We all assume that businesses holding our information will protect it; that is the law, after all. The Federal Trade Commission requires ‘reasonable measures’ in the disposal of sensitive and personally identifying information. However, data losses and security breaches still occur on an (almost) daily basis.
Many business entities have implemented measures to protect this information. They have established policies outlining how information should be disposed of, yet losses still happen. Unfortunately for a Georgia attorney, recent events show that a system of policies and procedures can break down.
According to the news report, Ashley Bell was surprised to discover that his firm was the source of one of the most easily avoided types of data loss: confidential documents tossed in a dumpster. After all, there is an established procedure in place: confidential documents are to be shredded and recycled. An internal investigation led to a college intern, who was perhaps a bit too eager to get the task done and dumped the files in an unsecured dumpster. The procedure was there, but it was not followed.
Shredding can be a tedious task; I know from experience. I also know that the information you are shredding can be dangerous in the wrong hands, so it is a vital step in any disposal procedure. The key is that I know and understand this. Employers need to make sure that employees are trained to understand that danger and the consequences if the information is exposed. Was this intern trained? The report does not tell us that, and even training an employee does not guarantee that they will follow procedures. It can, however, greatly improve the chance that they will when they understand the consequences, and the employer can show that they have taken steps to prevent a breach.
Many businesses are taking steps to implement these reasonable measures. They are acting in good faith to protect information, as in the case of Mr. Bell’s law office. Unfortunately, for every Ashley Bell there are business owners who will not take steps to protect information until after they have experienced a data loss themselves.