Skip Navigation
 
 

NAIDnotes

Bookmark and ShareTuesday May 23, 2017

Customer Misconception: Only a Small Portion of Discarded Media Must be Destroyed

Selling Information Disposition by the Book (vol. 6)

By Bob Johnson

There are several ways in which data controllers put themselves at risk by destroying only a portion of what should be destroyed. Usually it is by letting employees decide what should be securely destroyed and what can be disposed of casually. It is most commonly seen where a data controller gives the employee multiple options for how media is discarded. This is a mistake for several reasons, and one of the many places Information Disposition confronts this mistake is in can be found on page 47 in Chapter 2 on Physical Security:

Special Collection Issues
Allowing Employee Discretion

It is very risky for a data controller to allow rank and file employees the discretion to determine what media or information requires secure destruction. While allowing employee discretion minimizes the amount of material requiring destruction, it gives every employee the ability to violate an organization’s regulatory compliance. Furthermore, a data security breach traced back to such employee discretion, having arguably been authorized precisely because it was more economical, would be difficult to defend.

Chapter 3 defines what actually constitutes as an official “record,” and what is considered “personal information,” as this will also help explain to data controllers that they are taking a big risk with any destruction program that doesn’t include ALL discarded media. The example of Carlucci v. Piper Aircraft Corp., 102 F.R.D. 472 (S.D. Fla. 1984) in Appendix A of Chapter 3, page 77 is case law demonstrating:

...the need for a document destruction policy as well as a document retention policy -- especially in legal situations. The court ended up ruling against Piper in this case due to their incriminating (i.e. inconsistent) document destruction.

Information Disposition also spends considerable time on the importance of employee training, which will help maximize their sensitivity to what must be destroyed.

Get your copy of Information Disposition today >> 

Read the next blog post in this series >>

Comments: 0 | Reply


Submit your Comment

All comments are moderated. Your comment will appear in the order received after being approved.

(comment length available: )

Enter Verification Code:
Captcha Code
Type the characters you see in the picture above.

By submitting a comment, you agree to the terms and conditions governing this blog. Any information, including but not limited to remarks, suggestions, ideas, personal information or other submissions, communicated to NAID through this website is the exclusive property of NAID. Your name will appear along with your comment if/when they appear on the website.

Return to Current Blog