Are you dealing with sensitive materials? If you are, your confidential shredding procedures need to be on point. Here's how to get them there.
Shredding confidential documents might seem like a hassle, but it is vital to protecting both your customers and your organization. In many industries, confidential shredding is required by law.
The medical, credit, and financial industries, along with government agencies, all operate under strict regulations covering the destruction of confidential documents. It is easy to understand why: 17.6 million Americans were victims of identity theft in 2014 alone, and a discarded but intact document is one of the simplest ways for personal information to reach the wrong hands.
Regardless of your industry, your organization has a responsibility not just to shred confidential material, but to eliminate the conditions that could lead to a breach and to have a plan in place to respond if one occurs.
Doing this well isn’t just about obeying the law. It’s about taking care of others’ information the way you would want them to take care of yours.
Understanding Confidential Shredding Laws
Confidential shredding matters for every business in every industry, but some industries have specific laws that dictate how sensitive documents are stored and later destroyed. Some of the key national laws include:
- HIPAA for the health industry. The Privacy Rule covers protected health information in any form, including paper records, and requires reasonable safeguards against improper disclosure (which includes disposal); the Security Rule adds administrative, physical, and technical safeguards specifically for electronic health information.
- FACTA for the credit industry. Beyond entitling consumers to a free credit report every 12 months from each of the three major credit agencies, its Disposal Rule requires anyone who uses consumer report information to dispose of it securely, for example by burning, pulverizing, or shredding paper so that it cannot practicably be read or reconstructed.
- GLB Act for the banking industry. The Safeguards Rule in the GLBA requires financial institutions to develop a written information security program that describes how the organization protects customers' nonpublic personal information throughout its life cycle, including how records containing that information are destroyed.
- CIPSEA for government statistical data. The law gives federal statistical agencies a standard set of obligations for protecting information collected from respondents so that their identities are never exposed.
There are also state laws protecting confidential information and regulating its disposal in at least 32 states. California, Georgia, and Massachusetts have some of the most detailed requirements and some of the strongest penalties.
How to Take the Proper Steps for Confidential Shredding
Many people assume that buying a shredder is all they need to do to comply with the various federal and state privacy laws. Unfortunately, that is not the case.
The laws and the standards they reference often specify what counts as adequate destruction, and there are several considerations.
Shred Size
Some regulations and industry standards specify the particle size a document must be reduced to before it is considered securely destroyed. Most consumer paper shredders use a simple strip-cut, which is adequate for ordinary consumer mail but not for regulated records: strip-cut output leaves entire lines of text intact on each strip and can be reassembled by hand or with document-reconstruction software.
Organizations have more stringent requirements and need a finer shred. Shredders are rated on a scale of six security levels. Level 1 is the consumer strip-cut style, and Level 6 produces the tiny "confetti-like" micro-cut particles used for the most sensitive material.
Organizations destroying classified or highly regulated material will probably want Level 6, but most commercial businesses do well with the small cross-cut particles produced by Level 5 machines. When choosing a level, check the specific standard your industry or customers require rather than relying on a vendor's marketing label.
Storage While Awaiting Shredding
Collecting documents that need to be shredded is harder than it sounds. A document waiting to be shredded is just as readable as one in a file cabinet, so where and how records are held until destruction matters as much as the shredding itself.
One approach is to have a commercial shredder in your office and to have employees destroy documents immediately, at the point of disposal, so that nothing sensitive sits in an open wastebasket or an unlocked desk. This works well if most employees don't handle secure papers and you can rely on a few trusted staff members to protect the confidential documents.
Another approach is to hire a shredding service that provides secure, locked collection bins for confidential paper. The bins are emptied directly into the shredder, so the shredding service's employee never handles individual documents, and the material is never accessible between collection and destruction. Confirm whether shredding happens on site or after transport, and if the latter, that the bins stay locked in transit.
The third-party service is best for companies where a lot of secure information is handled every day, or where many employees have access to information that needs to be shredded.
Proof of Document Destruction
If there is ever a concern or complaint about how your organization handles private personal information, you will need records that show your document shredding process is followed consistently.
A certificate of destruction is that record: it documents what was destroyed, when, and by what method, and is the evidence you need to show you took the necessary steps to keep private consumer information safe. Any third-party shredding service should be NAID-certified and should provide a certificate of destruction with every order it processes; keep those certificates with your compliance records for as long as your retention policy requires.
Protect & Review Your Files Regularly
Set a standard schedule for when your organization reviews personnel and customer files and shreds outdated information. Write a retention policy that states how long each kind of information is kept, when files are reviewed, and who is responsible for the review, so that records are destroyed on a defensible schedule rather than accumulating indefinitely.
It is also important that day-to-day handling of confidential information is done correctly. Secure bins for confidential shredding should be available in your office at all times, so employees never have to wonder what to do with private customer information they no longer need.
Finally, limit the number of people in your company who have access to protected customer information to those whose job actually requires it. As far as is reasonable, make sure that only those people can reach employee records, storage closets, and customer files, and revisit that access when roles change or staff leave.
Have a Process in Case of a Breach
If you practice confidential shredding according to the rules, you will avoid many problems. There may still be a breach, however, and your organization needs to be prepared. Data breaches can be very expensive, and many state laws set deadlines for notifying affected individuals once a breach is discovered.
Have a written policy describing how you investigate a suspected exposure or mishandling of private consumer information, and how you deal with an employee who mishandles confidential documents. Sometimes these incidents are mistakes, and sometimes they are intentional, and your process needs to handle both.
To make this easier, ensure that responsibilities for confidential shredding and information handling are clearly described in each job description and in the employee manual. You should also have written consequences for breaking these rules.
When you have the right process in place before there is a breach, you will be ready to react professionally and efficiently if something goes wrong. Whether you have a rogue employee or a simple oversight, you can contain the incident, re-secure the private information, document what happened, and move on with your business.
Confidential shredding may seem simple on the surface, but protecting private information about your customers and employees is essential. It is important to do it right, not just to avoid penalties and lawsuits, but because protecting others is the right thing to do.
If you’d like to learn more about how to implement efficient, confidential shredding in your office, we’re here to help. Contact us today!