September 21, 2015

New confidential information legislation: why outsource to a secure document shredding company?

Governments have introduced new regulations governing the safety and use of Personally Identifiable Information (PII), with penalties for organizations that fail to protect it adequately.

Organizations must treat privacy as both a compliance issue and a business risk. Failing to comply with the new legislation can cause severe reputational damage, and the resulting privacy breaches can ultimately cost a business its customers.
Steve Durbin, managing director of the Information Security Forum (ISF), puts it this way: "Regulators and governments are trying to get involved," he says. "That's placing a bigger burden on organizations. They need to have resources in place to respond and they need to be aware of what's going on. If you've got in-house counsel, you're going to start making more use of them. If you don't, there's a cost."

Some of the privacy guidelines outlined by the Privacy Rights Clearinghouse are listed below (source: https://www.privacyrights.org/checklist-responsible-information-handling-practices#I).
Privacy Guidelines
Organisation for Economic Co-operation and Development, 2013

  1. Collection limitation principle.
  2. Data quality principle.
  3. Purpose specification principle.
  4. Use limitation principle.
  5. Security safeguards principle.
  6. Openness principle.
  7. Individual participation principle.
  8. Accountability principle.

Many organizations are either unfamiliar with these guidelines or apply some of them and not others. Yet the security of personally identifiable information, whether it is stored in electronic, paper, or micrographic form, is imperative for any business, so here are some common questions to ask about your data and network security:

  • Do you have staff specifically assigned to data security?

  • Do staff members participate in regular training programs to keep abreast of technical and legal issues?

  • Have you developed a security breach response plan in the event that your company or organization experiences a data breach?

  • Have you developed security guidelines for laptops and other portable computing devices when transported off-site?

  • Is physical access restricted to computer operations and paper/micrographic files that contain personally identifiable information?

  • Do you have procedures to prevent former employees from gaining access to computers and paper files?

  • Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?

  • Are filing cabinets containing sensitive information locked?  Are computers, laptops, and networks password protected?

  • Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?

  • Is encryption used to protect sensitive information (a particularly important measure when transmitting personally-identifiable information over the Internet)?

Personal customer information is subject to a number of laws that dictate privacy protections, safeguarding measures, and proper disposal. Sensitive customer or employee data should never be thrown in the trash or simply tossed in a recycling bin. Doing so can expose business owners to lawsuits from customers and to action by government regulators.

Companies should implement a records retention and disposal policy that ensures confidential information is safeguarded throughout its life cycle. The following questions, compiled from https://www.privacyrights.org/checklist-responsible-information-handling-practices, are useful to ask:
  • When disposing of paper documents, computers, diskettes, magnetic tapes, CD-ROMs, hard drives, memory sticks, motherboards, or any other media that contain personally identifiable information, have you selected a secure document destruction company that is NAID AAA Certified to destroy your material?

  • If you use third-party services for computer recycling or destruction, have you selected a service that provides a certificate of destruction? Does it dispose of toxic materials properly?

  • When disposing of waste and recycling paper, are all documents that contain personally identifiable information placed in secure padlocked containers or shredded? (Shredding should be cross-cut, diamond-cut, or confetti-cut shredding, not simply continuous [single-strip] shredding, which can be reconstructed.) Does your document destruction company certify its disposal/destruction methods?

  • When engaging an external business to destroy records or electronic media, do you check references? Do you insist on a signed contract spelling out the terms of the relationship? Do you visit the destruction site and require that a certificate of destruction be issued upon completion?

  • When engaging an external business to destroy records or electronic media, do you understand the advantages of on-site vs. off-site document destruction?

Implementing policies and procedures that reduce breaches of confidential information can be a key factor in customer and employee retention. Protecting personal information is not only the consumer's responsibility; under the new legislation it is the responsibility of the business as well.

Rock Solid Shredding provides customized paper and hard drive shredding services that help businesses comply with legislation while protecting their information.

Contact them at 501.940.9900 or fill out the Contact Form.
