The Need For Service

The Need For Service - Continued

5.) A Certificate of Destruction Does Not Relieve A Company From Its Obligation To Keep Information Confidential
	Any company contracting an information destruction service should require that it provide them with a signed testimonial, documenting the date that the materials were destroyed, not just picked up. The certificate of destruction, as it is commonly referred, is an important legal record of compliance with a retention schedule. It does not, however, effectively transfer the responsibility to maintain the confidentiality of the materials to the contractor. It is not something that you "just buy." Know the company that you are trusting your records to. Be totally satisfied that they are reputable and will safeguard the documents and records during the destruction process. One Texas bank was getting a Certificate of Destruction and was happy, that is until over 200 customers of the bank fell victim to identity theft. The recycling firm doing the destruction was shipping the paper to a pulping facility without shredding it first. The identity theft ring operated out of the paper mill. If private information surfaces after the vendor accepts it, the court is bound to question the process by which the particular contractor was selected. Any company not showing due diligence in their selection of a contractor that is capable of providing the necessary security could be found negligent. Unfortunately, there are those information destruction services that provide certificates of destruction while having no semblance of security, inadequate or no liability insurance, and in some cases no destruction process available to them to perform the work.
6.) Most Records Storage Companies DO NOT Have The Equipment To Provide Shredding Services.
	Many commercial records storage facilities offer records destruction as a service to their customers. However, in a survey conducted by the National Association for Information Destruction, a majority of the commercial storage firms were found lacking the equipment necessary to provide the service themselves. One local west Texas company was taking them out on a private ranch and burning (?) them. Another simply out-sources the destruction to recycling firms that may or may not shred the records. Any business using a commercial records storage firm should inquire as to the nature of the destruction services that are available and forbid outsourcing the destruction. It is an unacceptable risk to permit a storage firm to select a subcontractor to provide the records destruction service. The owner of the records is ultimately responsible for their security and, therefore, should be selecting the vendor directly.
7.) Internal Personnel SHOULD NOT Be Responsible To Destroy Certain Information.
	Common sense dictates that payroll information and materials that involve labor relations or legal affairs, should not be entrusted to lower level employees for destruction or imaging. It has been well established, time and again, that employees are the most likely to realize the value of certain information to competitors. And, lower wage employees often have the economic incentive to capitalize on their access to it. It was recently learned that a janitor was offered $500 cash for one trash can from a Microsoft office by a competitor in the same office building.
8.) Information Protection Is A Vital Issue To Senior Management
	In a survey conducted by the Conference Board, top executives 997 from 300 companies ranked the security of company records as one of the top five critical issues facing business. In the May issue of the "ABA Risk Manager," the American Bankers Association recommended banks adopt a records-disposal policy and to shred all customer records, while making the policy available to their customers. Records stored off-site should be stored in a professionally managed facility that reduces your risks. For medical records, a Business Associate Agreement is required by Federal Law. Under Texas law the storage facility that stores protected health information becomes a Covered Entity as defined by the HIPAA laws.