To Shred or Not to Shred -- The Paper Trail Of Data Breaches
I would not want to be a financial institution in the state of Texas these days. Texas Attorney General Greg Abbott has started aggressively enforcing two Texas identity theft laws.
Financial institutions are just like every other business: they produce mounds of paper and trash. What financial institutions often forget is that financial trash can be considerably more revealing (and valuable) than that of, say, an auto repair shop or other business.
While recent headlines have covered the myriad stories of electronic data breaches in which the personal information of millions of customers was stolen, the loss of paper copies of similarly valuable information is, most regrettably, pushed aside.
Your financial institution’s paper records contain the information that every criminal wants: account numbers, names, addresses, social security numbers. Protecting these paper records and properly destroying the copies you no longer need is something you’ll find can be done easily and quickly.
Texas AG Abbott has taken legal action this year against five companies (so far none are banks or credit unions) that were found to be improperly disposing of customer information and placing those customers’ identities in harm’s way. What would be the worst case that my institution would face, you ask? How about paying fines as large as $500 per unprotected record under the new law? (This makes for a convenient price tag you can put on every single page you’re not shredding before it leaves your building, especially if you reside in Texas.) While other states don’t have the hefty penalties that Texas has, you may expect it in the future.
What will come out of these Texas cases? Hopefully these poster children for bad record disposal will not pay in vain. Does your information security department have a written policy on the disposal of printed information? Every institution has a duty to protect these records and dispose of them properly.
Educate your employees on the risks associated with improper disposal. Do they know where the secured disposal bins or shredders are located?
Train everyone at your institution on how to handle paper destruction. Would they know how to shred it the right way? Walk your employees through the process.
If the proper disposal of all sensitive documents is overwhelming, consider outsourcing with a company that specializes in data destruction.
Know what the institution has accomplished. By auditing the procedures, an institution will be better prepared to keep any paper from leaving the building. If there are computer media (CDs, tapes or floppy discs), attention to their proper disposal will also be part of the audit procedure.
Paper records are still the mainstay of many “dumpster divers” or identity thieves who pick through unshredded paper documents left out in the trash. Identity thieves hate businesses that put out bags of shredded paper. Just think: every piece of paper being shredded is potentially saving you the money your institution would have to spend on legal fees, penalties and loss of customers. And finally, think of how much those dumpster divers will despise you.