August 10, 2017
There should be a standard process for the secure destruction of sensitive documents in every workplace today.
But there isn’t always.
The 2017 State of the Industry Report by Shred-it revealed that 39% of SBOs, for example, have no policy for paper document disposal. Only 13% have a locked console in the office provided by a professional shredding service.
What likely happens instead is that documents that are no longer needed are tossed into the office recycling bin.
But while recycling is an important green initiative, standard recycling doesn’t provide information security.
Here’s what a secure document destruction process looks like… and how it compares to basic office recycling.
EMPLOYEE TRAINING: In a protected workplace, the workforce receives ongoing training on privacy laws. A corporate security policy spells out that documents containing personal information (i.e., name, address, and account numbers) must be protected from creation to disposal. Less obvious documents that need to be protected are identified too, including resumes, applications, pay stubs, shipping labels, agendas, and Post-it notes. A Shred-it All Policy is recommended so all documents are securely destroyed. Basic recycling: Any document that is no longer needed is earmarked for the recycling bin. According to the Shred-it report, some people think tearing paper into smaller pieces will protect confidential information. But torn-up pages can be reassembled, and this is not efficient for bulk destruction.
DISPOSAL: Documents are dropped into a secure console conveniently located in the workplace. Consoles, which are provided by the document destruction partner, are locked and have beveled slots so that documents cannot be retrieved. Basic recycling: Documents are tossed into a common open recycling bin. Anyone walking through the office can see documents and physically remove them or take a photograph, potentially resulting in a data breach. According to the 2017 Cost of Data Breach Study, 52% of breaches in the United States are due to hackers and criminal insiders.
TRANSPORT: Security-trained professionals come to the workplace regularly to empty consoles and securely transport paper to either a shredding truck parked on-site or a secure facility where documents are shredded within 48 hours. Materials are never left exposed. Basic recycling: A janitor empties recycling containers into large clear bags and puts them into a larger bin outside. At some point, the intact documents are loaded onto a truck and taken to a sorting facility. There are no security checkpoints, and information is exposed inside and outside of the office.
DESTRUCTION: Documents are fed into an industrial shredding machine and shredded into confetti-like pieces. Shred-it uses proprietary crosscut shredding technology. If shredding is done on-site, the pieces are sent for bundling; at the shredding facility, pieces are bundled together. Basic recycling: There is no secure destruction process. Documents are sorted and prepped for recycling, and are often left exposed in warehouses as they wait to be destroyed.
PROOF: The document destruction company issues a Certificate of Destruction after every shred. It is a guarantee and proof that materials have been securely destroyed. Basic recycling: There is no verification that documents are secure - a potential gap for some privacy law requirements.
RECYCLING: Securely destroyed, bundled paper is sent to a partner facility for recycling. Basic recycling: Destroyed documents are placed in the blue bin.