By Todd Myers
Published in the February 2006 issue of Today’s Facility Manager
Volatile climates have sparked significant action in terms of document management. Governments and regulators around the world expect companies to take responsibility for ensuring the security of their own information as well as that of their customers, employees, and suppliers.
In the U.S. alone, there are several federal laws that impact document management. These include the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act (SOX), the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA), and USA Patriot Act. Furthermore, more than 20 states have enacted their own laws, which impact confidential information in virtually every industry and add further restrictions or penalties for companies who fail to comply.
Disposing of documents in the trash or storing them in vulnerable locations is no longer an acceptable practice. In fact, business espionage professionals consider trash as the single most available source of competitive and private business information.
Any organization that stores private and proprietary data insecurely or discards it without destroying it is exposed to the risk of criminal and civil prosecution—as well as the loss of business. It comes as no surprise then, that in a survey conducted by The Conference Board, top executives from 300 companies ranked the security of company records as one of the top five critical issues facing business today.
Yet, despite stern warnings, legislation, increasing consumer awareness, and the threat of legal action, businesses fall victim to corporate espionage and identity theft every day. According to Dun’s Review, corporate espionage costs U.S. businesses more than $7 billion annually. Fortunately, a well managed document destruction and records management system can help keep vital information secure.
Secure Destruction
There are various document destruction options for facility managers to consider, but the primary goal must be the creation of a secure chain of custody. Whether using a do-it-yourself approach on premises, contracting out to a recycler, or hiring an on-site destruction service, the company must take responsibility for the protection of information.
When considering a service provider, facility managers should examine the options carefully to determine the best fit for the company’s needs. They should look for a provider who can offer customized solutions to meet their needs.
Asking questions is part of this process. It is important to ensure that if the company is contracting out any part of the destruction process, such as pick up, shredding, baling, or recycling, it is done securely. When choosing between on-site and off-site services, facility managers must consider how the information is being handled and by whom.
In general, a properly managed on-site document destruction system provides secure and reliable handling of information. This system can protect information by maintaining a short and secure chain of custody. All materials remain on the company’s premises until they are moved to a waiting shredding truck for immediate destruction.
Because off-site destruction typically involves shipping and storage of documents and proprietary data in their original form, the transporting, sorting, and shredding processes will likely involve a number of people. Unfortunately, some of these people may not be bonded, insured, or properly trained in security protocols, which could result in a longer, less secure chain of custody.
Facility managers should check whether or not the document destruction company provides the following:
- appropriate bonding levels for all agents;
- secure storage containers on the premises;
- documents are destroyed securely behind locked doors;
- shredded material cannot be reconstructed;
- the ability to shred more than just paper (CDs, DVDs, floppy disks, tapes, etc.);
- bales and recycles material and does not subcontract to a third party; and
- a certificate of destruction.
Shredding And Recycling
Another consideration when choosing a document destruction service is recycling. For obvious reasons, shredding paper before reuse is highly recommended.
The environmental benefits of a recycling program are far reaching. According to industry estimates, in addition to saving hundreds of trees, every ton of recycled paper uses 64% less energy and 50% less water, and causes 74% less air pollution than the same quantity of paper made from virgin wood pulp.
Options for shredded paper include:
- Packing material,
- Animal bedding, and
- Compost (Mix two parts paper with one part grass in a compost pile).
Keeping Records Safe
When a company needs to keep documents due to legislation or some other requirement, security is critical. Storing documents in unsecured areas or in unlocked boxes or filing cabinets on the premises is an invitation to problems.
Once documents are removed from the office environment, they are outside the chain of custody and can be easily lost, stolen, or damaged. Even locked storage areas do not provide the long-term security necessary to meet some regulatory guidelines.
Many facilities simply do not have the resources—human or financial—to protect document storage areas as required by law. Furthermore, if documents stored on-site are damaged or destroyed in an event such as a fire or flood, business recovery may be difficult—or even impossible. Storing records off-site has many advantages in addition to complying with government regulations, including freeing up valuable building space and reducing liability due to theft or damage.
When deciding where to store information, facility managers should take several factors into account, such as the type of information (financial or health, for example), the need for regular access, and the security of the storage facility.
For instance, the HIPAA law requires health care organizations to “maintain reasonable and appropriate technical and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” Fines and penalties for HIPAA can be as high as $2,500 per violation. The Sarbanes-Oxley Act stipulates that all publicly traded companies have a formal document management policy in place. (Information about legislation is available online at www.shredit.com/privacy.asp.)
When selecting a records management company, facility managers should keep in mind that documents and records must be protected from the time the service provider is entrusted with them to the time they are authorized for destruction. It is important to ensure that a records management company’s facilities meet the highest security standards and that its representatives are trained in security measures. This will guarantee the records are safe throughout the chain of custody.
Access to records when they are needed is another important consideration. A company that can provide geographic proximity to, or quick delivery of, stored material should take priority. The service provider should be able to assess a company’s current storage needs and consider industry standards in order to recommend a program that will ensure the security and accessibility of the information being stored.
Important value-added services can be provided by a records management company that may be too costly and impractical with on-site storage. These services include:
- packing and repacking records;
- indexing and cataloging;
- auditing;
- purging;
- file shuffling; and
- scanning and duplicating.
Finally, facility managers should consider choosing a company that is a member of a professional association such as the National Association for Information Destruction (NIAD), the Association of Records Managers and Administrators (ARMA), or Professional Records & Information Services Management (PRISM). These organizations provide ethical service standards within their industries.
There is too much at stake to leave the destruction of documents to chance. Secure document management should be a critical function in every business operation.
Myers is vice president and general manager with SECURIT Records Management in Toronto, ON. He is responsible for all aspects of the business including customer service, operations, and sales. Myers joined the company in 2004, bringing expertise in profit and loss management and 12 years of experience in the records management business.