So You’re Going to Implement a Shred Policy
There are very few businesses today that haven’t wrestled with the question of how to manage the risk associated with the disposal of sensitive information. The issue has been driven by both federal regulations, including the FACTA Disposal Rule, and numerous other existing and pending federal and state laws governing the disposal of consumer information.
Pressure has also come from a growing awareness of the power wielded by the court of public opinion. No business wants to find itself making headlines because of a security breach, with private, sensitive information suddenly becoming public – however inadvertently.
Now that you’ve decided to shred, you need to determine how much of the information your firm generates you want to shred. All of it? Half of it? Only those documents that have been identified, for whatever reason, as highly sensitive?
You must also decide who will do the shredding. Will it be firm employees with access to a personal shredder? Or will you entrust your shredding to an outside firm that can guarantee the documents have been securely shredded?
As you will see, there is really only one viable answer to all of these questions.
Selective Shred – Better Than Nothing, but Very Limited
The Selective Shred option places the burden on your employees to decide what gets destroyed. This can help reduce the amount of material that needs to be shredded, but there are several things to understand if you choose Selective Shred:
- Your shred program will rely on the guidelines and procedures that you establish. You will need to make sure that these conform to all government and industry regulations and that they are updated when the rules change.
- You will need to establish a training program to make sure that your employees know exactly what needs to be destroyed securely, and what can be placed in recycling or trash containers. New employees will need to be trained as they are hired, and existing employees will need periodic refreshers. Anytime the guidelines are changed, you will need to make sure everyone receives updated training.
- If you are using office shredders, you will need to make sure employees shred documents immediately and don’t just pile them up near the shredder. And because office shredders periodically break down, you will need to have a plan in place that takes this into account. The plan should provide for the time it takes to locate a replacement or to have a new one shipped in.
- You may want to establish a program to monitor paper that is placed in trash or recycling containers. People will make mistakes, and having someone double-check all the paper that is not marked for secure destruction will help catch mistakes before that paper leaves the complex.
Why Shred-All Is Your Best Option
The Shred-All option instructs employees to securely shred all information no longer needed for business or required by compliance laws – as opposed to placing it in a trash can.
You no longer have to worry about creating policies that are current with all government and industry laws and regulations. Employees are not asked to decide whether information is sensitive, classified or confidential. The Shred-All option completely takes employee decision-making out of the compliance process, thereby removing a company’s single biggest risk factor. Shred-All programs are implemented by organizations that:
- Want to be certain that anything that needs to be destroyed is destroyed in a secure and timely fashion.
- Don’t want to burden employees with the responsibility of having to decide what is sensitive enough to require destruction.
The Shred-All option is easy to explain, easy to understand and, best of all, easy to implement.
Implementing an Effective Program
A Shred-All policy all but eliminates the chance for a potentially devastating security breach. Employees no longer have to agonize over whether a particular document contains confidential information. All employees have to know is that the document, by definition, has outlived its usefulness to the organization. Their only responsibility at this point is to have it shredded.
Implementing a program is simple and only requires a few key steps:
- Make sure shred bins are placed at convenient locations throughout the office. Post clear instructions on whom to contact if a bin fills up and needs to be serviced ahead of schedule.
- Make sure that all employees understand the importance of securely destroying documents, and are aware that there are laws, regulations and company policies that can all be satisfied by a “Shred-All” policy. They should know never to second-guess what a document contains and risk dropping a confidential document in the trash by mistake.
- Make sure clear guidelines are posted to let people know what types of materials can be placed in a shred bin and what cannot. All types of documents and reports, for example, can be placed in a shred bin, but old DVDs and batteries cannot.
Securing a Professional Service Provider
Adopting a Shred-All policy makes life simpler for everyone in the workplace. It reduces risk and greatly enhances compliance while letting employees focus on their jobs – not on sorting paper.
Most organizations selecting a Shred-All program will retain a shredding vendor to collect and securely destroy their information. The vendor will also provide a certificate of destruction attesting to the fact that the information has been destroyed as required.