Businesses serve the needs of their clients, and they do so through the efficient and secure collection and use of the information needed to provide goods and services. This information is often confidential and sensitive. Protecting it while it is needed, and securely destroying it when it is no longer needed, is both an ethical and a legal obligation.
Every business has the responsibility to protect its clients, its employees and itself by ensuring the security of the information under its control.
Beyond the personal responsibility is the legal responsibility. Federal laws such as FACTA, the Red Flag Rule, the FACTA Disposal Rule, the FTC Safeguards Rule, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Financial Services Modernization Act, the Identity Theft Penalty Enhancement Act, the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act) share common requirements for information security and destruction. They are summarized as follows:
• Develop and implement a Written Information Security Plan
• The plan must include an Information Disposal Policy
1. Destruction must be by shredding, burning or pulverizing
2. Electronic files must be destroyed by physical destruction or by erasure methods
3. Perform due diligence when hiring a document destruction vendor, or hire a vendor certified by a recognized trade association
• Train all employees
1. Have employees sign an agreement to follow the company’s policy
2. Regularly remind and retrain employees on the company’s policy
3. Impose disciplinary measures for violations
• Monitor and test the plan
• Evaluate, adjust and update the plan
• Document all information destruction
• Advise all employees of any changes or adjustments to the plan
You must be able to prove your compliance. Your plan must be fully documented and available to Federal or State agencies when requested.
What next?
First and foremost, recognize information security as a priority.
Second, designate someone to be in charge of information security. This individual should hold a senior level of authority and be responsible for the information security aspects of the organization’s programs, policies and any new initiatives.
Third, find a document destruction vendor that is certified to assist you with development and implementation of a Written Information Destruction Plan.
Fourth, develop appropriate policies and procedures to safeguard the information. Be aware of Federal and State requirements.
Fifth, give your information security officer the authority to oversee the implementation of, and compliance with, the written information security policies.
Sixth, train all staff members. Ensure that all staff are re-trained periodically on your policies and on best practices for protecting information.
Seventh, hire a qualified document destruction vendor that has been certified by a nationally recognized trade organization (NAID, the National Association for Information Destruction).