In today’s business climate, it’s more important than ever to protect sensitive data. If your company is required to meet the standards of the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act or the Fair and Accurate Credit Transactions Act (FACTA), you may already be aware of the importance of having solid records management and document destruction policies in place.
However, even beyond the scope of these regulations, your company is still responsible for the data it handles on a daily basis, such as payroll records, personnel files, client lists, financial records and proprietary information.
If you’re not managing your company’s records and their destruction carefully, you could be putting this data at risk—and exposing yourself to significant liability.
In this article, we’ll share five best practices to help you evaluate your company’s document destruction processes. We’ll also show you how some of these recommended practices can help your company contribute responsibly to Guam’s environmental future.
Best Practice #1: Talk with Your Legal Counsel
In this article, we’re going to offer you recommendations based on our 10+ years of experience in records management in Guam. However, at the end of the day, we aren’t lawyers, and we can’t offer you legal advice.
Any document destruction or records management policies need to be signed off on by your legal team and your financial team. They’re the ones who know your business best, including the regulations it’s subject to. As a result, they should be your first stop when creating any document destruction policies.
Best Practice #2: Think Bigger Than Just Document Destruction
Document destruction is just one element of a comprehensive records management policy that will help your company handle sensitive data properly.
If you haven’t already, your organization needs to define a records management procedure that includes both:
- Retention Policies – How long do you need to keep each type of record?
- Destruction Policies – How do we destroy these records to maintain the security of the information they include?
When it comes to records retention, every type of record has a shelf life. This shelf life is sometimes dictated by regulations, such as IRS requirements. In other cases, these retention policies are guided by industry best practices. Once that shelf life has expired, those records should be destroyed—properly.
To give you an idea of some of the timelines your business may encounter, below you’ll find some of the record retention guidelines we offer our customers. However, as we noted above, your lawyers are the ones who should make these final decisions.
Type of Record
Records related to tax returns, including income and deductions and other supporting documents
Until the period of limitations for that return expires, between 3-7 years. Read more on the IRS website.
Employment tax records
Four years after the date that the tax becomes due or is paid, whichever is later
Personnel action records
Seven years after termination
Two years after hiring decision
Not more than three years after termination
Employee benefits records
Medical and benefits records
Six years after plan year ends
Records related to employees exposed to toxins and other hazardous materials
Once your records have passed their shelf life, you’ll have to decide the best path to dispose of them. To start you off, we’ve seen two destruction methods on Guam that we definitely don’t recommend:
- Burning records – Besides the fact that this method is not 100% secure—and will not include a certificate of destruction that many regulatory agencies require—this option isn’t great for the environment. That’s especially true if you’re dealing with non-paper records, such as hard drives, floppy disks and X-rays. (More on certificates of destruction and non-paper records shortly!)
- Dumping records in dumpsters – Dumpster diving for sensitive data is a real problem. In 2017 in Orlando, Florida, a man looking for scrap metal happened upon thousands of financial documents with just about everything you’d need to steal someone’s identity—birthdates, banking information, financial data, etc. Although he reported his find, others might not be as honest.
To combat issues like this, many companies instead adopt a “shred-all” policy, in which they agree to shred all their documents, no exceptions. It often works like this:
- Your company contracts with an outside provider to place secure disposal bins in your office.
- On a day-to-day basis, any paper that’s no longer needed goes into these bins, with no exceptions. These bins are collected on a regular basis, taken to a central processing warehouse and shredded.
- When it’s time to destroy documents that have completed their shelf life, that same outside company will collect and shred those documents, providing a certificate of destruction when the work is complete.
As a blanket policy, shred-all provides the highest level of security and confidence that your company won’t accidentally leak sensitive data through routine office paperwork or records disposal.
However, it’s also important to realize that external data breaches are not the only possibility.
Best Practice #3: Understand That Security Starts Internally
As you evaluate your office for potential security breaches, don’t overlook the fact that many happen inside the workplace. In a recent study, 36% of workers admitted to leaving sensitive documents on their desks when they went home for the day. In that same study, 36% of executives reported that employees have had documents lost or stolen because they ignored physical security protocols.
When it comes to document destruction, even something as simple as an open and unsecured disposal bin can expose sensitive data to anyone in your office. As you create your document destruction policies, make sure that you offer your employees access to a secure bin where they can place documents that need to be shredded to provide an extra layer of security.
Pro Tip from Joyce Diamadi, Records Manager, DeWitt Records Management, Guam: Don’t overlook potential security breaches from guests and visitors. Although you may trust your employees implicitly, things like unsecured paper bins or open folders on unattended desks can offer visitors unauthorized access to sensitive data. Make sure your employees understand these risks and act according to your established records management policies.
Best Practice #4: Look for These “Musts” When Outsourcing
As you establish records management policies within your workplace, you may decide to contract out your document destruction services. Outsourcing can ultimately save your company both time and money over creating and administering a program internally. If you do decide to take this route, we recommend you look for a couple of features to ensure that your document destruction is handled with the highest level of professionalism and security:
- Certifications from the top two organizations – A professional document destruction company should carry certifications from the two main records management associations: the National Association for Information Destruction (NAID) and the Professional Records and Information Service Management Association (PRISM). Additionally, if your company deals with any kind of health information data, you should outsource with a provider that’s HIPAA certified to ensure compliance with regulations.
- Options for shredding at your place of business – If your company decides it needs the highest level of security, you may need a provider who can bring a shredder to your office so that documents don’t have to be transported before they’re destroyed.
- Arrangements for staff to witness shredding – If off-site destruction will work for your business, you may still need to send a compliance officer to witness shredding. Ask what options your provider offers.
- Provisions for “non-white-paper” records – Your business may store its records in all kinds of non-paper formats, like CDs, floppy disks, hard drives, data reels, and X-ray film. Breaking disks in half, hitting “delete” or running a magnet over these media can leave residual data that’s vulnerable to hacking. Look for a document destruction provider who can help you properly dispose of these non-white-paper records.
- Certificates of destruction as proof if you ever get audited – As we mentioned earlier, many regulatory agencies may require proof that you are correctly maintaining your records disposal schedule. A reputable document destruction company will provide you with a certificate of destruction for your records. That way, if you are audited, you have proof of compliance.
When it comes to outsourcing your document destruction needs, there’s just one more best practice to consider.
Best Practice #5: Don’t Assume It’s Too Expensive
Many small businesses on Guam don’t believe they can afford to outsource their document destruction. Others might mistakenly believe their data isn’t sensitive enough for these precautions and, as a result, may take risks with their document destruction practices.
If you find yourself in either of these two positions, know this:
#1: Proper document destruction is cheaper than a lawsuit.
A smart investment in professional document destruction now can save your company the cost of a legal battle down the line. If a data breach is traced back to your organization, you could end up with a mountain of legal fees, not to mention the judgment if you are found liable.
#2: There are document destruction options for companies of every size.
With most companies offering pickup schedules that range from weekly to monthly, you can tailor a plan to fit your budget.
Additionally, on Guam, outsourcing your document destruction offers you one of the only options for paper recycling on the island. So in addition to making a smart choice for your company, you’ll also be making a smart choice for Guam and all of its future inhabitants.
When implemented as part of an overall records management program, document destruction policies will help you secure the sensitive data that belongs to your customers, your business partners, and your employees. They will also allow you to do business with the confidence that you’re doing your part to protect your company and its future.
If you’d like to discuss establishing a document destruction program for your company, reach out to us. With over 10 years of experience managing records on Guam, we can help you come up with a comprehensive records management solution that fits your company’s needs and budget.