February 05, 2015
Workplace security experts must have been disheartened when they read the following response to a recent data breach at large health insurer Independence Blue Cross (IBC): “To reduce the risk of another such incident,” a company spokesperson said, “we no longer allow our maintenance team to dispose of full boxes (of reports) in the trash.”
According to Philly.com, maintenance workers were supposed to move four boxes of member records (containing private health information on 12,500 members) from one floor to another – but they threw it all out instead.
The incident underlines the importance of all kinds of information security in the workplace, and raises a number of questions.
Do companies not realize that "old-fashioned" data breaches still occur? While the media focuses so much attention on electronic data breaches, the physical theft of information is still a huge problem too. In an article posted at Infosecurity Magazine in 2012, Larry Ponemon of the Ponemon Institute said a lot of organizations focus almost entirely on electronic data. “All the other information in printed form doesn't get the attention of security people anymore.” Research showed that traditional paper-based fraud accounted for 15.2% of breaches.
Why are insurance records being put in the trash? The IBC records contained names, addresses, member identification numbers, health care plans and group numbers of members, and that’s exactly the kind of information that insider fraudsters and dumpster divers are looking to steal. According to Shred-it’s 2014 State of the Industry report, 91% of U.S. businesses don’t dispose of confidential material regularly. Confidential information should never be put into open recycling bins, trash cans or garbage bins. Instead, there should be locked consoles in the workplace that securely hold documents until they can be destroyed. Shredding is recommended so there’s nothing left to steal.
Why are maintenance people handling confidential information? “There’s a huge amount of damage that can be done by having access to paper documents and files,” Ponemon said in the Infosecurity article. Access to confidential information should be limited and controlled: employees should have access only to the information they need in order to do their job.
What about privacy laws? Different privacy laws are in place to protect personally identifiable information. In the health industry, most healthcare insurance companies and providers come under the Health Insurance Portability and Accountability Act (HIPAA) regulations. Secure disposal of protected health information (PHI) in all forms is a requirement. Companies should partner with a knowledgeable shredding company that provides a secure chain of custody with locked consoles, security-trained personnel and a certificate of destruction after every shred.
Why isn’t a security policy in place? A corporate information security policy helps to create a culture of security and provides policies and procedures so employees know how to protect information. For example, a comprehensive document management policy protects confidential documents in storage and also when they are no longer needed. All information should be securely destroyed and then recycled.
Are paper documents in your workplace secure? Check this office security infographic for the five most vulnerable areas and security safeguards that will make a difference.