Does Your Information Destruction Policy Rely on Luck?

Is your company prepared for a potential data breach? Without a protocol and procedure in place, you’re leaving your company’s and your clients’ data, as well as your reputation, vulnerable to attack. Every high-profile data breach is a reminder of the importance of information protection. An organization’s information is one of its most valuable assets, and both paper and digital records must be protected from careless loss as well as internal and external theft. The best way to protect your sensitive data is to implement an information destruction policy and educate staff company-wide.

A Data Breach Can Affect Any Business Type

If you think your organization isn’t a target, think again. Since 2005, the Identity Theft Resource Center has been identifying breaches by industry sector. In 2016, the business sector again topped the list in number of incidents at 45%, followed by the health/medical sector at 35%. Though less publicized, small- and medium-size businesses are not safe from data breach threats either.

Whether it’s through neglect of physical documents or digital files, a data breach is a looming threat and policies should be enforced to prevent data theft. One way that some data thieves are attempting to gain sensitive data is through hacking, skimming, and phishing attacks. These types of attacks have grown to become the leading cause of data breach incidents, accounting for 55% of overall breaches. Of these, many were the result of “CEO spear phishing efforts,” also known as “business email compromise schemes.” This is where an unsuspecting employee receives an email appearing to be from the company CEO requesting confidential information, such as employee personnel records that include social security numbers. “For businesses of all sizes, data breaches hit close to home…with the click of a mouse by a naïve employee, companies lose control over their customer, employee and business data,” says Matt Cullina, CEO of CyberScout and Vice Chair of ITRC’s Board of Directors.

It’s unsurprising that skimming and phishing activities are so successful at gaining sensitive data. Studies show that the main source of internal data breaches is upper management and executives who aren’t educated on the subject of data security. This is why education and prevention policies are so essential to the wellbeing of your company’s sensitive information. When leadership and employees are educated about digital and physical document data security, your organization can better prevent a breach from occurring.

Is Your Organization Compliant?

While the number of breaches resulting from physical, low-tech access to personal records has steadily declined, from the leading cause of identity theft in 2007 to just 13% in 2016, numerous federal and state laws and regulations require virtually every organization to destroy all information prior to disposal. The penalties for violations can be severe, beginning at $1,000 per violation. Shredding all office documents, rather than leaving it up to the individual employee to decide, is increasingly being adopted as standard policy.

With your reputation at stake and large financial penalties being levied, you can’t leave your information destruction policy up to luck. It’s imperative to have a clear and concise policy that communicates the rules and expectations of every employee as well as a protocol should a breach occur.

Tips for Implementing an Information Security Policy

Put your policy in writing. Every data protection law on the books requires that information destruction policies and procedures be provided in writing. After putting a policy and protocol together, make the document available in writing to all employees, whether as a PDF, as a printed and distributed copy, or both.

Educate your employees on compliance. Some employees need to understand the “why” in order to stay in compliance with your policies. Hold a company-wide or team-wide session where data security best practices are outlined and explained. When employees understand that the policies are in place to protect your company’s reputation, and that not following protocol for sensitive documents risks penalties, they will be more likely to follow your guidelines.

Explain your policy to employees. Communicate your policy before employees are exposed to sensitive information. Review it during the on-boarding process and make it part of your new employee packet. Inform employees of your records retention policy so they know when it’s time to dispose of the various types of information. Learn more about records retention best practices on our blog.

Describe the appropriate method of disposition. Outlining your chosen method of disposal of each type of document and media is essential for the success of your information destruction policy. For paper, this may be shredding. For hard drives, it may be physical destruction, degaussing, or sanitization. For micro media, it may be incineration. No matter what methods you choose, let your staff know your policy and require that they uphold it.

Review policies and procedures periodically. By staying up-to-date with policies and procedures, you can best plan for new data security needs. For instance, as solid state devices become more prevalent, you may need to include them along with the proper method of destruction.

Hire a professional. There are many benefits to getting consultation for your data security needs as well as outsourcing your data destruction services. Not only does hiring a professional allow for the most efficient and secure policies and procedures, it also helps to support or remove employee responsibility for destruction of sensitive information. Freeing up employee time is beneficial to the organization’s bottom line and enhances the company culture: a win-win.

Start the conversation

Without a data security and destruction policy and procedure in place, you may be relying on the luck of the Irish to protect your business. Implementing company-wide policies and procedures for your organization doesn’t need to be a headache. Hiring a professional can help to guide you and take on your organization’s data destruction burden. Learn more about our services and contact us today!


These recommendations on data security and destruction are general guidelines only. They are not intended to represent legal advice. Contact your legal representative or federal, state or local government to ensure you are following current legal requirements in your area. Vangel is not liable for any omission, oversight or legal action resulting from the use of information contained herein.
