Why a ‘destroy all’ data disposal strategy is the only reasonable option
January 8, 2015
A “destroy all” data disposal strategy is the only safe and reasonable option. For instance, at our organization, I have no control over our firewall. Emails are scanned to remove harmful links. It would be very difficult for any employee to circumvent these data protection measures. I think most people would agree that the more automatic or foolproof we can make data protection, and the more we take out the human element, the better.
I am always surprised by the number of organizations that leave it up to frontline employees to decide which discarded media should or should not be destroyed securely. Information disposal is an area of data protection where every employee has the capability of inadvertently putting an organization at tremendous risk. It’s borderline negligence to have a policy that allows every employee to determine what needs to get shredded or what computers need to be destroyed. And yet, as secure destruction professionals, we see this all the time. Employees are told where the shredder is located and advised to use it when necessary. Or employees are given a waste basket, a recycle bin, or a confidential shredding console and instructed to make sure the right stuff goes in the appropriate bin.
Under this scenario, the organization is literally putting its regulatory compliance, client privacy, and intellectual property rights in the hands of employees, who are usually not held accountable for their decisions, who have no stake in their choices, who have little understanding of the risks, and who are pressured to be as productive as possible.
In this day and age, that is not even borderline negligence; it is pure negligence. Imagine being audited or deposed after an incident and having to admit that every employee has the discretion to make such an important decision with no way to hold them accountable. This response would be devastating to the organization.
Given the risks, given the regulatory consequences, given the loss of reputation and intellectual property rights, the only reasonable course of action is to destroy all discarded media. The cost is so low, especially when compared to the consequences, that any other choice would be deemed reckless at minimum and almost certainly legally negligent.