Q. Does our company have any confidential material?
A. All businesses have confidential material; they just have not examined what they are disposing. Customers lists, price lists, sales statistics, drafts of bids and correspondence, and even memos, contain information about business activity which would interest any competitor. Every business is also entrusted with information that must be kept private. Employees and customers have the legal right to have this data protected. Without the proper safeguards, information ends up in the dumpster where it is readily, and legally, available to anybody. Business espionage professionals consider the trash as the single most available source of competitive and private information from the average business. Any establishment that discards private and proprietary data without the benefit of destruction exposes itself to the risk of criminal and civil prosecution, as well as the costly loss of business.
Q. How long should we keep records on file before we shed?
A. The period of time that business records are stored should be determined by a retention schedule that takes into consideration their useful value to the business and the governing legal requirements. No record should be kept longer than this retention period. By not adhering to a program of routinely destroying stored records, a company exhibits suspicious disposal practices that could be negatively construed in the event of litigation or audit. In addition, the new Federal Rule 26 requires that, in the event of a lawsuit, each party provide all relevant records to the opposing counsel within 85 days of the defendant’s initial response. If either of the litigants does not fulfill this obligation, it will result in a summary finding against them. By destroying records according to a set schedule, a company appropriately limits the amount of materials it must search though to comply with this law. From a risk management perspective, the only acceptable method of discarding stored records is to destroy them by a method that ensures that the information is unreadable. Documenting the exact date that a record is destroyed is a prudent and recommended legal precaution.
Q. What should we do with our daily incidental business records?
A. Without a program to control it, the daily trash of every business contains information that could be harmful. This information is especially useful to competitors because it contains the details of current activities. Discarded daily records include phone messages, memos, misprinted forms, drafts of bids and drafts of correspondence. All businesses suffer potential exposure due to the need to discard these incidental business records. The only means of minimizing this exposure is to make sure such information is securely collected and destroyed. Security container service is available for the protection of the information you generate daily.
Q. Is recycling an adequate alternative for information destruction?
A. To extract the scrap value from office paper, recycling companies use unscreened, minimum wage workers, to extensively sort the paper under unsecured conditions. The acceptable paper is stored for indefinite periods until there is enough of a particular type to sell. The sorted paper, still intact, is then baled and sold to the highest bidder, often overseas, where it may be stored again for weeks or even months until it is finally used to make new products. There is no fiduciary responsibility inherent in the recycling scenario. Paper is given away or sold and, by doing so, a company gives up the right say in how it is handled. In addition, there is no practical means of establishing the exact date that a record was destroyed. In the event of an audit or litigation, this could be a legal necessity. Further, if something of a private nature does surface, the selection of this unsecured process could be interpreted as negligent. For all these reasons, the choice of recycling as a means of information destruction is undesirable from a risk management perspective. If environmental responsibility is a concern, materials may be recycled after they are destroyed or a firm can contract a service that will destroy the materials under secure conditions before recycling them. Any recycling company that minimizes the need for security has its own interests in mind and should be avoided.
Q. Our records storage company provides shredding service…is that sufficient?
A. Many commercial record storage facilities offer records destruction as a service to their customers. However, in a survey conducted by the National Association for Information Destruction, a majority of the commercial storage firms was found lacking the equipment necessary to provide the service themselves. It is a common practice in that industry to subcontract the destruction of the records. In some cases, disreputable storage firms were found misleading their customers by charging for secure record destruction, while the materials were being sold to a recycling company for scrap.
Any business using a commercial records storage firm should inquire as to the nature of the destruction services that are available. It is an unacceptable risk to permit a storage firm to select a subcontractor to provide the records destruction service. The owner of the records is ultimately responsible for their security and, therefore, should be selecting the vendor directly.
Q. Should internal personnel be responsible for destroying certain information?
A. Common sense dictates that payroll information and materials that involve labor relations or legal affairs should not be entrusted to lower level employees for destruction. But, beyond that, competition sensitive information is best protected from them as well. It has been established, repeatedly, that employees are the most likely to realize the value of certain information to competitors. And, lower wage employees often have the economic incentive to capitalize on their access to it. The only acceptable alternatives are to have the materials destroyed under the supervision of upper management or by a carefully selected, high security service.
Q. Is information protection a vital issue to senior management?
A. In a survey conducted by the Conference Board, top executives from 300 companies ranked the security of company records as one of the top five critical issues facing business. When asked which issues required immediate attention and policy development, the security of company records ranked second only to employee health screening.