Inconsistencies in secure information destruction policies and procedures have led to virtually every embarrassing data disposal incident. The shame of that fact—and the good news, too—is that, once identified, they are relatively easy to fix.
Inconsistency #1: Allowing Employee Discretion
No organization in its right mind would contemplate allowing front-line employees to write their own checks or to disable the company’s Internet firewall. But, as absurd as these notions sound, neither differs from granting every employee the discretion to determine what should or should not be destroyed.
By merely instructing employees to destroy information THEY consider confidential, the organization places its fate in their hands. A disastrous error could occur if the wrong items are selected for secure destruction while sensitive ones are left out. Numerous studies demonstrate the grave repercussions of data breaches (defined as any unauthorized access), including their devastating financial impact and the fact that they cause a significant number of businesses to fail.
Every piece of paper, such as letters, memos, reports, versions of correspondence, proposals, etc., may contain sensitive or confidential information. If a worker is given the option to dispose of these materials in the garbage, the recycle bin, or the destruction container, they may make the incorrect decision. The organization’s data security depends not only on their judgment but also on their mental state. Did they have a poor night’s sleep, are they inebriated, are they too sluggish, or are they dissatisfied? Or are they simply too preoccupied with their task to select the correct bin?
Multiple disposal paths for paper and electronic devices present more than just the risk of a data breach. They also undermine any future defense of the integrity of regulatory compliance and jeopardize legal protections for intellectual property. How can you assure the court that information was appropriately destroyed when every employee had the option not to destroy it?
Implementing a single “destruction-by-default” disposition policy that covers the disposal of all media is the solution to this dilemma. A growing number of companies already have. They have judiciously determined that the risk and cost of allowing employees to decide what is and is not destroyed are unreasonable.
Inconsistency #2: Treating Various Media Differently
Modern organizations store and send data using many media, including retained paper records (purged annually), incidental paper records (discarded daily), laptops and desktops, USB flash drives, memory cards, magnetic tapes, and some historic remnants of microfilm and microfiche, which are less prevalent today.
While they all contain regulated personal information and proprietary intellectual property, it is not uncommon that their disposal is overseen by disparate functional departments, each with its own understanding and priorities related to the need for (or how to achieve) the appropriate level of data security. This lack of a consistent approach—or consistent priority—can lead to a whole host of decisions that undermine data security and regulatory compliance, such as allowing entire categories of media to go unaddressed or the haphazard hiring of marginally capable vendors.
The solution is to have one data disposition policy and procedure that governs all media, and to centralize compliance monitoring in a single functional entity within the organization that is ultimately responsible for compliance.
Inconsistency #3: Variations in Disposal Practices by Satellite Offices and Remote Workers
Not surprisingly, it is common for an organization’s headquarters or large operations centers to have well-established secure data destruction policies and procedures. Because they are the epicenters of the organization’s leadership, generate material of high value and volume, and hold a generally high-profile standing within the organization, secure destruction of the information flowing from them is treated as a high priority.
Unfortunately, too often, this same high priority on proper information destruction does not filter out to the satellite offices and remote workers. So, while the headquarters has recognized the need for secure destruction, the sales offices, whether they are spread around the county or across the country, are doing something else, usually less and sometimes nothing. This inconsistency in information disposition practices has more recently been exacerbated in the aftermath of the COVID-19 pandemic, where a significant number of employees are working remotely. There is no shortage of studies and surveys showing that remote worker data security is a major issue and that many remote workers have been left to develop their own solutions.
From the organization’s perspective, developing consistency across satellite offices and remote workers boils down to providing clear direction. Aspirational or vague phrases like “securely destroy” or “prevent unauthorized access” should be replaced with explicit instructions and tools. An instruction might read, “Call this local firm to destroy the sensitive materials.” A tool might be a collection container or a prepaid shipping container for the return of IT assets.
Inconsistency Is More Insidious Than It Appears
It’s easy to see how the inconsistencies described above increase the possibility of a data breach. What is not so easy to see, however, is how those inconsistencies also undermine the veracity and integrity of an organization’s attempts to do the right thing.
For example, if headquarters goes to great lengths to protect personal information, the absence of the same practices at a remote office negates the whole effort. One could argue that it makes matters worse: the headquarters’ practices show that the firm clearly understood its obligation, which makes the absence of those practices elsewhere seem even more negligent.
The same could be said if purged paper records are securely destroyed but the daily flow of confidential paperwork is tossed in the trash.
So, remember, when it comes to information destruction, Consistency is King.