Recycling records might not provide enough security
Some business sectors face hefty fines for not disposing of materials as required
Patrick DeVriesRobert JohnsonFebruary 14th, 2013
While recycling office paper and discarded computer equipment is a noble cause, increasing liabilities and dangers make the secure destruction of information an imperative that deserves the same importance as recycling.
Up until a few years ago, the attention on environmental issues regarding paper and computer disposal was centered primarily on the environment. However, with new fines for improper disposal of personal data reaching an all-time high and mandatory fines for discarding undestroyed data pending, information protection has taken on an equal, if not higher, significance. These new laws and fines make no distinction between information on paper or computers. It all has to be properly destroyed to achieve compliance.
The U.S. now has a number of data protection laws mandating far more security than can be achieved by simple recycling.
The safeguard's provisions of Gramm-Leach-Bliley require the proper disposal of financial information. The Fair and Accurate Credit Transaction Act contains a provision called the Final Disposal Rule, requiring the destruction of consumer information prior to disposal. Regulation S-P, issued by the Securities and Exchange Commission, requires equity traders and investment professionals to properly destroy discarded client information. And, finally, the Health Insurance Portability and Accountability Act was recently amended by the Health Information Technology for Economic and Clinical Health Act to include a mandatory fine structure.
The U.S. Department of Health and Human Services used the example of an improperly discarded hard drive containing personal information as an example of a disposal violation that would be considered among those deserving the most severe mandatory fines. Among the more recent data disposal cases getting businesses' attention were a medical clinic outside Houston that was fined $990,000, a hospital near Detroit that was fined $1 million, and pharmacy chain CVS that was fined $2.25 million. All fines were for the improper disposal of information.
Remember, not long ago, there had been little to no penalties for improper information disposal.
Not all new fines are so dramatically high. Businesses ranging from insurance companies to health clubs to mortgage brokers across the country are incurring fines anywhere from $10,000 to $50,000 for improperly discarding undestroyed records or computer hard drives.
In addition to federal regulations, both Washington and Oregon already have their own laws requiring the destruction of all discarded personal information prior to disposal.
In Washington, the law stipulates that all organizations "must take all reasonable steps to destroy, or arrange for the destruction of, personal, financial and health information and personal identification numbers issued by government entities in an individual's records within its custody or control when the entity is disposing of records that it will no longer retain."
In Oregon, the law requires a business to irrevocably destroy or erase any media that's no longer required by law or regulation, so the information cannot by read or reconstructed.
Keep in mind that these laws apply to a discarded phone message or memo as much as they apply to formally stored records. Paper trash is one of the largest components of office waste and represents what may be the largest vulnerability to businesses.
While computers are contributing to the recent decrease in office paper consumption, they and their electronic cousins have created their own environmental concerns.
Annually, U.S. businesses discard tens of millions of computers and other electronic components. Households will discard as many or more personal electronics, from smart phones to televisions. Further, because businesses and individuals often don't know how to best dispose of such equipment, they are hoarding old computers and other electronics in everything from closets to warehouses.
The concern is that, out of frustration and necessity, that equipment will be precipitously discarded into landfills where it could contaminate groundwater and wreak other environmental havoc.
As a result of both the massive amount of electronic equipment and government incentives, a large electronics recycling industry has been steadily growing over the last decade. Unfortunately, this has come with its own set of issues, one of which is the unethical and often illegal shipment of old electronics to third-world nations, where they are stripped of their value before being improperly discarded.
Along the way, children and impoverished adults are often exposed to the environmental hazards, first as they process the equipment and then later as it is buried or burned near their homes. The U.S. Environmental Protection Agency and many states, including Washington and Oregon, have passed laws requiring the environmentally responsible disposal of discarded electronics.
A reasonable approach
There are two simple steps that, if taken properly, effectively insulate organizations from data protection regulatory troubles. First, ensure any contractors hired to help with destruction have the appropriate security, and second, properly train employees on the organization's data destruction training program.
With all these changes in data protection laws and the resulting fines, it's understandable that organizations are increasingly taking their data protection requirements as seriously as their environmental responsibilities. This is most obviously seen in the dramatic increase in the number of companies offering environmentally friendly secure data destruction services.
The National Association for Information Destruction (NAID), an international industry trade group, estimates a 10-fold increase during the last decade in the number of secure destruction services that offer paper shredding and computer recycling.
And while regulators understand that outsourcing is usually the most secure and economical way to destroy discarded information, they also realized that the increased demand their laws have created could attract opportunists incapable of or unwilling to provide the proper level of security.
As NAID President Scott Fasken put it, "It's now illegal to simply select a data destruction company based on price alone. Customers need to show they put some care into the selection process to make sure the company meets appropriate standards."
Fasken is correct. If an organization doesn't make an attempt to ensure that the destruction service has adequate security standards, it would be in violation of the regulations.
The first way companies can insulate themselves from regulatory problems is to demonstrate the appropriate level of security in their service provider selection process. The second way is to make sure they train their employees on the importance of complying with the organization's data destruction program.
The disposal of confidential information in the form of office waste paper, stored records, and retired computers is inevitable. For better or worse, such disposal also has risks. Thanks to the reasonable expectations of regulators and the growing availability of properly qualified service providers, there is a solution that diminishes the risk by protecting both the environment and the data with which you have been entrusted.