Posts Tagged ‘data disposal’

Discussing Information Destruction

Friday, May 15th, 2009

CSO Online’s Ben Rothke published a 2-part series about Why Information Must Be Destroyed (Pt 2). The series discusses why companies shouldn’t hoard information and how to destroy digitally stored information.

Ben points out that the sheer volume of paper and digital media that accumulates over time requires effective information destruction policies and practices. Every company has information that needs to be destroyed, though regulations may require that certain data be archived for a few years or permanently.

The discussion covers why hoarding data records can be a liability, lists information that can be shredded when no longer needed, and reviews the regulatory environment for data retention and destruction. Simply tossing things into the garbage is not the answer, as trashing records without appropriate destruction can be dangerous. The article suggests that data destruction be done on a formal (documented) and regular basis.

While the discussion of physical data continued in Part 1, Part 2 of the series looked at electronic information. The destruction of data here includes the importance of sanitizing unwanted hardware (computers, backup tapes, etc.) so that no information can be recovered. Computrace Data Delete capabilities can help you do this as part of your asset life cycle. If for some reason it’s not possible to delete the data (maybe it’s from an extremely old computer), the hardware should be destroyed. Various acceptable and unacceptable methods of sanitization and destruction are discussed.

The whole series is a great read and may help you establish or refine your own data policies.


Document Retention Policy

Friday, November 21st, 2008


Document Retention - understanding what documents to keep, for how long, and how to destroy what you no longer need. This is an area Michael Overly recently explored, providing a series of tips about basic elements to be considered in a document retention program. Using those tips as a jumping-off point, and supplementing with other research, I came up with this list.

10 basic elements of a good document retention policy

  1. Understand what documents to keep, looking first to type of record (employment, accounting / tax, legal, electronic). Understand legal requirements, as well as business requirements, as to how long to keep documents. In the master policy, list the rationale for any decisions made for each type of information. The retention period for each type of document should be listed.
  2. Electronic documentation retention should be clearly defined on its own, particularly as it pertains to email and IM. List the location where electronic information will be stored and the policies that pertain to backup tapes.
  3. Define how data is disposed of – for both physical and electronic information. This includes how information is shredded and disposed of, how old electronic devices are purged and/or resold, how electronic information is purged from the network, etc.
  4. Choose a storage / backup method that matches the continued demand for information. Accessing backup tapes is not cost effective, so retain information in a way that makes sense with its use.
  5. Restrict the copying of data so that it cannot be duplicated to local machines (if desired) and/or restricted devices such as USB keys or mobile devices.
  6. Detail actions associated with the policy – for example, if email >X days old is to be deleted, list that the network will automatically perform this function.
  7. Define disposable documents – those documents that don’t need to be retained. For example, duplicates or “trivial” documents.
  8. Assign a process to keep documents if a legal claim arises, exempting them from regular disposal.
  9. Assign a person or group to maintain the program and answer questions.
  10. Audit the program regularly to ensure the program has been implemented correctly and that it stays up-to-date with changes in the business or legal environment.

Supplemental research sources: nfib, it world, uofaweb, microsoft, abanet

Shredded Checks Are Not Packing Material

Tuesday, September 9th, 2008

This is just a common sense business tip: do not use shredded checks as packing material.

The WHH Ranch Company has been using shredded paper from a Texas-based bank for 20 years. Some of that paper came in the form of shredded checks.

When Michelle McBride ordered some food from WHH Ranch, she found it packed in shredded checks. The shredded paper was in wider strips (it was not cross-shredded) that could be easily pieced together. In fact, that’s what Michelle McBride did – she was able to easily re-assemble some checks and plainly read off account numbers and routing information for hospitals, Medicare, schools, businesses and personal accounts.

After learning of the problem, WHH Ranch says they’ll ensure it doesn’t happen again.

So, two things to learn from this:

  • If you are shredding sensitive information, use a good cross-shredder or confetti shredder. Particularly if you’re a business.
  • If you are using shredded paper as packaging material, ensure it’s finely shredded material that contains only non-sensitive papers.
