Why secure data disposal isn't always secure - and what you can do about it

Most organisations with more staff than this monkey has fingers will have made provision for secure disposal of confidential paper documents and - hopefully - data storage media as well. Usually, this involves passing the documents and disks to a trusted third party contractor for shredding, incineration, or whatever means of secure destruction takes your fancy.

Here we highlight why this may leave gaping holes in your information security provisions and leave hard copy data in dangerous hands.

XYZ Plc had built their reputation on the excellent service they provide to their customers. They know trust is the key to maintaining this relationship and thereby their competitive advantage. Understandably, Managing Director John Smith Jr. was concerned about the security of the business documents they get rid of every day. He installed confidential waste bins in every department and instructed staff to use them. Each day, the waste was collected in special sacks and taken to the basement for collection. At the end of the week the sacks were collected by a contracted firm who provided a certificate of secure disposal.

One day, a list of direct debits containing the names and bank details of all their customers is found for sale on the internet and is picked up by a national newspaper. Their reputation is in tatters and they are facing a potential £500,000 fine from the Information Commissioner as well as costs of around £60 per record in damage limitation and rectification. The Managing Director finds his job on the line. To keep it, he needs to establish what went wrong.

Unfortunately, even after a thorough investigation it's unlikely he will ever find out - there are just too many weaknesses in this system of control. Some of the failings that might accompany the investigators' report and Mr Smith Jr's dismissal could well include:

  • Not enough bins were installed, resulting in staff putting documents in the general waste on a regular basis. Why weren't the bins emptied more often, or more bins installed?
  • The bins were not in the right locations; many were further away from printers and desks than general waste bins. Why wasn't there a confidential waste bin for every general waste bin?
  • Staff had been told to use the new bins when they were brought in, but there were no reminders. Why were new staff not advised of procedures? Why did it not feature in the annual CBT test given to staff?
  • The company had conducted a risk assessment which covered data disposal, but not all departments had been involved. Members of the finance team did not think that finance reports counted as customer data - it had just never occurred to them to consider it. Why hadn't all departments been asked to identify data security risks in their business processes?
  • Staff did not understand the reason why secure disposal was important. As a result, they didn't pay too much attention. Why weren't staff informed that leaking confidential information would result in disciplinary proceedings, or told about the problems it could cause for customer relationships, sales, and therefore salaries?
  • The bins were collected daily, and left in the basement next to an unlocked and unmonitored door often used for deliveries. Why were confidential documents not stored securely pending disposal? Why weren't they in a locked room or cage with limited access? And why was the entrance not locked with a keypad or similar device?
  • There was no contract with the disposal company, so even if the loss had been proven to be their responsibility it would have been very hard to seek damages. Surely a contract should have been agreed - with a suitable confidentiality/non-disclosure agreement?
  • The company operated a clear desk policy, but there were no records as to when this was last checked. Investigators found that, whilst customer service departments were clean, large amounts of paperwork were left on desks in support departments. Why was the policy not better communicated, enforced, and compliance checked regularly and across all departments dealing with customer data?
  • The contractors often arrived late, in which case the caretaker would leave the sacks outside for collection. Why were they allowed to come outside scheduled hours, and why did the caretaker not know better than to leave the sacks outside for anyone to collect? Why did line management not know to intervene? Why did no-one check procedures were being followed or check the collection records?
  • The contracted company had lax procedures as a result of under-staffing. This was caused by financial problems. Why had no risk assessment or due diligence exercise been carried out?
  • XYZ Plc was unable to prove that documents had been disposed of securely at that time, as disposal certificates were not retained, no records were kept of bin emptying, and procedures had not been documented for the caretakers who emptied them. Why not?
  • The company had conducted background checks on high-risk staff but this had not included caretakers and cleaners, as they were considered to be low risk. Subsequent checks found one of the cleaners who worked out of hours was an undischarged bankrupt, and one of the caretakers had a prior conviction for theft. Employer references could not be traced for two further staff. Why had they not checked references, credit histories and criminal records? Why had these risks not been recognised?
  • A visit to the contractor noted a number of significant weaknesses in their procedures which meant they could not be sure that all documents had been properly shredded. Why was no site visit undertaken to confirm the contractor was doing everything expected of them?

Could any of this happen to you? Only one of these weaknesses would be enough to compromise your security. Why not compare this list to your company's document disposal process or your audit programme?