As a consumer, I think about how my information may still reside with a tax preparer or doctor that I have not done business with in 10 years, especially when I read stories of a data breach because of inactive customer information being stolen from an insecure environment.
Businesses, especially small to medium-sized businesses, need to incorporate a formal document retention and destruction policy. Next, communicate your policy to employees so they understand their responsibility in safeguarding customer information, and to customers so that they have confidence in conducting business with you.
High-profile data breach events are just one part of the identity-theft epidemic in the United States. Your past business relationships, where your personal information still resides, are another high-risk factor.
For example, how many of you have worked for the same company your entire life? I suspect very few of you have had only one job. Think about all of the personal information we have left with our past employers including name, address, Social Security number, driver’s license and even bank account information (for direct deposit).
And it’s not only past employers, but also their vendors, such as health insurance, dental insurance and supplemental insurance companies, along with payroll services and others where your personal information and even the personal information of your family have been used.
But there is more. Think of any past relationship, including every doctor, dentist, tax-preparation service, auto dealer, bank, school, mortgage broker, student loan servicer and any organization to which we have submitted personal information. Ask yourself, where is your sensitive information being stored today, how is it being secured, and what are the document retention and destruction policies of these organizations?
A great resource for business owners is ARMA International, a non-profit professional association and authority on managing records and information. ARMA developed and published principles to foster general awareness of information governance standards.
You can learn more about ARMA’s “Generally Accepted Recordkeeping Principles,” which detail how to properly retain information as organizations are creating and storing more information than ever before, mostly in electronic form.
In addition to document retention, the shredding of documents containing sensitive employee and customer information has become a high priority because of identity theft, data breaches and stolen trade secrets and client information.
Here are some basic shredding tips that your business should include in its information security and governance best practices:
- Document destruction services: Choose a company that knows state and federal laws governing storage and destruction of documents. It is important to understand the difference between hard-copy document and electronic document requirements.
- Choose the right shredder: A cross-cut shredder (versus a standard shredder that simply shreds documents into long horizontal strips, some so wide that you can still make out individual words) cuts the paper from two directions and makes it much harder for someone to reconstruct the document.
- Document destruction compliance is the law: The state and federal regulatory environment regarding information security and governance, including document destruction, will be enforced with fines and penalties that could negatively impact your business.
Mark’s most important: Identity theft and data breach can bring a business down. Review and update your document retention and destruction policy each year and communicate your policy to employees and customers.
Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., an ID theft-background screening company based in Phoenix. Contact him at email@example.com.