How NOT to Destroy Employee Personally Identifiable Information

April 25, 2023 at 8:00 am by Amanda Canale

Employee personally identifiable information (PII) is filled with critically private and personal information, such as financial information, healthcare information if provided by the employer, pay stubs, addresses and phone numbers, and more, so it should always be destroyed with the utmost care. 

Before we get to how not to destroy these types of files, it’s important we discuss how long you should keep them for. When it comes to personnel records, retention periods can vary. For instance, the Department of Labor Correspondence and the Internal Revenue Service (IRS) require any financial statements, documents from the IRS and Department of Labor Correspondence themselves, and plan and trust agreements to be kept three to four years, or even longer depending on the case.

However, when it comes to normal employee files, applications, contracts, and other employee personal information, they should be kept for two to three years from the date of termination. What about their compensation documentation? Keep these on file for three to five years from the termination. (This is important to remember!)

Now, let’s get to the fun part – the destruction!

Ripping Up

While ripping paper into confetti-sized pieces can be a great way to relieve some stress, we don’t necessarily recommend this tactic when getting rid of your most recently fired employee’s file. Even if you weren’t too crazy about your coworker, if their file is not destroyed with high security end-of-life destruction equipment, their information could easily fall into the wrong hands, and your coworker could be the next to fall victim to identity theft – which nobody deserves. Don’t believe us? Take for instance the DARPA Shredder Challenge, where people quite literally competed to reassemble 10,000 shred particles for a large monetary prize. While the average person would much rather do anything else than spend 600 hours putting shred pieces back together, the same cannot be said for hackers and thieves; if it’s going to grant them access to your most sensitive information, then chances are they will rise to the occasion!

Recycling and/or Throwing Away

While we support the green initiative in wanting to recycle end-of-life PII documents, unfortunately this isn’t possible. Again, if it’s not a good idea to rip up your employee’s files, it’s not safe to simply throw them out or recycle them. Sadly, the majority of our waste and recycling ends up in landfills and dumpsters, which are typically gold mines for hackers and thieves. In addition, recycling and waste are not always transported securely, which makes it easy for people to intercept and have access to your most private and identifiable information.

It is always best to err on the side of caution when it comes to end-of-life data destruction. When it comes to specifically destroying employee files, it is best practice to use a secure, in-house method, like our Model 244/4 high security paper shredder. 

The Model 244/4 is our most popular high security paper shredder. Why? This solution is NSA evaluated and listed by the NSA/CSS EPL and meets DIN 66399 Level P-7 standards. Our 244/4 provides a rugged performance with an NSA one hour durability of 17 reams per hour while encased in a quiet system, making it the perfect choice for small or mid-size department use. 

Want even more security? Our Model 344 offers an even more secure shred size than the current National Security Agency (NSA) mandate requires. We like to call the 344’s final particle size P-7+. This device is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm (that is 50% smaller than the current National Security Agency requirement!).

By adopting a shredding policy, you are making the most cost-effective, safe, and secure decision to take preventative measures to ensure that your past and current end-of-life employee information does not fall into the wrong hands.

How NOT to Destroy Paper Documents

April 5, 2021 at 1:13 pm by Amanda Canale

In the age of Big Media, it’s easy for some to say, “Paper is dead! Everything is digital now!” Well, not quite. Even as we get further and further into the digital age, not everyone (or everything) has gone paperless. While the majority of our information and data has gone digital, there are very literal paper trails linking our identities to our private information. From medical records and birth certificates to mailed credit card offers and business contracts, there is a plethora of paper documents out in the world that hold some of our most private and confidential information. It is this reason in particular why we at SEM stress that any end-of-life paper documents containing sensitive or confidential information should be destroyed securely. Join us as we break down some of the methods that should be avoided.

Cutting and/or Shredding by Hand

As satisfying as ripping up physical spam mail can be, making it your primary shredding method is not recommended. While this method may be enough for mail or documents not containing private, confidential, or personally identifying information (PII), it will not ensure that the information cannot be pieced back together. Unfortunately, when media or data of any nature is not destroyed with high security end-of-life destruction equipment, there is always a risk that some of the data may be recovered. Take for instance the DARPA Shredder Challenge where people competed to reassemble shred particles, or our previous blog, A History of Data Destruction.

Recycling and/or Throwing Away

While we support the green initiative in wanting to recycle your end-of-life confidential paper documents, unfortunately this cannot always be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are typically gold mines for hackers and thieves. In addition, recycling and waste are not transported securely, making it easy for people to intercept and have access to your most sensitive and confidential information.

It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Given that length of time, anything can happen! It is important to note that after this period, remnants of your information are not magically sorted; dozens of employees sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will unfortunately only put your data at more risk.

It is always best to err on the side of caution when it comes to end-of-life data destruction. When it comes to specifically destroying paper documents, it is best practice to use a paper shredder. By adopting a shredding policy, companies and organizations can take preventative measures to ensure that end-of-life confidential information does not fall into the wrong hands.

That’s why at SEM, we want you to future proof the destruction of your most sensitive and confidential data with one of our high security paper shredders, the SEM Model 344. The Model 344 offers an even more secure shred size that we like to call P-7+. This device is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm (that is 50% smaller than the current National Security Agency requirement!) This compact, portable, energy saving option is listed on the NSA/CSS Evaluated Products List and has a throughput of 12 reams of paper per hour when feeding five sheets at a time.

By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Complying with the New CUI Paper Destruction Mandate While Meeting Federal Sustainability Goals

January 28, 2021 at 8:44 pm by Amanda Canale

This new ISOO directive will redefine what it means to keep CUI data, and ultimately the American people, safe. While executive branches and agencies continue to move towards federally mandated and private sustainability goals, as well as update existing equipment to meet the new CUI standards, it is important to know that systems exist that can assist in meeting both targets in a cost-effective manner with the same end-of-life system. 

Paper and CDs and Drives, Oh My!

May 19, 2020 at 10:00 am by Flora Knolton

When destroying data or media, the goal is to have it rendered useless and left unrecoverable. Destroying data means it’s no longer possible for the files to be read by an application or system. In reality, information can stay on hard drives long after a file has been deleted, so physical destruction should always be a part of the decommissioning process. Consider an investigation by the UK’s Information Commissioner’s Office. This study found that one-in-ten second-hand hard drives still contain the original user’s personal information. Of the 200 hard disks they purchased on eBay, 11% contained Personally Identifiable Information (PII), and two of the drives contained enough information to steal the former owners’ identities. More and more companies are being run digitally each year and are depending on electronic media to secure their data, and at the end of their lifecycle, these storage media must be securely destroyed to maintain data security. When destroying data, it’s important for organizations to consider the cost and time while making sure their methods are up to par with industry-specific regulations such as the General Data Protection Regulation (GDPR), NSA Guidelines for Media Sanitization, and the National Institute of Standards and Technology (NIST) 800-88, to name a few. While cost is a factor, without an investment in such destruction devices, a breach may cost the company exponentially in the long run.

For paper, SEM has many NSA evaluated shredders on the Evaluated Products List (EPL) prepared by the NSA, along with Unclassified Paper Shredders. Optical/Mixed Media Destroyers are designed specifically to destroy different types of e-media like CDs, DVDs, key tape, Blu-ray Discs (BDs), credit cards, ID badges, and key access cards. The Model 0201 optical media shredder is a high capacity optical media shredder listed on the NSA EPL for CD destruction. It accepts classified CDs as well as unclassified DVDs and BDs, is TAA compliant, and includes a basic start-up kit with lubricating sheets and anti-static waste collection bags. The Model 0200 OMD/SSD is similar to the Model 0201; however, it is a slower machine that can also destroy classified DVDs, BDs, credit cards, magnetic stripe cards, CAC IDs, and SIM cards. Compact and easy to use, these two devices are perfect for meeting NSA requirements for various forms of media.

For most magnetic media, a crusher or shredder used on its own can be acceptable, but classified hard drives must be degaussed prior to crushing or shredding. Degaussing renders the magnetic media scrambled, unreadable, and unusable. This two-step data sanitization is mandated by the Department of Defense for classified data, and data centers implement this best practice for end-of-life data destruction. Normally, physical destruction alone (either crushing or shredding) is the most common method of disposal for unclassified Hard Disk Drives (HDDs); however, security-focused organizations utilize the DoD’s degauss and destroy recommendation. The Model EMP1000-HS has been evaluated by the NSA and is listed on the NSA EPL for high security degaussers and can be easily transported to the location of media for onsite erasure and declassification. This degausser is also perfect for commercial users as well as those who prefer to have a built-in verification system ensuring each cycle is degaussed successfully with no error. After degaussing, we’d recommend our Model 0101 hard drive crusher for most lower volume applications. At the touch of a button, the 0101 will deliver 12,000 pounds of force to destroy the internal platter of an HDD. The SEM Model 0101 hard drive crusher is the only unit with a chamber large enough to fit hard drives with mounted rails or handles left on. As an alternative to crushing, depending on your destruction needs, hard drive shredders like the Model 0300 are ideal for small to medium volumes, while larger devices like our Model 0305 are perfect for enterprise drives and higher volumes. No one offers as many HDD shredders as SEM that are noted on the NSA/CSS EPL as meeting step two of the degauss and destroy mandate.

When destroying enterprise drives in higher volumes, we recommend our enterprise solutions, such as the Model 2SSD solid state drive disintegrator. The 2SSD is composed of a two-stage cutting system to destroy enterprise drives that are larger, heavier, and denser than standard solid state drives. This rugged device can take up to 180 enterprise SSDs per hour at 2mm squared particles. For applications with both HDDs and SSDs, SEM’s HDD/SSD combo shredders are the ideal solution. The Model 0315 HDD/SSD combo system uses specially designed saw tooth hook cutters to chew up rotational hard drives at 1.50” particle size and solid state drives with a particle size of 0.375”. In addition to hard drives, this device will also accept cell phones, optical media, memory sticks, thumb drives, PCBs, and other electronic storage media!

SEM also offers a complete line of all-in-one office solutions that are ideal for the destruction of classified, Unclassified, CUI, and PII in office environments. A perfect all-around media destroyer that is user-friendly for office environments would be our OfficeShredHS for an all-in-one NSA listed paper and optical media shredder that meets the NSA’s 2mm DVD and BD destruction requirement. In addition, we are pleased to offer Comprehensive Office All-In-One Solutions for our SEM direct customers. These solutions are pre-made to fit your specific destruction requirements. Not finding exactly what you need? Do not hesitate to call, email, or chat with us to customize a solution that’s not detailed on our website. We’re always happy to help!

Paper: It’s Here to Stay and It’s Loaded with Sensitive Data

August 12, 2019 at 1:56 pm by Paul Falcone

It’s quite ironic that in the digital age, there is still so much paper being used.

True, more and more organizations have “gone paperless,” whether it’s eStatements from your bank or the option for emailed receipts from retailers. And when you think about it, when was the last time you received a paper gift certificate, or flipped through a White Pages book to find someone’s contact information? (It’s probably been a while.)

Yet, there is still a plethora of paper out there, and even more so containing sensitive or otherwise private information. From mailed credit card offers and office correspondence, to business contracts, building blueprints and legal documentation. Medical records, birth certificates and social security cards are all printed on paper, as are government passports, all of which will likely not be issued in digital-only formats anytime soon. Even engineering plans for nuclear missiles are first presented on paper.

Our society operates with a literal paper trail that can be traced throughout our everyday transactions, which means we must take steps to ensure the protection of any personal, private and/or sensitive information that’s contained within it.

Why It’s Crucial to Properly Dispose of Paper with Sensitive Data

Whether federal or personal, most types of paper documentation include what the government calls CUI, or, Controlled Unclassified Information. PII (Personally Identifiable Information) is one example of CUI on the consumer level. Unclassified government data such as those marked For Official Use Only (FOUO) or Sensitive But Unclassified (SBU) are considered CUI, as is any and all unclassified information throughout the Executive branch that requires safeguarding and dissemination control. CUI also covers nearly all government agencies as it relates to information for critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax and transportation documentation.

When documents containing CUI face end-of-life and need to be disposed of, it’s therefore critical to take the proper destruction measures for both the data and the media, to render the sensitive information unreadable, indecipherable and irrecoverable by any means.

For paper containing government-related CUI, the data destruction must follow NIST SP 800-88 standards. NIST SP 800-88 stipulates a 1mmx5mm or less final particle size for paper media (this is the same standard required by the NSA for classified information that’s reached end-of-life). This includes PII contained in a government document.

And although PII contained in non-government documentation does not require the same data destruction standards, it should still be treated with the same care and precision. If the documentation is to be shredded, the paper should be cross-cut—not strip-cut. Remember the Iran hostage crisis of 1979? (You know the one, when 52 American diplomats and citizens at the US Embassy in Tehran were held hostage for over a year by Iranian supporters of the Iranian Revolution.) During the hostage crisis, the Iranian hostage-takers gathered the strip-cut remains of shredded US intelligence reports and operational accounts and spent years painstakingly—and successfully—putting the shredded pieces back together. The sensitive data contained in the documents was made decipherable and readable, posing a major threat to the US government and our society.

Paper shredded to a P-4 particle size.

To ensure something like that does not happen to any of your documentation with sensitive data that reaches end-of-life, you should follow DIN Standard 66399 for data destruction. DIN Standard 66399, in this case Material Classification P, refers to information presented in its original size, such as on paper. Within this DIN Standard, there are further levels of security ranging from P-1 (ideal for data carriers with general data) to P-7 (for data carriers with top secret information and the strictest security standards). Level P-4 is recommended for most non-government PII covered under HIPAA, FACTA, FISMA, PIPEDA, SOX and even GDPR regulations. Under P-4 standards, the maximum cross-cut particle surface area is 160mm² with a maximum strip width of 6mm, or 6x25mm or less final particle size. Shredded data at this size can only be reproduced using equipment that is not readily available commercially. Therefore, the P-4 shredding standard is safe to use for non-government-related documentation, such as those containing PII.
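The following is an added example, not code from SEM or from the DIN or NIST documents. It audits a sample of measured shred particles against the two size limits quoted in this article (P-4: 160mm² area and 6mm width; government CUI paper: 1mm x 5mm). The `Limit` model, the function names, and the sample measurements are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Particle = Tuple[float, float]  # two measured side lengths in mm, in any order


@dataclass(frozen=True)
class Limit:
    """Particle size limits; a field left as None is not constrained."""
    name: str
    max_width_mm: float
    max_length_mm: Optional[float] = None
    max_area_mm2: Optional[float] = None


# Figures quoted in the article; modelling them as these fields is an assumption.
P4 = Limit("DIN 66399 P-4", max_width_mm=6.0, max_area_mm2=160.0)
CUI_PAPER = Limit("1mm x 5mm (CUI paper)", max_width_mm=1.0, max_length_mm=5.0)


def check(particle: Particle, limit: Limit) -> List[str]:
    """Return the limits this particle exceeds; an empty list means compliant."""
    width, length = sorted(particle)  # orientation on the ruler does not matter
    if width <= 0:
        raise ValueError(f"non-positive measurement: {particle}")
    failures = []
    if width > limit.max_width_mm:
        failures.append("width")
    if limit.max_length_mm is not None and length > limit.max_length_mm:
        failures.append("length")
    if limit.max_area_mm2 is not None and width * length > limit.max_area_mm2:
        failures.append("area")
    return failures


def audit(sample: List[Particle], limit: Limit) -> dict:
    """Check every particle in a sample and collect the ones that fail."""
    failed = []
    for particle in sample:
        reasons = check(particle, limit)
        if reasons:
            failed.append((particle, reasons))
    return {
        "limit": limit.name,
        "total": len(sample),
        "passed": len(sample) - len(failed),
        "failed": failed,
    }


# Constructed measurements (mm) standing in for particles pulled from a waste bag.
SAMPLE: List[Particle] = [
    (4.0, 38.0),   # 152 mm^2 cross-cut
    (6.0, 25.0),   # the 6x25mm figure quoted for P-4
    (5.0, 40.0),   # narrow enough, but 200 mm^2
    (8.0, 15.0),   # small area, but too wide
    (6.0, 297.0),  # strip-cut: one full-length strip of an A4 page
    (0.8, 2.5),    # the P-7+ particle size quoted for the Model 344
]

if __name__ == "__main__":
    for limit in (P4, CUI_PAPER):
        report = audit(SAMPLE, limit)
        print(f"{report['limit']}: {report['passed']}/{report['total']} compliant")
        for particle, reasons in report["failed"]:
            print(f"  {particle} mm exceeds {', '.join(reasons)}")
```

The strip-cut entry stays within the 6mm width yet fails P-4 on area alone, which is why the article recommends cross-cut over strip-cut shredding.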

A Note on Data Destruction Machines

Paper documentation containing CUI that’s reached its end-of-life should either be incinerated or shredded with the correct destruction machinery. Be sure to look for signage or other indicators on the machine to inform you of whether it has been approved for CUI destruction. These machines should also be listed under the NSA/CSS 02-01- EPL for classified paper destruction.

All of SEM’s high-security shredders meet the NSA/CSS mandate. SEM also offers several cross-cut paper shredders for Unclassified paper destruction which meet the DIN Standard 66399 Level P-4. These machines are suitable for commercial, non-government paper shredding or Unclassified non-Executive branch shredding and can be viewed here.

Maybe Paper Isn’t the Only Thing You Should Be Shredding

June 13, 2018 at 4:27 pm by SEM

SIGNAL CONNECTIONS E-newsletter August 15, 2005

Hard drive disposal has become a hot topic over the past few years for both the defense community and the private sector. As personal computers advance and older units become obsolete, disposal of sensitive information still left on the hard drive is of serious concern. For most companies simply throwing the computers or drives away is not an option. Some choose to “erase” the drive with either software or degaussing equipment, but experts agree that the process is not always 100% effective. The best way to be certain that important information is not accessible after disposal is to physically destroy the hard drive. Current methods for destruction or defacing prior to disposal can be effective but are often primitive and labor intensive. They include everything from drilling, crushing or removing the platter for sanding or grinding. Recently, at the request of several customers, SEM began developing machines to destroy entire hard drives, by turning them into an unrecognizable pile of shredded material.

Through testing several combinations, exploring alternate materials and working out safety concerns, we enhanced two of our current disintegrators (industrial shredders) to successfully destroy hard drives. The process is actually very simple. Drives are placed into one of our disintegrators and are continually shredded until the particles are small enough to pass through a waste disposal screen. The unrecognizable, unreconstructable waste can then be disposed without fear of information theft. This type of one-step destruction is viable and cost-effective for many companies. However, as in all forms of destruction, understanding the process and knowing the requirements is the key to success.

Limitations/Maintenance – One-step destruction does have limitations and maintenance associated with it. There are limitations on drive size (1 ½ lbs. case weight), volume (drives fed per hour) and collection capacity depending on the method chosen. Maintenance includes periodic blade sharpening, lubrication and replacement of consumable items, all determined by amount of use and volume. None of these items alone or combined are deterrents but must be factored into the cost and overall maintenance budget.

Understanding How the Disintegrator Works – The disintegrator or industrial shredder is a rotary knife mill, which uses a number of rotating and stationary knives working in unison to create a scissor-type cutting action. The level to which the product is cut or broken up is determined by an interchangeable sizing screen. Screens are available with various hole sizes, which allows the end user to tailor the final particle size to their requirements of security. Once the product is destroyed and passed through the sizing screen, it falls into a tote bin or larger collection device (drum, cart, or dumpster).

Going Beyond the Hard Drive – Once we had perfected hard drive destruction, we in the destruction community were faced with another challenge. It seems the process of opening all the computer cases and removing all the hard drives was becoming a burden to the folks charged with sending us the drives. It may seem like a small thing, but many older tower computers may require as many as 10 screws to be removed before a drive can be taken out. The procedure could take several minutes. In response to demands to simplify the process, we have developed a machine that will destroy an entire tower or desktop CPU with no need to open the case or remove any items. The dual-shaft design machine literally shreds them into 2” wide pieces at random lengths. The 2” particle size can be reduced even further, if desired, by running it through a disintegrator.

What About Cost? – The decision to purchase a system should not be based on cost, but on potential risk. For lower volumes, destruction services are an option. Even so, many companies simply cannot afford to purchase this equipment for the relatively small number of computers that need to be destroyed. In these cases, we recommend investigating a destruction service. At SEM we not only sell the equipment, but we maintain and operate a full-scale destruction facility. So, if you have old computers to dispose of, stop and think about the best way to do it. Destruction, specifically shredding, just might be the answer.

About the Author – Leonard Rosen is the Founder and Chief Executive Officer of Security Engineered Machinery. He has over 40 years of experience in the field of information security and destruction.