1. It is a mistake to assume a service provider is following security protocol every time, without investigating further.
Time and time again, we have seen errors made by service providers who do not properly train their staff and audit their performance. The most common mistake is that their employees cut corners during service and do not follow protocol. It’s critical to follow the protocol that keeps confidential material confidential. For example, boxes of records from a healthcare provider in New York were stolen out of the back of a third-party record storage provider’s truck because the truck was not locked. It cost the hospital millions in HIPAA violations, notification to patients, and identity protection services for the next two years. Additionally, any breach involving more than 500 patients mandates posting of the breach on the HIPAA data breach website.
2. It is a mistake to assume that when documents are picked up by a service provider, the provider is taking full responsibility for them.
Whether your service provider is destroying your documents or picking them up to be stored, they are an extension of your company’s responsibilities. If they make a mistake while handling your documents, the government will come after the company where the records originated. It is the company’s responsibility to go after the service provider for damages. What is the cost of damaging your brand in the media?
3. It is a mistake to assume that your staff knows the difference between confidential and non-confidential information.
Some companies will set up recycling programs for office paper, which are separate from their document destruction program. Employees generally do not fully understand what is confidential and what is not. If a piece of personal information is found in an unlocked recycling bin, the regulators will exact a penalty that will be in the thousands of dollars.
4. It is a mistake to assume that a service provider is fully secure because they are a publicly traded, high-profile company.
It is easy to think that, based on the size of a provider, they must be handling everything properly.
A few years ago, a large national provider forgot to lock the back of their truck. This resulted in the service provider’s truck opening up and spraying the documents all over a well-traveled road. Everyone in town was able to see the mess televised by the local news that night and rebroadcast the following week. It was very costly to the bank and damaged their reputation.
5. Employees are the biggest security breach threat.
Employees are the biggest culprits in causing a breach. Senior management must provide proper training and awareness on an annual basis to keep employees informed and vigilant about protecting corporate information. If documents are not locked up, physically and electronically, at all times, the information becomes accessible to those who are willing to cause damage to the company for their own personal gain.
Don’t be an Assumer!
Do due diligence on service providers and how your information is being handled!
Erik Brown has been a security consultant at American Shredding in Salt Lake City, Utah, for the past seven years. Erik can be reached at 801-330-6481 for further discussions.