Document shredding: the why and the how
by Zeljka Zorz - Managing Editor - Monday, 4 February 2013.
Tim McBride serves as the Vice President and General Manager of Secure Destruction Services for Recall North America. He is focused on driving improvements in safety, security, service and efficiencies, and is responsible for exploring potential new opportunities and emerging technologies within this service line. In this interview he talks about the practice and requirements of document shredding, and the risks of doing it wrong.

Everybody who has ever worked in an office is familiar with those relatively small paper shredding machines. What other types are there? Is there a "right" and "wrong" way to shred paper documents?

There are numerous commercial shred options to choose from including strip shred and cross-cut, however the best way to protect your organization is to utilize a professional third party Secure Destruction provider with a closed loop chain of custody process in place with stringent controls that provide “end-to-end” security. Knowing a document’s lifecycle, from creation to destruction, is the first step to a fully functional records program. Establishing what each document is and where it is located will minimize the legal risk, regulatory compliance risk and annual expense of data management and storage.

Is shredding of confidential documents mandated by law for some entities in the U.S.? If yes, which ones? Is the manner in which it has to be executed regulated by law?

The Federal Government has specific compliance standards in place which is also true in Canada. As compliance laws and regulations evolve, company policies need to stay on top of the changes. Written data security programs and plans should be administered and re-evaluated and it is important to view your policies as a living document, not a list of laws set in stone.

Although certain government agencies do have shred size particle specification requirements (some of which require NAID Certification), they are not dictated by law but rather by internal policy. Regardless of an organization’s mission, securing and managing critical documents must be a top priority across every department. The goals to keep in mind are keeping mission critical information protected from unauthorized access and destroying physical documents so that they are unreadable and unrestructable. Further impacting the need for security are the many regulations that require the storage and security of important documents such as HIPAA and HITECH (health care), Sarbanes-Oxley and GLBA (public companies, financial institutions) and individual state regulations.

What are the security implications of improperly shredded documents? Can documents be recreated? If so, how easy is it do it? Are there companies that legally offer this recreation service?

Security implications are significant. Identity theft, corporate espionage and dumpster diving are rampant. Documents can certainly be reconstructed via multiple methods (i.e. manual processes), and there is even software available that boasts this capability as well. However, the effort and investment of implementing an enforcement strategy to any Records and Information Management program pales in comparison to the cost of having to replace lost documents or mounting legal defenses as a result of improperly/not properly securing information.


Critical bug found in Cisco ASA products, attackers are scanning for affected devices

Several Cisco ASA products - appliances, firewalls, switches, routers, and security modules - have been found sporting a flaw that can ultimately lead to remote code execution by attackers.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Feb 12th