Protecting Privacy is more than a Paper Shredder

The consequences for a privacy or information security breach can be devastating to enterprises in terms of hard and soft costs. I have been told more than once by leaders of both large and small enterprises that they purchased a paper shredder and that performing privacy and information security risk assessment is no longer necessary.  Really?

An identity theft, privacy and information security risk assessment may cover 50 or more critical points depending on the size and type of enterprise.  Each point may have a host of solutions, one or more being “reasonable and appropriate” for the business, not-for-profit or local governmental entity, depending on its size and the type of information collected.

Shredding paper is just one!   Not one of the 50, but one of three solutions to how sensitive paper information may be destroyed before disposal.   You may find that pulverizing or incineration may be more appropriate for your risks.  For better work flow and ease of destruction and security, you may decide on having an outside service take care of your information disposal needs.  Are they certified, and what type of legally defensible documentation do they provide you for your legal chain of custody; that is, your proof that the information you possessed was disposed of properly and in such a manner that your enterprise is not legally responsible?

What governs how your enterprise disposes of information?  Both Federal and State Laws.

Who do they apply to?  Any enterprise that has employees or customers!

Doesn’t that mean all of us?  The laws even apply to certain individuals who may have neither.  A common example of an individual covered by the Federal Law governing the collection and disposal of sensitive information is the “accidental landlord.”  This is the family that rents the other half of a duplex they own and live in.

Having a paper shredder but not training employees on what must be shredded is as bad as not having a shredder.  The laws also mandate written procedures for information destruction and employee training on the procedures. Training records must be maintained or you will be perceived as not having trained your employees on the procedures.   So a paper shredder without proper documentation and employee training is about the same as __________.

That’s right,  NO PAPER SHREDDER.

What about the proper disposal of electronic media like disks, tapes, and hard drives?  These too have federally mandated protocols for disposal.

Yes, protecting consumer privacy and minimizing enterprise liability is more than buying a paper shredder.  Shredding paper is one of 50 critical risk assessment points.  That’s information destruction in a nutshell or more appropriately a blogshell.
