Chapter 12

Compliant Destruction

In This Chapter

Determining how to destroy information

Examining in-house and outsourced shredding

Choosing the right vendor

Creating an information destruction policy

Records and information should be retained in accordance with the organization’s retention schedule and hold orders. However, when the retention period of a record (or other information) has expired, and it’s no longer subject to any holds, it should be scheduled for destruction.

It’s important to understand how to appropriately destroy information. Consumer and privacy laws now make the proper destruction of some information mandatory. In this chapter, I walk you through the various destruction methods for different types of information, help you determine whether you need to outsource your destruction, and show you how to develop an effective information destruction policy. Although I focus heavily in this chapter on the destruction of physical (paper) information, I also review the issues involving the deletion of electronic information.

Determining the Appropriate Destruction Method

Organizational information is diverse. It may range from a lunch appointment reminder on a Post-it note stuck to your computer monitor to a terminated employee file relegated to inactive storage. The point is that most companies have a variety of record and information types, some of which are inconsequential, while others contain personal, confidential, and competitive information.

Understanding the different types of information you have is a starting point for determining the appropriate destruction method. In Chapter 1, I talk about three types of organizational information — records, business value, and nonvalue. Records serve as evidence of business transactions and legal obligations and status. Items of business value don’t meet the criteria of a record, but contain useful operational or referential information, while nonvalue content is of a personal, nonbusiness nature. For destruction purposes, it’s important to understand each category of information.

Warning: When eligible for destruction, records and information of business value should always be shredded and never placed in a trash can or recycle bin. The potential exists for this type of content to contain personal, confidential, and competitive information. Nonvalue information should be discarded in a recycle bin.

Tip: To ensure that information of a personal, confidential, and competitive nature doesn’t fall into the wrong hands, some organizations have implemented a shred-all policy. This approach involves the shredding of all company information, regardless of category, when it’s eligible for destruction. This removes the employee guesswork about whether items should be shredded or placed in a recycle bin.

Deciding on Your Shredding Approach

Organizations use two approaches for shredding documents — in-house or outsourced. Before deciding on a shredding method, you should carefully evaluate your options. Typically, the decision is based on the size of the organization and the volume of documents to be shredded. The following sections analyze each option to help you determine which approach best fits your needs.

Shredding your own documents

In-house shredding is most often performed by small businesses that have lower document volumes. However, some medium- to large-sized organizations have made the decision to shred in-house due to the nature of their information. This may include organizations that have highly sensitive information and don’t want the information to be transported to a vendor for shredding or to have a third party involved in the destruction process.

If you decide to shred in-house, you need to evaluate several operational and logistics factors:

Equipment: Depending on the number of documents and the frequency of shredding, the investment in shredding equipment can be minimal or substantial. Most small businesses can get by with a few personal shredders at a minimal cost. However, medium to large businesses may have to purchase an industrial shredder (see Figure 12-1) that is more expensive, but capable of shredding significantly more volume.

Costs: In addition to the cost of equipment, in-house shredding in medium to large organizations will result in additional labor and supply costs. In-house shredding usually requires dedicated employees to gather information to be shredded and perform the shred process, as well as additional equipment and supplies, such as personal or departmental shred bins that serve as collection points for documents that need to be shredded. Also, organizations that decide to use an industrial shredder for all their shredding needs should dedicate a secure area for the process. This can result in additional costs. If you require the use of an industrial shredder, it’s important to know that they require regular maintenance, in many cases by a certified technician. You should factor in the maintenance costs of your shredding equipment.

Process: Organizations should develop procedures for their in-house shred program and train each employee on the process. This helps to ensure that the program is appropriately followed. The organization should appoint a management employee to administer and monitor the program. In addition, a process should be developed that provides proof of destruction. Proof of destruction, commonly referred to as a certificate of destruction, allows an organization to prove that it is no longer in possession of specific information in the event of a lawsuit, audit, or regulatory investigation.

Information sensitivity: In most medium to large organizations, in-house shredding requires employees not affiliated with the departments they’re servicing to collect and shred documents. This approach means that the employees will have access to a broad range of information, some of which may be of a sensitive nature. Some organizations may determine this approach isn’t acceptable or require the employees to sign internal nondisclosure agreements.

Figure 12-1: Industrial shredder.


Getting to know the shredders themselves

If you decide to shred your documents in-house, you should understand the different types of shredders and their capabilities. You want to ensure that the shredder you select shreds your documents in a manner that prevents them from being reconstructed. You find four primary types of shred cuts:

Strip-cut: A strip-cut shredder slices your documents into strips. The problem is that it’s feasible to reconstruct the strips into their original document format. Although strip-cut shredders normally shred documents faster with lower maintenance than other types of shredders, I nevertheless recommend that you avoid using a strip-cut shredder to destroy your documents for precisely that reason.

Cross-cut: Cross-cut shredders (sometimes referred to as confetti shredders) provide more security by shredding documents vertically and horizontally. Cross-cut shredders are more expensive than strip-cut shredders.

Diamond-cut: Diamond-cut shredders cut documents vertically and diagonally. After it is shredded, the paper is in small diamond-shaped pieces that are extremely difficult to reconstruct. Diamond-cut shredders are typically more expensive than strip- or cross-cut shredders.

Tear and crush: Many industrial shredders have transitioned from cross-cut shredding to tear and crush. This approach punctures and tears the paper instead of cutting it. This leaves the paper fibers intact, making it easier to recycle. After the paper is torn, it’s then crushed to compact it. This method provides a high level of security.

For many years, personal, low-volume shredders only offered strip-cut shredding. Now they’re available in cross- and diamond-cut. Industrial shredders mainly use cross-cut and tear and crush.

Shredder prices range from less than $100 for low-volume (100 sheets per day) to over $100,000 for high-volume shredding (hundreds of sheets at a time). Heavy-duty industrial shredders can be fitted with conveyor belts to feed the paper into the shredders and have balers so that the paper can be recycled.

Warning: When implementing an in-house shredding program, it’s recommended that you shred your documents at a minimum on a weekly basis. Documents that need to be destroyed shouldn’t be allowed to accumulate excessively. The longer you wait to shred your documents, the greater the potential is for them to be compromised. Therefore, prior to purchasing shred equipment, it’s important to understand the volume of documents that need to be shredded and the frequency of your shredding needs. Personal shredders are available from most office supply retailers. The Internet is a good source of information for customer reviews of personal shredders. In most cases, if you plan to purchase an industrial shredder, you need to contact the manufacturer directly.

Outsourcing your shredding

Outsourcing your shredding is a recommended option for most medium and large organizations. Companies that decide to outsource shredding usually make their decision based on document volume and the hassles of having to create an internal process, as well as concerns about initial investment and ongoing costs. Many companies would rather leave the job of document destruction to vendors specifically trained and certified in the process.

Different approaches are available for outsourcing your document shredding. Some vendors provide on-site shredding in mobile shred vehicles, some pick up your documents and transport them to their facility for shredding, and others provide both services.

Vendor onsite shredding is a good option for organizations that want to retain some control over the destruction process. This approach allows a company to witness its documents being shredded rather than having its documents transported to the vendor’s facility, where they are later shredded. Although this option does have benefits, it typically costs more than offsite shredding.

If you choose offsite shredding, the vendor will transport your documents in secured containers to its facility. Vendors normally ensure that your documents are shredded within 24 hours after they arrive at their location. This approach is more economical than onsite vendor shredding, but it does come with an increased risk associated with transporting your intact documents. In the following section, I show you how to evaluate shred vendors in an effort to minimize risks associated with the process.

Remember: Some vendors offer a hybrid approach. They have on-site mobile shred vehicles as well as the ability to shred your documents at their facility. This approach is beneficial if you have separate operations with sensitive information that you don’t want to have transported, but don’t want to pay the increased costs for onsite shredding at all your locations.

Selecting the Right Shred Vendor

Over the past decade, many laws have been passed and regulations created to protect consumer privacy. This has resulted in more vendors offering document-shredding services. Before selecting a shred vendor, you should do your homework to ensure that you select a reputable organization.

A resource you should use in searching for a shred vendor is the National Association for Information Destruction (NAID). NAID is an international trade association for companies providing information destruction services. Its mission is to promote the information destruction industry and the standards and ethics of its member companies (courtesy of the NAID website, www.naidonline.org).

Remember: NAID’s website provides information on member vendors that provide document-shredding services. NAID offers a certification program to its member companies. The certification program involves NAID audits of the vendors’ mobile and plant-based shredding operations. The goal of the certification is to set standards for a secure information destruction process. This includes operational security, employee hiring and screening, the destruction process, responsible disposal, and insurance. It’s important to remember that a difference exists between a vendor that’s a NAID member and one that’s NAID certified. It’s recommended that you select a certified provider.

How to ensure that electronic information is unrecoverable

Most organizations understand the need and proper process for destroying physical information. Items of a personal, confidential, and competitive nature should be shredded in a manner that reduces the potential for reconstruction. However, organizations are less knowledgeable about the proper destruction of electronic information. Deleting a file isn’t adequate. With the proper technology and knowledge, deleted files can easily be recovered. Special methods must be used to ensure that electronic information is unrecoverable.

Some vendors now offer electronic information destruction services. The vendor will shred your hard drives and peripheral devices such as CDs, DVDs, and flash drives. This method ensures that the information is unable to be electronically recovered.

Another effective method for rendering electronic information unrecoverable is degaussing. Degaussing disrupts or demagnetizes magnetic storage found on hard drives, CDs, DVDs, and flash drives. This prevents the information from being recoverable. However, the effectiveness of degaussing depends on the type of media and degaussing equipment. For example, some hard drives have a higher magnetic field than others. Therefore, the degausser should possess enough strength to ensure that it thoroughly demagnetizes the media. Some electronic media types such as hard drives may not be able to be reused after degaussing has occurred.

Establishing your shredding requirements

Remember: Before selecting a shred vendor, it’s important to define your business requirements. It isn’t difficult to find a vendor to shred your documents. The challenge is finding a vendor that can meet all your operational and security needs. Following are important factors that you should evaluate during the requirements gathering process:

Locations: If your organization has multiple operations in different geographical areas, you need to determine which locations will need to be serviced. After you identify the locations, you must determine whether the vendor can service the area. In some cases, vendors will subcontract shredding services if they are unable to serve a specific market. If the vendor informs you that it must subcontract services in certain areas, ask the vendor to provide you information about the subcontracted vendor so that you can determine whether it meets your operational and security requirements.

Frequency: It’s important to determine how frequently you will need to have your documents shredded. If your organization has multiple locations that need to be serviced, you should also determine their shredding frequencies. If your business or any of your operations are located in a rural or remote area, the vendor may only be able to service you every few weeks or when it has enough volume from several customers to offset its travel and labor expenses.

Costs: You should estimate how much it’s going to cost to have a vendor shred your documents. Vendors typically charge by the pound of paper they shred or by the number of bins they service, regardless of whether they shred on-site or at their facility. You should avoid pricing that is based on time. Some vendors will charge based on the time it takes to collect your documents and shred them. This approach contains too many subjective variables.

Costs per pound can vary depending on your volume — the higher the anticipated volume, the lower the rate per pound. A typical charge per pound may range from $0.05 for higher-volume customers to over $0.50 per pound for lower-volume and onsite shredding. If the vendor is basing its costs on the number of bins it services rather than weight, you can expect a minimum charge to service your location. For example, the vendor may assess a minimum charge of $30 to service your facility or charge $10.00 per bin. If you only use two shred bins, you are paying $15 per bin ($30/2 bins = $15 per bin). However, if you use five shred bins, you will automatically meet the minimum charge, resulting in a cost of $50 or $10 per shred bin ($50/5 shred bins = $10 per bin). You should ask the vendor for its shredding fee structure.

Security: You should ensure that the shredding vendor meets the security needs of your organization. This includes how quickly the vendor shreds your documents after it picks them up from your facility. You should select a vendor that can shred documents within 24 hours of receipt. It’s recommended that you select a NAID-certified vendor for your document destruction needs. The NAID certification involves audits of several security-related issues, such as facility security, employee background checks, and security procedures.

Shred bins: Most shred vendors provide their clients with secure document destruction bins. The bins are equipped with locks that allow them to remain secure at your facility. They come in several sizes and models (see Figures 12-2 and 12-3). Figure 12-2 is a security console bin that is frequently used in an office environment, while Figure 12-3 shows a larger bin that can be used in an office or warehouse environment. It’s important to determine what types and quantity of bins you’ll need to adequately service your organization. For large organizations, it’s recommended that you work with department representatives to develop a floor plan that indicates where each shred bin will be located. This is an important step. It helps to ensure that the appropriate number of bins are placed in strategic locations, making them convenient for employees to use.

Electronic media: It’s important to determine whether your organization will need electronic media destruction. Vendors can provide separate secure bins for plastics and electronic content. Electronic media such as DVDs, CDs, and flash drives shouldn’t be placed in bins containing paper documents.

Certificate of destruction: The vendor you select needs to be able to provide you with a certificate of destruction. Certificates of destruction provide evidence that the vendor destroyed the information. The certificate usually provides information such as the weight and date of destruction. It normally doesn’t provide specific information about the documents’ contents, but it can be helpful during a legal matter or regulatory inquiry to demonstrate that the organization destroys records and information on a regular schedule and in the normal course of business.

Figure 12-2: Security console shred bin.


Figure 12-3: Document shred bin.


After you have determined and documented your shredding requirements, you should include them in a request for proposal (RFP) to each prospective vendor candidate. The vendor should specifically communicate how it will meet each of your requirements, including a price schedule. It’s recommended that you tour the vendor’s facility to observe its security practices and witness the shredding process.

Developing an Information Destruction Policy

A destruction policy is an essential part of a Records and Information Management program. It provides specific information on what must occur before content can be destroyed, and how it should be destroyed. The policy helps to establish that an organization destroys information in the normal course of business on a regularly scheduled basis. This is important in the event that the courts or regulatory entities question your destruction practices.

In addition to legal benefits, a destruction policy also provides compliance benefits. It provides the guidance and framework for employees to understand how information should be destroyed and how sensitive information can be kept from being compromised. The following sections analyze what to include (and what not to include) in your policy.

If you can’t do it, don’t include it

Warning: Company policies are perceived as corporate gospel. What you state in a policy is often viewed by outside parties such as attorneys and regulatory bodies as fact, and adherence to the policy is assumed. Therefore, avoid including anything in a policy that can’t be followed by employees. Moreover, operationally, including policy direction with no hope of adherence confuses and frustrates employees.

As you begin the process of considering what to include in your destruction policy, determine your organization’s capabilities. Know what technologies you have and what is lacking. It’s important to remember that company policies should be enforced and audited. You can’t enforce what you can’t do. Therefore, it’s critical that the elements of your policy be supported by the organization’s capabilities.

Elements of an effective destruction policy

An effective destruction policy should include elements that address what should take place before, during, and after information is destroyed. The policy should encompass the following items:

Purpose: The purpose states the reason for (or the objective of) the policy. For example, “The purpose of this policy is to ensure that organizational information eligible to be destroyed is destroyed in the normal course of business on a regularly scheduled basis and in a manner that renders it unrecoverable.”

Scope: The scope refers to what the policy applies to. In this case, the scope covers the destruction of physical and electronic content that is eligible to be destroyed or deleted based on the organization’s record retention schedules. In addition, the scope includes all parties responsible for adhering to the policy.

Approvals: The policy should address who should approve the destruction of information. For example, the destruction of nonrecord information may only require departmental management approval, while the destruction of official company records may require several levels of approval, such as the department head, the records manager, and the designated representatives from the Legal and Tax departments.

Information hold orders: It’s important to include policy verbiage that addresses the requirement to retain content that is currently (or anticipated to be) part of a hold order, even if the retention period of the information has expired.

Destruction methods: This section of the policy should address acceptable destruction methods for physical and electronic information.

Vendors: The policy should instruct employees to only use information destruction vendors approved by the organization.

Destruction log: Most organizations maintain documentation or a log of destroyed information. The log normally includes items such as the department, information type or box bar-code number, date of destruction, and who approved the destruction. The policy should state that a destruction log will be maintained and retained for a specified time frame.

Certificate of destruction: The policy should address the requirement that a certificate of destruction be provided by vendors that destroy the organization’s information.

Tip: Instead of creating a separate policy to address information destruction, some organizations include it as part of their overall records and information management policy. This approach reduces the number of individual policies that need to be distributed or made available to employees.
