When most people hear there has been a data breach, they think “online”, “credit card”, “hacking”. However, did you know that, in the case of small breaches affecting fewer than 500 people, many still come from good old-fashioned paper? In addition, did you know that most of these are caused by human error and could have been prevented?
Personal information on paper, anything from social security numbers to names, birthdates and addresses, is required to be kept and destroyed in a secure manner. The government mandates three acceptable ways to destroy this personal identifying information (PII): burning, pulverizing or shredding. Most paper breaches come from leaving information unsecured, where it is then found and disseminated or stolen, and this has the potential to be a violation. This is particularly so in the case of the HIPAA privacy rule.
Fines are increasing and have been levied for anything from backpacks with notepads left on trains or in delis to boxes of files being left unattended or disposed of in dumpsters.
How to avoid these paper data breaches
In most cases, the breaches come from not having a process for using and disposing of paper. Where companies have a policy, educate their staff on its implementation, and have the necessary procedures in place, a paper data breach is less likely.
Risk can be lessened by:
Knowing how long to retain documents.
Knowing which documents should be shredded.
Knowing where unshredded documents should be stored while awaiting shredding or when being retained or filed.
Knowing who should make decisions on retaining or destroying each document.
Having a clean-desk, shred-all policy, where documents are either filed, locked inside a desk or placed in secure containers while awaiting shredding.
Employing an on-site shredding company such as PROSHRED® for either regularly scheduled service with secure containers left on-site or one-time purges. In addition, by using a NAID AAA Certified company such as Proshred and receiving a Certificate of Destruction, you have proof of secure destruction if there is a data breach.
Training employees to be aware of their responsibilities and of the consequences of a breach for them and the company. Large fines can lead to employee attrition and put companies out of business.
Finally, a documented information policy as part of the company handbook provides important written confirmation of procedures.