Business documents can be a treasure trove of information. In fact, over 24% of consumers accidentally discovered their identity had been stolen. These consumers had personal information stolen either through their own shortcomings or through a business that stored their personal information. Without any hint that the theft had taken place, these individuals suddenly faced credit issues, legal ramifications, and other headaches.
For businesses, the risks are especially high. Businesses must not only protect their own confidential information, such as plans for developing and marketing their products, but must also protect the confidential information of their partners, employees, and customers. For example, businesses that fail to protect their employees' social security numbers or customers' credit card information could face severe legal and regulatory consequences. Here are five suggestions for approaching business document security:
Create a Document Access Policy
A document access policy defines who is allowed to access which documents. For example, it may be appropriate for an accountant to have access to employee social security numbers and birth dates, while it may be inappropriate for a marketing director to have access to that same information.
A document access policy sets out the rules and procedures for accessing documents, as well as how those rules and procedures are carried out.
While there is no hard rule about how a business should craft a document access policy, a business may want to consider the business consequences associated with allowing and restricting access to information. For example, a policy that is too restrictive may create inefficient layers of bureaucracy that impede employees from carrying out their assigned duties. Conversely, a policy that is too permissive may create security risks from either intentional or accidental disclosure. Similarly, certain laws or regulations (such as the Health Insurance Portability and Accountability Act or HIPAA) may set out at least some of the requirements for a document access policy.
Of course, no document access policy works without a mechanism in place to allow and restrict access to the documents. Keeping documents under lock and key, and using watermarks to inhibit copying or scanning of documents, can provide the basis of a security system.
From a legal and regulatory standpoint, a business may also want to look to how others within the same industry approach document security. Often a business is not required to implement the most restrictive security procedures. Rather, businesses are typically only required to take measures that are reasonable under the circumstances.
Maintain an Audit Trail
An audit trail may be established through something as simple as a logbook that employees must sign whenever accessing restricted documents. More elaborate systems may use biometric data, employee ID cards, or another electronic logging system to track who accessed restricted documents. These logs can also show which documents were accessed and when sensitive information was put at risk. This enables a re-creation of events if a security breach occurs and also allows periodic reviews to ensure that the document access policy is being followed.
Create a Document Retention Policy
It is important not only to set forth a policy for accessing documents, but also to create a policy for destroying documents. Again, laws or regulations, such as HIPAA, may set out the broad strokes of a document retention policy. In addition to describing the duration of retention, a document retention policy also sets forth how documents are disposed of at the end of the retention period. For example, for certain documents, such as marketing plans that have already been carried out, standard commercial paper shredders may be adequate for destruction. Conversely, personally identifying information, such as social security numbers and financial information, may require secure paper shredders for destruction.
Destroy the Documents
Again, having the policy in place is important, but the policy must be carried out to be effective. Where a business has determined that documents must be shredded at the end of the retention period, the business must select the shredder that will carry out the policy.
A business that creates a large volume of documents that must be destroyed may need an industrial shredder machine. Industrial shredder machines usually have a high shredding capacity. Industrial shredder machines may also be designed to handle documents with staples and paperclips. In addition to capacity and speed, a business may also consider the security level of the shredder and the size of the shreds produced by an industrial shredder machine.
When you want to better protect your customers and employees, rely on Capital Shredder Corp. for more information.