Data Destruction: 4 Tips for Staying Compliant

Brian Quinn

We live in the “Information Age”, where unprecedented amounts of digital data are created every day, and this deluge isn’t slowing down.

According to the International Data Corporation (IDC), the digital universe is growing at 40% a year. Companies are responsible for generating, storing and securing a large amount of this created data. In fact, IDC found that companies’ employees and consumers created two-thirds of data points.

Data can help a business fine-tune its day-to-day operations, better serve customers and forecast future trends. But, with great data comes great responsibility. The more data that companies create, the more they must properly manage and destroy in order to protect the privacy of their employees and consumers.

Data breach statistics continue to grow and compliance regulations continue to get tighter and tighter. While fines and legal fees associated with non-compliance vary widely, companies should prepare to pay more as both courts and class-action lawyers zero in on data misuse.

Now more than ever, a proper data disposal and destruction policy is critical.

What is Data Destruction?

Data destruction is the process of properly destroying information, whether paper or digital, according to industry-set compliance and best-practice standards.

For digital media, secure data destruction overwrites sensitive information with random data, rendering the original material unreadable.

When individuals fail to destroy their data, they’re vulnerable to identity theft. A 2015 study found that 48% of second-hand hard drives and smartphones had residual data containing sensitive personal information, photos and videos. 

The stakes are much higher for companies and larger organizations. When Affinity Health Plan, Inc. forgot to sanitize leased computer hardware, the health records of more than 340,000 people were compromised. The oversight cost the company a $1.2M settlement with the U.S. Department of Health and Human Services.

Data Destruction Laws

As the information landscape has evolved, so have government regulations concerning data. Several state and federal laws now mandate that companies properly store and destroy data to protect consumers and employees.

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 as the healthcare industry began to rely on digital systems in both clinical and administrative settings. This federal legislation protects medical records and prevents their disclosure. 

HIPAA data destruction protocols are stringent and include the following:

  • Paper records must be shredded, pulverized, burned or pulped until patient information is rendered unreadable and cannot be reconstructed
  • Labeled prescription bottles must be stored in opaque bags until destroyed by a disposal contractor
  • Electronic information must be cleared using overwriting software or magnetic methods
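The overwrite-with-random-data approach described above (under “What is Data Destruction?” and in the HIPAA bullet on clearing electronic information) in working form, as an added example that is not part of this article or of any Access product. The function names, the constructed sample record and the temp-file setup are assumptions; the verification step and the log entry are the checks an auditor would ask for, and the comments note where overwriting alone is not enough.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB chunks so large files are never read into memory


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` in place with random data; returns bytes per pass.
    Assumption: a plain file on storage that writes in place. On SSDs, journaling or
    copy-on-write filesystems and thin-provisioned volumes old blocks can survive elsewhere,
    so overwriting alone is no substitute for cryptographic erase or physical destruction."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite through the OS cache to the device
    return size


def verify_overwritten(path: str, original_sample: bytes) -> bool:
    """Confirm a known, non-empty fragment of the original content is gone."""
    if not original_sample:
        raise ValueError("need a non-empty fragment of the original content")
    with open(path, "rb") as f:
        return original_sample not in f.read()


def destroy_file(path: str, original_sample: bytes, passes: int = 1) -> dict:
    """Overwrite, verify, then unlink; returns an entry for the destruction log."""
    written = overwrite_file(path, passes)
    verified = verify_overwritten(path, original_sample)
    if verified:
        os.remove(path)
    return {"path": path, "bytes": written, "passes": passes, "verified": verified}


def demo() -> dict:
    """Destroy a constructed sample record in a temp dir and report the outcome."""
    sample = b"constructed sample: patient 0000, DOB 01/01/1970\n"
    path = os.path.join(tempfile.mkdtemp(), "record.txt")
    with open(path, "wb") as f:
        f.write(sample * 5000)
    entry = destroy_file(path, sample, passes=2)
    entry["still_exists"] = os.path.exists(path)
    return entry
```

The returned entry is the kind of per-file record that backs a certificate of destruction; for whole drives, firmware-level sanitize or physical destruction is the defensible route.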

The Computer Fraud and Abuse Act

Enacted in 1984, the Computer Fraud and Abuse Act has been updated six times to reflect changes in data collection and technology. Essentially, the law prohibits accessing a computer without authorization, and was designed to penalize hackers. Punishments can be severe and result in criminal convictions. 

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act mandates that financial institutions—such as banks, mortgage lenders and credit unions—explain their information-sharing policies to consumers and protect sensitive information. Data destruction must be consistent with the Federal Trade Commission’s strict disposal regulations.

Sarbanes Oxley Act of 2002

Enacted in response to corporate financial scandals including Enron and WorldCom, the Sarbanes Oxley Act of 2002 (SOX) protects investors from corporate fraud. Record management is central to SOX, which sets special guidelines for retaining, auditing and destroying financial data. 

Fair and Accurate Credit Transactions Act 

The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the better-known Fair Credit Reporting Act. Enacted in 2003, FACTA protects consumers from identity theft, and stipulates that all businesses—regardless of size or industry—must protect customer data. Specialized data disposal guidelines were added in 2005. 

Visit AccessCorp.com/records-management/regulatory-compliance/ to see how Access works directly with clients to ensure compliance amongst a wide array of industry standards.

Tips for Data Destruction Compliance

Data is a double-edged sword. As valuable as it can be in helping companies understand consumer trends, it can also be costly when mismanaged. Failure to maintain data destruction compliance can result in hefty fines and lawsuits, as well as devastating reputation damage.

Fortunately, there are clear steps companies can take to remain compliant.

1: Institute a Data Disposal and Destruction Policy

A data destruction policy guides the process by which data is cleaned and destroyed within an organization and covers all data, whether printed or digital. When crafting this policy, organizations need to ensure it complies with all industry, state, and federal regulations.

Maintaining compliance begins with creating formalized policies surrounding the data destruction process. 

First, a company must clearly define the data it wants to protect. Not all data is created equal, and it’s important to identify which documents will be included in the destruction procedures. When drafting policies, companies should involve representatives from a variety of departments, ensuring all weak points and improvement opportunities are taken into consideration. 

And, remember: Enforcing policies is just as important as creating policies. Audits of data destruction policies should be performed periodically to ensure that all requirements are being met. 

2: Digitize Records

By law, some companies must keep hard copies of certain records, for specific amounts of time. In these cases, there are methods and retention schedules for securely destroying paper documents. 

However, in most circumstances, paper is an unnecessary liability. It’s impossible to determine who read a piece of paper or who made a photocopy. Even the most meticulous filing system can’t alert a manager when paperwork goes missing, or when an audit wasn’t performed.

By digitizing records and using smart data destruction software, such as CartaHR, which can be configured to automatically delete documents on retention schedules, companies can take an important step in ensuring that sensitive data is properly stored and permanently destroyed.

3: Use Records Management Software

Records management software is a one-stop-shop for protecting data over the course of its entire lifecycle. By automating processes and performing autonomous audits, these systems can alert users when documents have expired and should be destroyed. Retaining certain documents, such as I-9 forms, longer than required by law can result in fines, so it’s important to not only destroy documents but to do so in a timely manner. 

4: Work with a Records Management Consultant 

Laws for data retention and destruction vary by industry and by state. To ensure your company is in compliance, consider working with a records management consultant. These experts can determine if your organization is properly storing and destroying data, protecting you from costly lawsuits and fines. 

What to Look for in a Data Destruction Vendor

Whether you’re destroying paper documents or digital files, a data destruction vendor can ensure that your information is gone for good. Before hiring a vendor, do your research to make sure they meet your company’s individual data needs, and are qualified to protect your employees and clients.

When searching for a secure data destruction company, ask the following:

1: Is your vendor NAID certified? The National Association for Information Destruction (NAID) sets industry standards for the safe disposal of confidential documents. 

2: Do they provide certificates of destruction? These detailed documents describe how your data was destroyed and disposed of, protecting you in the event of an audit or lawsuit. 

3: Do they adhere to federal, state, and industry standards? It’s important that your vendor is an expert on the regulations of data destruction, not simply the technology.

4: Do they provide a chain of custody? When destroying paper documents and hard drives, it’s imperative to know who had access, and when. Your vendor should be able to provide a detailed chain of custody, which will protect your company if a breach occurs.

As more and more data becomes available, companies have a unique opportunity to improve operations, better serve customers and improve the bottom line. However, it’s crucial that businesses understand how to protect themselves from costly data breaches and information mismanagement. By creating data destruction policies and working with certified data destruction vendors, companies can remain compliant while reaping the benefits of the Information Age.

Brian Quinn is an expert on records and information management, scanning operations and systems, digital transformation, and secure destruction of information. Brian is Vice President of Strategic Business Development at Access and is a Certified Records Manager (CRM), Certified Information Professional (CIP) and has an MBA from Xavier University’s Williams College of Business.