Media Collection Containers, Key Control, & Custody
May 11, 2022
Secure data destruction service commonly provides clients with containers to accumulate paper or other media prior to destruction. And, while it is true that the containers are designed to protect the media from prying eyes and hands, they are not high security vaults, and clients or service providers losing sight of this put themselves at risk.
Conventional media collection containers are provided as a convenience, not a security measure. And while they do serve to prevent access by unauthorized individuals, they were never intended to secure information from a malicious individual who could simply wheel the bin away, bust it open with a hammer, or slice it open with a razor knife.
The actual “security” stems solely from the controlled confines of the client’s building; it has locks on the front door, the watching eyes of employees, and the security alarm and CCTV of the building…and not from the container itself.
Understanding this is important for a number of reasons.
Key Control
It sometimes strikes clients as inappropriate (or unsecure) that the keys to their containers open containers placed at other clients. Doesn’t that mean those other clients could open their bins too?
The misconception here is that the “key” is the source of the security. It is not. If an unauthorized person is walking around their office opening bins, the problem is with the security of the building, not the container. As already mentioned, that same malicious unauthorized individual walking around the office could have gotten into the containers without the key.
The idea that a key that is exclusive to one client is more secure is both misguided and dangerous. No client should believe – or be led to believe – that anything but the security of the overall environment in which the containers are deployed is the actual source of the security.
Furthermore, from the service provider’s perspective, suggesting the key and container are the source of the security suggests that they – the service provider – are responsible for that security of material in the client’s office. It is extremely reckless, both for the service provider, and the client, to foster that belief.
Care and Custody
Clients sometimes believe (or act as if they believe) that custody of the media transfers to the service provider once it goes into the collection container. That is not the case. Regardless of who provided the collection container, the service provider is not responsible for the care and custody of personal information until they take possession of it. Again, the security of the environment is the important thing, and, as a result, it is very important that service providers do nothing that suggests otherwise.