DO NOT, I repeat, DO NOT let this happen to you! Even though everyone says "oh, it won't happen to me", don't be that person. It can, and will, happen to you. What is 'it' though? 'It' is the heavy imposition of FINES on you for the improper disposal of sensitive information. These fines are imposed by both Massachusetts state laws (93H and 93I, which require the proper destruction of information containing social security numbers, driver's license numbers, financial account numbers, and credit or debit card numbers) and federal regulations like HIPAA, which requires the secure destruction of PHI (protected healthcare information), as well as FACTA. If anything is to be taken away from this blog, it should be that the DUMPSTER is NO PLACE for the disposal of any kind of sensitive record. If you even have to question whether or not the information is "sensitive", then it probably is. Too many times companies, large and small, are exposed, and fined heavily, for disposing of sensitive information belonging to their clients, patients, or customers simply into the trash.
Companies that don't heed the warning and do not take the proper steps to ensure the security and proper disposal of sensitive information are used as examples of what NOT to do. This is done by way of news reporters plastering the names of companies, and what they did, all over the headlines. For example, big corporations like RiteAid, Walgreens, and CVS were all EXPOSED for their improper disposal of private prescription information. Hitting closer to home, St. Elizabeth's Medical Center is investigating how patient financial information was found floating around on the streets outside of a building in Charlestown. Thankfully, the hospital is taking the correct measures to ensure that this does not happen again. Also, the hospital did what it is required to do by law when a data breach of this sort happens and notified the Massachusetts Attorney General's office.
Then, we come across a more interesting situation where SHREDDED PAPER was used as confetti in the Macy's Thanksgiving Day Parade. So what's the big deal? Well, the shreds were very thick and cut perfectly horizontally across the paper, so that perfectly clear lines of text could be read, including social security numbers and other sensitive information. It is clear that a typical office shredder was used to shred these documents, since that is the common level of "security" that an office shredder provides. The difference between an office shredder and a commercial shredder is the level of security in the 'cut' of the paper. Security levels 1-6 exist: the higher the level, the higher the security of the cut. Office shredders typically have level 1 or 2 security, where the shreds of paper are thick, easy to read and easy to reconstruct. Security levels 3 and 4 give consecutively smaller cuts of paper and allow for cross-cutting, inhibiting the readability of the shreds as well as the ability to reconstruct them. Security levels 5 and 6 are recommended for destroying top-secret government or research documents, because the shreds coming from such a shredder are like grated cheese. It is typical of a commercial shredding company to have a shredder with a security level from 3-6. Then, in some instances, a reputable shredding company will go one step further and have your shreds pulverized and recycled.
The one thing that could have made a huge difference in each of these three situations is if the drug stores, the hospitals, and the police stations had all used a document shredding and storage company for their storage and destruction needs. Although safe and secure document storage and destruction seem straightforward and simple, they are best left in the hands of those companies who make it their sole purpose to protect information (yes, even AFTER it is shredded!).
One of the biggest changes to the shredding industry over the years is the appearance of the "Mobile Shredding Truck". Usually coming fully equipped with a shredder, TV monitor, and a big bad name, shredding trucks have their good qualities, but poor ones too. A lot of companies seem to enjoy the ability to view in "real time" the shredding of their documents. Unfortunately, what a lot of companies don't know is that on-site shredding can be performed by less than qualified staff and a less than qualified company.
Yes, you heard it right. Anyone with a cell phone, a one page website, and a truck can pass themselves off as a mobile shredding company. Are their services actually helping you become compliant with the laws? Do they have strict information security policies in place? What happens if the truck breaks down (like in the picture below)? What is the level of security of the shredder that is being used in the truck? Some mobile shredding trucks have been shown to actually let WHOLE CHECKS pass through, unshredded (proof is in the pudding, I mean picture, below). These are some things you need to question before electing to use a mobile shredding company.
How comfortable would you feel if your documents were shredded in that mobile truck?
And then, ask yourself, how comfortable would you feel having a mobile shredding truck shred your documents when the shredder lets WHOLE CHECKS pass through?
Off-site shredding is done by a shredding company who has a warehouse (real estate), an industrial shredder, and a bonded and insured warehouse staff, at the very least. Usually, a company that performs off-site shredding also offers and performs other records management related services and they hold certifications and memberships in order to do so, adding to their legitimacy.
I like the analogy of likening an off-site shredding company to a bank. You give the bank your money but you don't see them put it in the vault, so how do you know it is safe and will be there when you need it? Because a bank is insured. With a bonded and insured shredding company, you have the same circumstances. You don't need to watch the shredding be performed to know that your document will be securely and properly disposed of due to associations like NAID, the National Association of Information Destruction. NAID is the association that verifies and puts their "stamp of approval" on those companies who follow the highest security measures in their shredding operations.
We aren't saying that you should not use a mobile shredding company (but you really shouldn't!) but what we are saying is, we don't think this mobile shredding trend is here to stay. What do you think? Feel free to leave your comments in the box below...
You read it right, we're asking: Do you know where your personal documents are? And no, we aren't talking about the documents you keep in a filing cabinet, in a kitchen drawer, or a home office. We're talking about the personal information you've left with anyone who you have ever given it to... your bank, your doctor, your lawyer, your accountant, etc. Do you know what is done with your documents? Well, in most cases, you should feel secure leaving your information with a reputable company who uses a professional document shredding service to securely destroy your information. Unfortunately, as detailed in this news video, sometimes your personal information can be just thrown in the trash by those who have no regard for the safety of their clients' or patients' information.
A trash collector found these documents containing sensitive personal information in a dumpster, and even found a copy of a social security card.
So now you ask, well how can I be sure that the people who deal with my sensitive information aren't just throwing it away? Of course you cannot police them, but what you can do is be an educated consumer of the services you are using, and when you know your sensitive information is going to be in the hands of a service provider, all you have to do is ASK! Don't be afraid, your identity and financial information may be at risk. All it takes is a simple question of "will all of my information be securely shredded when you're done with it?". The answer will either be "Why of course, we use company XYZ to shred all of your client/patient information" or it would be "No", or maybe "we plan on starting up services sometime in the near future", or any type of explanation to make it sound not-so-bad that they aren't using a shredding company. Either way, when you ask, you are only doing a service to yourself and the fellow consumer. Maybe your question will prompt that company to call their shredding service provider to have them remove sensitive documents (some of which may be yours!), or, maybe your question will prompt them to START using a document shredding company. The outcome will be positive, no matter what.
As a consumer, you have a right to DEMAND the safety of your information. Thankfully, Massachusetts and most states have laws that affect the types of businesses that handle sensitive information and so you can feel comfortable knowing that those businesses are required by law to keep your information safe. Regardless, it never hurts to ask. You never know whose sensitive information you could be keeping from going into the trash.
As a legal professional, you generate tons and tons of files and confidential client information. Your industry or professional associates counsel you on what you should be doing with this information, how long you should keep it for, and when it can be disposed of. Implementing the safe-keeping and safe destruction of your files, though, is what is not so straightforward. Your private information is sacred to you, and you are probably wary of letting it out of your sight and handing it off to some self-storage company or leaving it unsecured in the office basement, as you should be. Then when it comes time to destroy those files of yours whose retention time is up, do you have the office intern sit at a paper shredder and manually feed your papers into an office shredder? How are those "shreds" then disposed of? Hopefully not in the dumpster.
As you can see, there are a lot of questions that arise even with the counsel of your industry advising you on what files to keep and for how long. To get rid of your headache, that is where a records management company comes in. A reputable records management company can provide safe and secure storage in climate controlled conditions where your files can be kept for the remainder of their retention period. When that retention period ends, a reputable records management company will also be able to provide certified shredding, after which the shreds are recycled so that no traces of your information exist except for the white pulp that may then be used again to fulfill one's morning coffee desires.
Right about now there are two types of people in the U.S., those who have done their taxes, and those who haven't. The big deadline is April 17th... a mere weekend and day away. Luckily, for both types of people, there is no deadline for figuring out what in the world to do with all of your tax and related financial documents, past and present. And thus, the question begs to be asked; how long do I need to keep all of my important tax information? And what do I need to keep? We will start with this: three years is the golden standard for some tax documents, since that is the amount of time the IRS has to audit someone, but other documents should be kept forever, as they can come in handy in many future situations. We’ve put a table together below to help sort it all out for you…
| Document Type | How long to keep it? | What to do with it? |
| --- | --- | --- |
| Financial Records (W-2’s, cancelled checks, receipts, bills, etc.) | 3 years (minimum) | Securely shred after a minimum of 3 years |
| The tax return itself (1040/accompanying forms, etc.) | Indefinitely | Ideally, secure storage of the hard copy documents is preferred. If that’s not an option for you, another option is to digitize the documents with a scanner and securely shred the paper documents. |
| Stock Purchase Receipts (With the date and price paid for each) | Indefinitely | Secure storage or digitize and securely shred |
| Home Improvement Records (To help in offsetting taxes if you ever sell your home) | Indefinitely | Secure storage or digitize and securely shred |
We recommend keeping hard copy files of all of your documents until their retention time is up rather than digitizing them, due to the possibility of a data breach that could lead to your digital information being stolen. Identity and credit card theft is all too common these days, and any ways to reduce that possibility are always stressed. Thus, the secure shredding of all of your tax and financial records once their retention time is up is necessary to keep ensuring that your information has no way of getting into the hands of a thief. The best bet for shredding is always utilizing a shredding company, brownie points if they are NAID members, who use shredders that not only tear the papers into easy to put back together strips, but pulverize the paper, turn it into pulp, and then recycle it.
Tax season already has its drawbacks, so don't let information theft be one of them... request more information on keeping your information secure by clicking any of the buttons below!
(See this article for more specific information on what the above is a summary about: http://www.npr.org/blogs/alltechconsidered/2012/04/02/149714051/you-should-keep-tax-records-but-how-and-for-how-long)
Have you made sure your data is safe? If not, there is a chance it will cost you financially. It could ruin your reputation as well.
In a recent news story, MetLife, headquartered in New York City, whose revenues topped $50 million in 2008, felt the effect of laws involving data storage security. Because they failed to use records management as risk management, they were fined $70,000. Apparently, when they moved from one location to the next, they discarded a lot of trash in the dumpsters outside the office. In it were sensitive records containing social security numbers, addresses and financial account information of people who were current and former clients of MetLife. The hard copy files remained in dumpsters outside the building for well over three days. During this time, anyone could have acquired the information and used it for identity theft.
In North Carolina, a news article from 2010 about Prompt Med spoke of a $50,000 fine after the urgent care unit threw sensitive information, including financial accounts and identification numbers of over 700 patients, into a dumpster. Records management as risk management would have clearly helped here.
The Carolina Center for Development and Rehabilitation was highlighted in this article for having illegally disposed of the financial information of nearly two thousand patients in 2011. The fine for this was $40,000. The senior officers had plenty of warning about records management as risk management from the above previous incidents, but did not learn from them.
More and more information these days must be secured and companies are having to treat records management as risk management. With the advent of identity theft, any written, electronic, or printed records must be protected if they include personal information about a client. And if the records are to be discarded for any reason, they must be destroyed in a proper fashion, so that the information contained within is kept safe. From this was born the idea of records management as risk management.
Risk management procedures are extremely important to implement to prevent identity theft. Identity theft is any person's personal information being used by another to illegally remove money from bank accounts, acquire loans and passports and commit other crimes. Identity theft is now also known as identity fraud.
There are state and federal laws in place across the country to ensure that the destruction of certain files is done properly, in order to prevent identity theft. If proper measures are not taken, then the company responsible for not following the precautions can be given some fairly big fines.
In Massachusetts, the laws that aid in the prevention of identity theft are called General Law 93H and 93I. They are applicable to all companies in the state of Massachusetts and require them to secure all data that includes personal information, such as bank account numbers, credit and debit card numbers, and the like, that has the ability to create identity theft opportunities.
In addition, each company must have safeguards, by the employment of valid identification systems, in order to keep non-authorized personnel from gaining access through computers, or in hard copy files. The company must also keep all locations safe from outside the company. On a regular basis, companies shall be audited to ensure they are within compliance. According to 93I, a company must document the policy of their destruction procedures.
The fine for non-compliance with 93H requires the company to pay five thousand dollars for each record that was not kept safe. For 93I, the fine is one hundred dollars for each record, with a cap of fifty thousand dollars. These ordinances came into law in 2005.
In addition to state laws, the federal FACTA Disposal Rule maintains that any person or business using consumer reports must make sure all the information within those reports remains completely secure when discarded.
In summary, the risks that someone takes for improper document disposal are inexplicable. Primarily, risks cannot be taken anymore because it is the law to practice safe and secure document disposal, but secondly, when there are a multitude of risk management strategies available through document shredding and management companies, how can someone not take advantage of a simple way to reduce risk?
Need to start managing your risk? Or change your strategy? We can help... click on any of the buttons below to be on your way to a risk management solution!
So although shredding paper seems like the most dull, boring and annoying fact about working with paper in your office, at the end of the day, paper shredding is actually crucial to the safety and security of your business. Knowing what to shred, when to shred it, and how to get the best cost for your shredding needs will all be explained in detail below, so sit back, take a breather, and remember, you will never have to pull staples out of all those darn packets of papers again after you realize how cost and time effective using a shredding company really is!
First things first, what do you need to shred? Knowing what you need to shred is the first step to take towards keeping yourself and your company protected from the heavy fines associated with carelessly discarding unshredded sensitive information.
Personal information in need of shredding could contain any of the following (don't forget that junk mail!)-
passwords, bank account numbers, bank statements, documents with signatures, phone numbers, addresses, pre-approved credit offers, credit applications, insurance information, expired passports, expired travel information, cancelled checks, loan documents, and any form of identification (old school IDs, expired IDs, military ID)
Business information in need of shredding-
Documents with signatures, business policy/guidelines, passwords, account statements, bank statements, expense reports, customer lists, address lists, phone lists, account numbers, customer payment information, employee documents (health records, resumes, contracts, benefits information, discharge papers), and any and all legal documents.
Shredding the above listed documents will help to ensure that your information, and that of your business, your employees and your clients, won't fall into the hands of thieves and scammers, and that you will be staying compliant with data protection laws such as 93H, 93I, and the FACTA law. What are these laws, you ask? Well, they are pretty straightforward, but they carry hefty fines if they aren't followed.
93H and 93I are the two newest Massachusetts data protection laws out there and were put in place in March of 2010.
93H is a law requiring all businesses in Massachusetts to take serious measures to prevent identity theft. Any business holding the name of a Massachusetts resident and their social security number, Driver's License number, or financial account number (credit/debit cards) is subject to this new data protection law.
93I requires the shredding or destruction of any paper files or data storage devices containing personal information of employees or customers. In addition to the destruction of the information, businesses are required to have a written policy that details how they go about disposing of the sensitive information.
The fines that can arise from non-compliance with the 93H and 93I laws can be anywhere from $100-$5,000 per record compromised and can reach up to $50,000 per incident of improperly disposing of sensitive information.
The federal FACTA (Fair and Accurate Credit Transactions Act of 2003) Disposal Rule intends to prevent identity theft. It calls for the proper disposal of information in consumer reports.
If the above laws aren't reason enough to use a service for secure data shredding, maybe the ability to save time and money by using a service might convince you?
Many studies have been done to show that not only does using a service save the time that employees need to put aside to take the staples or binder clips off of documents and to feed the slow drone, but it also SAVES $$$! The cost of having a company pick up boxes or bins of papers is usually less than half of what it would cost to have your employees use their valuable time for shredding.
For example, office shredders cost anywhere from, at the very minimum, $450.00, which doesn't get you much, to thousands of dollars for decent shredders! Then you must add on any fixes that might need to happen in the event that someone puts an unforeseen paper clip through or it gets jammed. Next, the length of time it takes for an employee to shred all the necessary documents could add up to hours a month per employee. This time consuming act may lead to cutting corners and just tossing sensitive documents into the trash, which would then leave your business or company liable for any damages that may occur because of the data that you have made available for thieves.
Just take a minute to let all of that sink in and realize how actually inconvenient and costly shredding in-house can be. Why not let someone else deal with the paper clips and binder clips while saving money?
For more information on the above laws, please visit:
http://ftc.gov/opa/2005/06/disposal.shtm
and visit:
http://www.safeguardrecords.com/
for more information on how a shredding service can help you.
March 1st, 2010 - New laws require all businesses in Massachusetts to take serious measures to prevent identity theft. Any business holding the name of a Massachusetts resident and their Social Security Number, Driver’s License Number, or financial account number (including credit or debit card numbers) is subject to this new Massachusetts data protection law.
We can do either:
- One time box pick-ups
- Bin rotations...
Convenient Bin Rotations
1. We place a 65 gallon bin in your office
2. You call us when it is full
3. We pick up the full bin, securely destroy the contents and replace it with an empty one.
Contact Sean Kelly at 1.888.795.7233 or operations@safeguardrecords.com
What are 93H & 93I?

Massachusetts General Law 93H
93H requires all businesses in Massachusetts to take serious measures to prevent identity theft. Any business holding the name of a Massachusetts resident and their Social Security Number, Driver’s License Number, or financial account number (including credit or debit card numbers) is subject to this new Massachusetts data protection law.
What are you required to do?
The compliance standards for this new data protection law include the following:
- A written comprehensive information security program (CISP).
- Controls on employees’ access of sensitive information, including physical security safeguards, computer user access levels and user authentication protocols.
- Security measures on computer information systems, including data encryption, anti-virus and anti-spyware software, and firewalls.
- Periodic review of audit trails and monitoring of systems for unauthorized access.
- Proper disposal of sensitive information, as outlined in new Massachusetts data protection laws.
Massachusetts General Law 93I
93I requires the shredding or destruction of any paper files containing sensitive information and the erasure or destruction of any electronic files or data storage devices containing personal information of employees or customers.
93I also requires a written policy regarding the disposal of sensitive information.
What are the penalties?
A violation of 93H levies fines of up to $5000 per record compromised.
A violation of 93I levies fines of up to $100 per record compromised with a maximum of $50,000.
This does not take into consideration the loss of your company’s hard-earned reputation and the potential loss of credit.
Safeguard can help guide you through compliance. Call Sean at 508.795.1015 for a Free Assessment, email Sean at operations@safeguardrecords.com or log onto www.safeguardrecords.com for industry specific information.