 additional companies, universities and privacy professionals, Data Privacy Day events and activities are occurring across the US and Canada on and around January 28, 2010.

Data Privacy Day (www.dataprivacyday2010.org) is an International celebration of the dignity of the individual expressed through personal information. It brings together advocates from businesses, governments, academics and not-for-profit organizations to promote the privacy cause in the United States, Canada and Europe.

“Shred-it is proud to support Data Privacy Day, and to send a message to organizations across North America that it is imperative for them to help protect their customers’ and employees’ privacy,” says Vincent R. De Palma, President and CEO at Shred-it, an Information Security company that provides secure document destruction services worldwide. “Organizations need to be aware that some of the highest-impact security breaches, which may lead to cases of identity theft and fraud, originate within companies themselves. We urge business leaders to adopt adequate document security measures to protect themselves and their clients against such incidents.”

“The information economy creates both new opportunities and new challenges. Our personal profiles are increasingly stored and shared by multiple organizations, online and offline,” says Richard Purcell, executive director of The Privacy Projects (www.theprivacyprojects.org), a non-profit research institute and the coordinating sponsor of Data Privacy Day 2010. “Ensuring organizations from various industries are on board to understand and address these challenges is an important step forward.”

According to Shred-it, common security challenges that organizations face include:

- Lack of comprehensive information security strategies and policies.

- Lack of employee security awareness and lack of a security culture.

- Policy implementation challenges: employees not following established information security policies, misinterpreting them or misapplying them.

- Employee negligence or wrongdoing: employees sharing confidential documents with unauthorized parties, storing them in unsecured spaces or disposing of them in an unsecure manner (in ordinary garbage or blue recycling bins).

- Chain-of-custody challenges: documents misdirected, lost or stolen en route to the document destruction location (particularly when documents are destroyed off-site).

Based on the Ponemon Institute’s July 2009 report, 85 percent of US organizations have experienced at least one data breach over the previous 12 months.

Breaches are also widespread in Canada, where, in 2008, an estimated 17 percent of organizations were affected by so-called “insider” security breaches alone, according to a recent study conducted by TELUS and the University of Toronto’s Rotman School of Management. That number jumped to 36 per cent in 2009.

Based on its 20-plus years of experience providing information security solutions to business, government and non-profit clients around the world, Shred-it has the following tips for organizational decision-makers to help them protect the privacy and security of their customers’ personal information:

- Conduct a formal information security audit, listing all potential risks that may threaten the security of organizations’ confidential information, and, subsequently, their customers’ information.

- Examine the lifecycle of documents produced by an organization, from data generation and storage to data transfer and document destruction; analyze both electronic and paper-based sources.

- Create a comprehensive information security strategy, including security policies that govern the issues of information security across all units of an organization and are compliant with national identity theft and privacy legislation.

- Only collect essential customer data and do not store it longer than necessary.

- Restrict internal access to sensitive customer information to key personnel.

- Train staff in secure document management and destruction; implement “shred-all” policies, making sure all paper documents are securely destroyed on a regular basis, following a stringent chain-of-custody process.

- Build an organizational culture that values and respects confidentiality and privacy.

More information about how organizations can protect the privacy of their customers is available at: www.shredit.com/data-privacy.asp. More information about Data Privacy Day can be found at www.dataprivacyday.org.