If private information surfaces after the vendor accepts it the court is bound to question the process by which the particular contractor was selected. Any company not showing due diligence in their selection of a contractor that is capable of providing the necessary security could be found negligent.

From a practical standpoint, if proprietary or private information is lost or leaked by the fraud or negligence of a vendor, the obligations of that vendor are irrelevant. The firm whose information falls into the wrong hands stands to lose the most, either from loss of business, prosecution or unfavorable publicity.

Since a business cannot transfer its responsibility to maintain confidentiality, it must be certain that it is dealing with a reputable company with superior security procedures. Unfortunately, there are those information destruction services that provide certificates of destruction while having no semblance of security and, in some cases, no destruction process available to them. Anyone interested in contracting a data destruction service is advised to thoroughly review their policies and procedures, conduct an initial site audit and conduct subsequent unannounced audits. On-site document destruction is also an option in most cities.

1. Incidental Business Records Discarded On A Daily Basis Should Be Collected, Protected or Destroyed.
   Without a program to control it, the daily trash of every business contains information that could be harmful. This information is especially useful to competitors because it contains the details of current activities. Discarded daily records include phone messages, memos, misprinted forms, drafts of bids and drafts of correspondence.  All businesses suffer potential exposure due to the need to discard these incidental business records. The only means of minimizing this exposure is to make sure such information is securely collected and destroyed.  Use locking collection containers in convenient work areas to accomplish this.
2. Recycling Is Not An Adequate Alternative For Information Destruction.
   To extract the scrap value from office paper, recycling companies use unscreened, minimum wage workers, to extensively sort the paper under unsecured conditions. The >acceptable< paper is stored for indefinite periods of time until there is enough of a particular type to sell. The sorted paper, still intact, is then baled and sold to the highest bidder, often overseas, where it may be stored again for weeks or even months until it is finally used to make new products.

There is no fiduciary responsibility inherent in the recycling scenario. Paper is given away or sold and, by doing so, a company gives up the right say in how it is handled. There is, also, no practical means of establishing the exact date that a record is destroyed. In the event of an audit or litigation, this could be a legal necessity. And, further, if something of a private nature does surface, the selection of this unsecured process could be interpreted as negligent. For all these reasons, the choice of recycling as a means of information destruction is undesirable from a risk management perspective.

If environmental responsibility is a concern, materials may be recycled after they are destroyed or a firm can contract a service that will destroy the materials under secure conditions before recycling them. Any recycling company that minimizes the need for security has its own interests in mind and should be avoided.

By not adhering to a program of routinely destroying stored records, a company exhibits suspicious disposal practices that could be negatively construed in the event of litigation or audit. Federal Rule 26 requires that, in the event of a law suit, each party provide all relevant records to the opposing counsel within 85 days of the defendants initial response. If either of the litigants does not fulfill this obligation, it could result in a summary finding against the business. By destroying records according to a set schedule, a company appropriately limits the amount of materials it must search though to comply with this law.

From a risk management perspective, the only acceptable method of discarding stored records is to destroy them by a method that ensures that the information is obliterated.

Documenting the exact date that a record is destroyed is a prudent and recommended legal precaution.  For help with retention periods contact your legal counsel or ask us about our helpful retention guide.

Chances are high that one of  the following privacy laws applies to your business: (1) HIPAA (Health Insurance Portability & Accountability Act); (2) FACTA (Fair and Accurate Credit Transactions Act); (3) GLB (Gramm-Leach-Bliley Act); and add to this list any state laws that apply, such as Oregon’s “Oregon Identity Theft Protection Act” (OITPA).

You might think you’re in good shape because you have a shredding service.  That’s a good step but it’s not a safeguard system yet.  To ensure a complete information safeguard system you need a written procedure and the rules need to be communicated to your entire team, periodically and consistently.  Take the next step and create a written destruction policy. We can help you.