Is shredding necessary?
We all want to do the right thing with the information we are responsible for. Both employees and owners have important information pass through their hands, but it is not always clear how that information should be handled. When documents are no longer needed, should you just throw them in the trash or securely shred them? Is shredding required at all, or is it merely a suggestion? Here we explore this question by looking at legal guidelines, ethical obligations and best practices for disposing of paper documents.
In the United States, there is no comprehensive privacy and information security law at the federal level. Instead, there are various acts governing the disposal of specific types of information, along with state and industry-specific regulations. Keep in mind that even where no criminal proceeding applies, there may still be an avenue for civil proceedings if information is shown to have been mishandled. Here we briefly outline some policy examples.
Fair and Accurate Credit Transactions Act (FACTA)
FACTA is a federal law mainly affecting the financial sector. It was written to give consumers more insight into and control over their credit report information. The main focus of this act is the use and disposal of information derived from a credit report. For this article, we are concerned with Sec. 216, commonly referred to as the FACTA disposal rule. This section requires the secure disposal of any information derived from a consumer credit report for a business purpose.
The act does not specify that documents must be shredded, only that they be “properly dispose[d] of.” However, the Federal Trade Commission (FTC) has expounded on the rule, explaining that it “requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report.” The FTC also clarifies that “reasonable measures for disposing of … information could include … policies to: burn, pulverize, or shred papers … so that the information cannot be read or reconstructed.” While FACTA largely impacts the financial sector, any business that collects or holds information obtained from consumer credit reports falls under its jurisdiction.
Texas Information Disposal Act (IDA) H.B. 698
This is an example of a state law legislating how information is disposed of by businesses within that state. In Texas, the IDA is not especially well known, but it does carry the potential for both financial and civil penalties. This law focuses on businesses holding documents that contain personally identifying information (PII). We will talk more about PII in the next section, but for now it is simply information that can be used to identify you as an individual. The IDA requires that this information be securely disposed of, which it defines as rendering the documents unreadable and undecipherable by “shredding, erasing, or other means.”
The standard of reasonability is not a law or policy, but it is a widely accepted legal standard. While policies can shift greatly across state borders and industries, the standard of reasonability is more universal. Meeting this standard simply means you can demonstrate that your organization took reasonable measures to protect information. This standard is common in both criminal and civil proceedings. Some of the keys to proving reasonability are: written policies for secure information disposal, documented employee training, and documentation showing regular, secure disposal. To learn more about how you can protect your company, consult legal counsel.
Beyond legal policies, there are also ethical considerations when exploring whether shredding is necessary. Failure to meet ethical standards can destroy your company’s reputation and lead to lawsuits. There are two main ethical obligations regarding information disposal: protecting the PII of both employees and consumers, and protecting business-critical information.
Protecting personally identifying information
One of the biggest ethical considerations is protecting the personally identifying information (PII) of both your consumers and your employees. This may sound straightforward, but there is no universally accepted definition of what constitutes PII. To give you an idea, below are two different lists of PII examples. One is a list DSS commonly provides; the other is taken directly from the Texas IDA.
List 1 (from DSS)
- Full names
- Birth dates
- Phone numbers
- Employment information
- Employer ID number
- Passport information
- Medical information
- Bank / Financial information
- Credit card information
- Electronic / digital account information
- School ID numbers
- Social security numbers
This list is not comprehensive; it is simply meant to illustrate the types of information that could be considered PII. The Texas IDA defines PII as an individual’s first name or initial and last name in combination with any of the following:
List 2 (from IDA)
- Date of birth
- Social security number
- Government ID number
- Mother’s maiden name
- Fingerprint data
- Retina or iris image
- Address / routing code
- Debit / credit card information
- Financial institution account number
- Other financial information
There is clearly a lot of overlap between these two lists, but there are distinct differences. Each jurisdiction may define PII in a different way.
Protecting business critical information
While businesses should protect their employees and consumers, there is also an ethical burden on employees to safeguard the interests of their employer by protecting business-critical information. This is information that is necessary for the functioning of your business, or that could cause harm if it fell into the hands of a criminal or competitor. What counts as business-critical will vary from organization to organization, but some examples include: finance reports, financial projections, trade secrets, and intellectual property.
Since the legal and ethical requirements are not always 100% clear, there are several best practices we recommend. Keep in mind that it is always better to be safe than sorry. By this we mean it is generally better to follow a stricter standard than is absolutely necessary than to risk legal and civil liabilities later on.
- DO NOT leave individual employees to decide which information is important enough to shred and which isn’t. This should not be a matter of personal opinion or judgement.
- DO have written policies on which documents must be securely disposed of and the correct process for that disposal.
- DO keep a record of regular document destruction procedures. For instance, record whether documents are shredded every month, quarter or year.
- DO NOT rely on an office shredder for secure destruction. There are several dangers and pitfalls associated with office shredders.
- DO conduct regular training sessions with employees to review document destruction procedures. Keep records of each training session and a list of attendees.
- DO consult an attorney on the specific policies and practices needed to protect your business.
- DO choose a shredding service provider that will also responsibly recycle your paper after it has been shredded.