Ever wonder how Private Industry balances the need to make profit with the escalating costs of managing data risk and compliance with privacy laws? Who has the power……the CFO who watches profitability, CSO who controls security or the Risk Manager who looks at the potential liability?
It is a daunting task to try and measure the potential liability of a privacy breach. The CSO will tell you that it makes most sense to be proactive through the development of programs and processes that protects the data. While these upfront investments are significant, they pale in comparison to the potential liability costs resulting from a law suit. The CFO will argue that it’s just too costly to implement the comprehensive program that is requested by the CSO. So who’s right?
There doesn’t seem to be one answer to fit all. Most of what you read today is about cyber security programs and various tools to protect electronic data. But what happens when the “stored” data is no longer needed? A good physical destruction program can remedy this dilemma.
Shred Service vs. In-House Program; Many companies look to shred service companies to provide “on site” shredding services. While these services can be effective, they are typically designed for the destruction of paper. But as we all know, most of the data resides on “electronic media” such as back-up data tapes, hard disk drives and other similar media. As such, the on-site shred service must be able to provide an “effective” service that includes the ability to destroy this type of media. This can get very costly.
A more secure method of destroying electronic media is to simply do it yourself. It’s always more effective if you have control of the process. Suppliers such as SEM (www.semshred.com) offer a wide variety of destruction solutions for virtually every form of media. These systems are designed for low volume “office” or high volume “warehouse” environments.
So how does Corporate America determine what’s best? How do you measure the cost of a shred service against an in-house solution and factor in the overall potential risk?
To determine the best COST….the CFO can do a simple Return on Investment (ROI) calculation…..capital purchase vs. monthly shred service expense. The CSO should measure the most effective method of discarding the information…..In-house control against relying on a third party service and the Risk Assessment Manager should be answering the old Midas Muffler question of…..pay me now or pay me “big time” later.
No one answer is right or wrong. We have seen companies implement a complete control program by implementing a comprehensive In-house program. Others simply contract with third party on-site or
off-site shred services while others have executed a hybrid of both. It’s purely up to the corporate culture and in many cases the Manager who makes the strongest argument within the company which of course could be a daunting task. It almost sounds like the start of good story…..a CFO, CSO and Risk Manager walk into a Bar. One says to the other………. !