BreachExchange mailing list archives

In era of data breaches, businesses need strong document policies


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 29 Jan 2016 14:54:05 -0700

http://www.azcentral.com/story/money/business/tech/2016/01/28/era-data-breaches-businesses-need-strong-document-policies/79478834/

As a consumer, I think about how my information may still reside with a tax
preparer or doctor that I have not done business with in 10 years,
especially when I read stories of a data breach because of inactive
customer information being stolen from an unsecure environment.

Businesses, especially small to medium-sized businesses, need to
incorporate a formal document retention and destruction policy. Next,
communicate your policy to employees so they understand their
responsibility in safeguarding customer information, and to customers so
that they have confidence in conducting business with you.

High-profile data breach events are just one part of the identity-theft
epidemic in the United States. Your past business relationships, where your
personal information still resides, are another high-risk factor.

For example, how many of you have worked for the same company your entire
life? I suspect very few of you have had only one job. Think about all of
the personal information we have left with our past employers including
name, address, Social Security number, driver’s license and even bank
account information (for direct deposit).

And it’s not only past employers, but also their vendors, such as health
insurance, dental insurance and supplemental insurance companies, along
with payroll service and others where your personal information and even
the personal information of your family have been used.

But there is more. Think of any past relationship, including every doctor,
dentist, tax-preparation service, auto dealer, bank, school, mortgage
broker, student loan servicer and any organization to which we have
submitted personal information. Ask yourself, where is your sensitive
information being stored today, how is it being secured, and what are the
document retention and destruction policies of these organizations?

A great resource for business owners is ARMA International, a non-profit
professional association and authority on managing records and information.
ARMA developed and published principles to foster general awareness of
information governance standards.

You can learn more about ARMA’s “Generally Accepted Recordkeeping
Principles,” which detail how to properly retain information as
organizations are creating and storing more information than ever before,
mostly in electronic form.

In addition to document retention, the shredding of documents containing
sensitive employee and customer information has become a high priority
because of identity theft, data breaches and stolen trade secrets and
client information.

Here are some basic shredding tips that your business should include in its
information security and governance best practices:

- Document destruction services: Choose a company that knows the state and
federal laws governing storage and destruction of documents. Important
things to know include understanding the difference between hard-copy
document and electronic document requirements.
- Choose the right shredder: A cross-cut shredder (versus a standard
shredder that simply shreds documents into long horizontal strips, some so
wide that you can still make out individual words) cuts the paper from two
directions and makes it much harder for someone to reconstruct the document.
- Document destruction compliance is the law: The state and federal
regulatory environment regarding information security and governance,
including document destruction, will be enforced with fines and penalties
that could negatively impact your business.

Mark’s most important: Identity theft and data breach can bring a business
down. Review and update your document retention and destruction policy each
year and communicate your policy to employees and customers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com