Tag: personally identifiable information

Applying to College: What Happens to Your PII Once You’re Accepted?

April 27, 2021 at 1:50 pm by SEM

College applications. For a lot of people, just reading those two words can bring back a swarm of flashbacks of awkward college essays, endless SAT prep, and countless hours spent anxiously awaiting that giant envelope announcing your acceptance into your dream school. While this time can be exciting for many people, it’s also a time spent filling out application after application detailing all your personally identifiable information (PII). But what happens to those applications, and that information once you’ve been accepted?

Colleges and universities are bound by a federal law called “The Family Educational Rights and Privacy Act” (FERPA), which ensures that the information provided by and in relation to students is kept private. The law also states that if the information provided is no longer needed, that it must be discarded in a manner that securely protects the information.

For context, FERPA is administered by the Family Compliance Office in the US Department of Education and applies to all educational agencies and institutions that receive funding under any program administered by the department. Private schools at the elementary and secondary levels generally do not receive funding and are therefore not subject to FERPA. Private post-secondary institutions, however, generally do receive funding and are therefore subject to follow all FERPA guidelines and regulations.

While FERPA accounts for a variety of issues such as access to education records, amendments to and disclosure of records, it also makes provisions and guidance on the protection of the information. It is within this segment of the law that institutions are obligated to protect the privacy of the data and to effectively destroy or eliminate data that is no longer needed in a controlled and secure manner.

How is this data destroyed?

Personal data resides on many forms of media, including but not limited to paper, hard drives, data tapes, optical disks, and more. Paper documents can easily be destroyed by feeding the end-of-life documents into a paper shredder. Many institutions use in-house cross-cut paper shredders for this purpose while others may deploy an outside service to shred the paper. If an office or institution utilizes an outside service to destroy their paper documents, they are usually stored in a locked cabinet or receptacle that only the outside service has access to. While these documents are securely stored in the meantime, SEM will always recommend in-house data destruction to ensure secure destruction. By opting for a third party vendor to handle your end-of-life destruction, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle, misuse, or even lose drives and/or paper when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. (Some third party vendors have even been known to sell the data they are given to online third parties!)

Unfortunately, many college applications are now submitted virtually through applications like CommonApp and through institutions’ online portals. This means that the destruction of their electronic media is a bit more challenging. Again, there are outside services that perform this function, but they do not come without their own set of consequences. For hard drives, it is best practice to degauss any end-of-life drive prior to destruction. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. This can in turn potentially save an institution more time and money in the long run by preventing a breach of any kind and ensuring their applicants’ PII stays safe.

At SEM, we specialize in providing secure and effective in-house solutions to numerous educational facilities around the country. We have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your institution’s destruction needs.

What Documents Should You Shred After Filing Your Taxes?

April 26, 2021 at 6:16 pm by Amanda Canale

Ah, tax season. A time to reflect and reevaluate on the past year’s finances, and a wonderful excuse for some major spring cleaning!

In this blog, we’ll break down all of the documents you can say, “bye-bye” to and the ones you may want to keep around for a bit longer. It’s important to note that this is simply a condensed breakdown, but more information on record retention policies (RRP) can be found in our blog, Records Retention Schedules: When Will Your Data Expire?

Bye-Bye Junk!

  • ATM and deposit receipts: These can be shredded once they are compared against your monthly statement.
  • Credit card bills: Once your bill has been paid, shred away!
  • Utility bills: Keeping utility bills once they are paid is not always necessary. However, it is recommended to save all of your utility bills for one year if you are claiming a home office deduction.
  • Pay stubs: Pay stubs should be saved for one year but once your taxes are filed, they are ready for the shredder.
  • Insurance policies: Once your policy is renewed (either with the same insurance company or a different one), feel free to feed it to your shredder.
  • Receipts: No need to pile up your desk or filing cabinet with every UberEats and Postmates receipt from the past year. It is only necessary to keep receipts from bigger purchases or items that will be deducted.
  • Monthly bank statements: Your monthly bank statements should be saved for one full year and then shredded after you receive your annual statement.
  • Monthly investment statements: All annual statements and the most recent monthly statement should be kept on file; however, feel free to shred the rest!

sell-sheets

Documents for Next Tax Season

  • Income: Whether your income comes from wages, interest, or other business, any W-2, 1099, or K-1 forms, and bank and brokerage statements should be kept leading up to your next tax return.
  • Deductions and credits: Any receipts pertaining to childcare, medical and dental expenses, using your home as your business, alimony, or charitable donations should be kept leading up to your next tax return. In addition, any receipts or invoices, cancelled checks, and bank or credit card statements.
  • Home and property documents: Whether they are closing statements, proof of payments, insurance records, or home and property renovation receipts, these types of documents should all be kept for a year leading up to tax season.
  • Investments: Any and all 1099 and 2439 forms, brokerage statements, and mutual fund statements should also be kept prior to filing your taxes.

With all of this being said, it is important to mention that there are some financial documents that should be kept for a specific amount of time after you file your taxes. The Internal Revenue Service (IRS) has three years to assess additional tax and audit returns, meaning it would be a smart move to keep any documentation to support your recent claim should be kept on file.

Shred Away!

Now is the fun part: shredding time! While there are various ways to destroy a paper document (as detailed in our recent blog, How NOT to Destroy Paper Documents), we at SEM know it to be best practice to use a high security paper shredder (no, big box store shredders won’t cut it — pun intended!) when destroying all of your end-of-life paper documents. By adopting a secure shredder policy, you can be sure your financial information does not get into the wrong hands. We suggest the SEM Model 1324P deskside shredder for all of your at-home shredding needs. This device offers a DIN 66399 P-4 particle.

P-7, shown above, is the standard for the destruction of classified material on paper

At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

How NOT to Destroy Paper Documents

April 5, 2021 at 1:13 pm by Amanda Canale

In the age of Big Media, it’s easy for some to say, “Paper is dead! Everything is digital now!” Well, not quite. Even as we get further and further into the digital age, not everyone (or everything) has gone paperless. While the majority of our information and data has gone digital, there are very literal paper trails linking our identities to our private information. From medical records and birth certificates to mailed credit card offers and business contracts, there is a plethora of paper documents out in the world that hold some of our most private and confidential information. It is this reason in particular why we at SEM stress that any end-of-life paper documents containing sensitive or confidential information should be destroyed securely. Join us as we break down some of the methods that should be avoided.

Cutting and/or Shredding by Hand

As satisfying as ripping up physical spam mail can be, making it your primary shredding method is not recommended. While this method may be enough for mail or documents not containing private, confidential, or personally identifying information (PII), it will not ensure that the information cannot be pieced back together. Unfortunately, when media or data of any nature is not destroyed with high security end-of-life destruction equipment, there is always a risk that some of the data may be recovered. Take for instance the DARPA Shredder Challenge where people competed to reassemble shred particles, or our previous blog, A History of Data Destruction.

Shredded paper with text.

Recycling and/or Throwing Away

While we support the green initiative in wanting to recycle your end-of-life confidential paper documents, unfortunately this cannot always be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are typically gold mines for hackers and thieves. In addition, recycling and waste are not transported securely, making it easy for people to intercept and have access to your most sensitive and confidential information.

It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Given that length of time, anything can happen! It is important to note that after this period, remnants of your information are not magically sorted; dozens of employees’ sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will unfortunately only put your data at more risk.

nsa-listed-paper-shredder

It is always best to err on the side of caution when it comes to end-of-life data destruction. When it comes to specifically destroying paper documents, it is best practice to use a paper shredder. By adopting a shredding policy, companies and organizations can take preventative measures to ensure that end-of-life confidential information does not fall into the wrong hands.

That’s why at SEM, we want you to future proof the destruction of your most sensitive and confidential data with one of our high security paper shredders, the SEM Model 344. The Model 344 offers an even more secure shred size that we like to call P-7+. This device is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm (that is 50% smaller than the current National Security Agency requirement!) This compact, portable, energy saving option is listed on the NSA/CSS Evaluated Products List and has a throughput of 12 reams of paper per hour when feeding five sheets at a time.

By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. It is also important to remember that a data breach is a data breach, no matter the level of impact. At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

How NOT to Destroy Hard Drives

March 2, 2021 at 8:00 am by Amanda Canale

Since the first days of chat message boards and social media profiles, we’ve all heard the saying, “don’t put all of your information online because it never truly goes away.” The same can be said for end-of-life data and information on rotational hard disk drives (HDDs): once information is on there, it’s sometimes near to impossible to fully remove. Aside from implementing a secure, in-house destruction plan, there are many other methods we do not recommend using. Let’s break some of those down.

Recycling and/or Throwing Away

While we support the green initiative in trying to recycle your end-of-life drives, unfortunately, this cannot be securely done. For starters, the majority of our waste and recycling ends up in landfills and dumpsters which are gold mines for hackers and thieves. On top of that, recycling and waste is not transported securely, making it easy for people to intercept and have access to your most sensitive information.

It is reported that, on average, recyclables and waste sit on sorting floors for up to four weeks before finally being destroyed. Anything can happen within that length of time! After this period, remnants of your information or data are not magically sorted; dozens of employees’ sort what the machines cannot and have direct access to your data. By opting for a seemingly eco-friendlier alternative, you will only put your data at more risk.

Deleting and/or Overwriting

One of the more common (and misleading) data destruction misconceptions is that erasing or overwriting the information of an end-of-life drive and degaussing are synonymous with one another. While methods such as cryptographic erasure and data erasure would allow the drive to be used again, it is not a secure and foolproof destruction. Information, whether encrypted or unencrypted, can still linger behind on the drive and be accessed, even if it has previously been deleted or overwritten.


Burning

Burning a hard drive, whether with a blow torch or roasting it on a stick, is highly discouraged. Not only would this require protective gear and holding platters at a safe distance with a heat resistant tool, but burning hard drives will also lead to harmful fumes to be released into the air in the process.

Unfortunately, just because a drive experiences physical damage, it does not mean that the information has taken the same hit. Take for instance the 2003 explosion of the Columbia space shuttle. As the spacecraft made its way into the atmosphere, a piece of the insulation foam had detached, causing it to become enflamed and combust. The horrific disaster resulted in the loss of everyone aboard as the shuttle disintegrated on its way back to Earth.

Just about six months later, a rotational hard drive that was aboard the Columbia was found in a riverbed. It was discovered that the drive had not only survived the initial explosion, but it also survived a 40-mile fall while on fire at terminal velocity and staying in a muddy riverbed for six months. The most interesting part? Even after surviving all of that, it was discovered that 99% of the data that resided on the drive was recovered. It’s safe to say that burning a hard drive is not only harmful to you and the environment but is a tactic that simply won’t work. We suggest sticking to roasting just marshmallows over future fires.

Photo of recovered Columbia space shuttle hard drive


ITAD

ITADs, or information technology asset disposition companies, are third-party vendors that sanitize and destroy end-of-life data and drives. While the appeal of these types of companies can be quite convincing, we at SEM do not recommend utilizing these types of companies when getting rid of your end-of-life data. While there are some reputable ITAD and data sanitization companies out there, the risk may not be worth the convenience. Security risks can be unpredictable and potentially catastrophic as it can be far too easy for ITAD vendors to misuse, mishandle, and misplace drives when in transportation, destruction, or disposal. It has also been reported that some vendors sell end-of-life devices and their sensitive information to online third parties.

During the summer of 2020, financial institution Morgan Stanley came under fire for an alleged data breach of their clients’ financial information after an ITAD vendor misplaced a number of drives that were storing personally identifiable information (PII). Instead, we suggest purchasing one of our NSA listed devices, keeping the chain of custody within the company, and conducting all destruction in-house.

data-theft
Other (Un)Worthy Methods

  • Submerging the HDD in acid
  • Using a drive as target practice
  • Running over HDDs with your car
  • Giving HDDs a bubble bath
  • Physical destruction with a blunt object
  • Attaching industrial-strength magnets

Regardless of the catalyst for end-of-life drive destruction, it is always best practice to conduct destruction and degaussing in-house. While degaussing is not possible for the destruction of end-of-life data on solid state drives (SSDs), SEM recommends always following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to destruction. Solid state drives (SSDs) and optical media cannot be degaussed, so crushing and/or shredding is recommended.

By first degaussing then physically destroying HDDs, companies are choosing the most secure method of data destruction per NSA guidelines as this is the only way to be certain that the end-of-life data has been properly destroyed. When magnetic media is degaussed, our devices use powerful magnetic fields to sanitize the magnetic tapes and drive, wiping all sensitive information from the device. This act renders the drive completely inoperable, which should always be the end goal. Once the device has been degaussed, it should be physically destroyed. The combination of degaussing and physical destruction for HDDs is without a doubt the most secure method of ensuring your end-of-life data stays at the end of its life.

It is also important to remember that a data breach is a data breach, no matter the level of impact. While not all degaussing machines are adequate to demagnetize all rotational hard disk drives, at SEM we have an array of various high security NSA listed/CUI and unclassified magnetic media degaussers to meet any need and regulation.

Most Notorious Data Breaches

February 26, 2021 at 8:00 am by Amanda Canale

From January to June 2019, it was reported that there were approximately 4,000 publicly disclosed data breaches, all of which had resulted in close to 4.1 billion compromised records. (That is half of the amount of people living on Earth!) In 2020, the rate of data breaches had decreased slightly, but studies show that there is no sign of them slowing down. While data breach tactics are constantly evolving, there are a multitude of ways a company or individual can prevent their most sensitive and confidential information from being stolen.

We’ve broken down some of the more infamous data breachers below and included best practices to ensure that your data stays protected.

U.S. Department of Veteran Affairs

In May 2006, the U.S. Department of Veteran Affairs found themselves in the midst of some hot water when they publicly announced that a data breach had compromised the records of 26.5 million veterans. Among the private and sensitive information that was stolen were names, dates of birth, and Social Security numbers in addition to other personally identifiable information (PII), such as disability ratings.

The breach was caused by a Veteran Affairs data analyst who had taken a laptop and external hard drive home from the office that had contained the unencrypted information of all 26.5 million affected veterans. The laptop and hard drive were then stolen from the analyst’s home during a burglary which ultimately led to the breach.

While the department stated that there was no evidence to prove that the stolen information had been used illegally, unfortunately, that is not a risk one should be willing to take. It’s important to note that there is no statute of limitations on data breaches; just because the information wasn’t misused then, doesn’t mean it won’t happen in the future. Therefore, it is always safer to leave that sort of information at the office or to have a secure system in place if that information needs to be accessed remotely.

Exactis

Marketing and data aggregation firm Exactis suffered a major breach in 2018 when a database containing sensitive information on 340 million individuals was accidentally released to a publicly accessible server. The stolen data totaled out to about 2TB worth of information on not only American individuals but businesses as well. (Remember: one-tenth of the Library of Congress can fit on a 1TB drive. Now double that!)

This breach, luckily, did not contain individuals’ credit card information or Social Security number, but it did contain names, email addresses, phone numbers, and even the ages and genders of a person’s children. This aspect of the breach is especially important to mention because even with a lack of financial or sensitive information, the information that was stolen can carry just as many negative consequences as it is all personally identifiable.

Having secured workspaces, servers, and data security protocols in place is just as vital to preventing a data breach as an in-house data destruction plan.

SOX data destruction

TRICARE

In 2011, military health program TRICARE announced that several of their computer tapes were stolen. The tapes in question were backup tapes of a military electronic health-record system that was in use from 1992 to 2011 and reportedly held the personal health information (PHI) of approximately 4.9 million subscribers.

The breach occurred when a TRICARE employee was tasked with transporting the tapes to an off-site storage facility as part of the company’s routine backup procedure, and the employee’s car was subsequently burglarized. While no financial information was held on the tapes, information pertaining to Social Security numbers, addresses and contact information, and even personal health data such as clinical notes, prescriptions, and laboratory tests were among the data stored.

While the military insurance carrier deemed the breach as a low risk to the affected individuals, only some of the information had been encrypted, meaning that most of the information would be fairly easy to pull and use for illegal purposes.

data-security

A common denominator in the data breaches above is not only human error but the misuse during storing and transporting of drives containing sensitive information. We understand that destruction does not always happen immediately after the drives and data are deemed end-of-life. Businesses may not have the proper equipment in-house or budget to outsource destruction, but it is this reason in particular why we at SEM stress that precautions and protocols should be in place to securely store and protect all data once it meets its end-of-life.

Whether the company is a small business, government agency, or health insurance carrier, all information and data should be locked up in a secure location, regardless of its end-of-life status. By leaving drives, whether encrypted or not, in unlocked office desk drawers, easily accessible boxes, or even in your personal vehicle and home, they are left vulnerable to hackers and thieves, and carelessness. We have more information on how to properly store your end-of-life data while awaiting destruction in this blog post.

When it comes to the destruction of data, it is always best practice to have an in-house destruction plan in place. At SEM, we have an array of various high-quality, high security NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.

Data Privacy Day 2021

January 27, 2021 at 8:00 am by Amanda Canale

It may seem contradictory, but, even in the age of Big Media, millions of people are still uneducated on how to keep their information safe and uninformed about how it is being used or shared. This is where Data Privacy Day comes in. Data Privacy Day (DPD) is part of an international effort to heavily encourage people to not only comply with privacy laws and regulations, but to also educate people on how to protect and manage their personally identifiable information (PII).

Every year on 28 January, the National Cyber Security Alliance (NCSA) creates an engaging and informative campaign in order to raise awareness about data security and protection best practices, especially in regard to social networking. The campaign is targeted towards anyone with an online presence of some sort, whether it be business or personal, and offers collaborative opportunities for various industries, such as government, academia, privacy experts, and nonprofit organizations. This internationally recognized day was initially established in 2008 in North America as an extension of Data Protection Day in Europe, which has been in effect since 1981. It is the first legally binding international treaty to recognize data privacy concerns.

In 2020, the world experienced what felt like an onslaught of events that directly disturbed people’s lives – environmental disasters, social justice movements, an economic downfall, a pandemic, and much more. Technology has astronomically advanced over the past year in order to keep up with the world as it changes, but what about data privacy? Have best practices been left behind for the sake of keeping up the pace?

This year’s theme for Data Privacy Day is Own Your Privacy. A 2019 Pew Research Center report stated that 84% of consumers want more control over how their data is being used.

Shredded paper with text.

Protect Your Data: At Home

When it comes to keeping our PII safe, it is crucial that we follow data security and privacy best practices as that information is extremely valuable to hackers and thieves. Information such as your IP address, purchase history, and location can offer hackers a wealth of knowledge as to your income, spending habits, card information, and where you live, for starters.

It helps to think of your personal information as being as valuable as the money in your bank account and wallet, simply because it really is. According to the IBM and Ponemon Institute report, the cost of an average data breach in 2020 is approximately $3.86 million. While most of these costs are from business reputation maintenance and regulatory fines, the costs can still add up when it’s your PII on the line. On an individual level, people can experience identity theft, monetary theft, changes in credit score, and much more, all of which can cost money and time to rectify. You wouldn’t willingly give up money from your personal wallet, so be sure not to do the same with your information.

As important as keeping that mentality is, it is just as crucial to keep track of where you find yourself willingly offering up your information; every time you are asked for your information (whether in a webform, email, mailing list, etc.), think about whether you can really trust the inquiry. While nobody thoroughly enjoys reading the terms and conditions’ fine print, if data protection is your goal, as it should be, it is highly recommended that you do so.  According to a 2019 Pew Research Center report, 74% of people rarely or never read a company’s policy before accepting it. By reading a company’s policy, people will have a much better understanding on whether the information in question is required or even relevant for the services they are offering.

In addition to reading the fine print, it’s suggested that people routinely delete accounts and apps that they no longer utilize, update their applications, and manage their privacy settings. In just a few moments, you can completely update your privacy and security settings to your comfort levels. The NCSA offers great resources on how to locate your privacy settings for online services and popular devices. This way, you are mindful of your information’s worth, what information you willingly give out, and are aware of a company policy and what information is necessary to give out.

For tips on how to keep your data safe while working from home, refer back to our previous blog, How to Properly Handle Information While Working From Home.

Hacked data concept. Data unsafe, computer crime, security breach. Words and binary code, depth of field effect

Protect Your Data: At Work

Data privacy and security best practices may vary between businesses and individuals, but they are just as important. As we get further and further into the digital age, hackers and thieves no longer just need to breach a facility’s physical barrier in order to steal information. They can access all of your confidential information remotely through methods of phishing, hacking the cloud, and other more advanced virtual methods. (Don’t forget about dumpster diving for hard drives, USB drives, and paper too!)

From January to June 2019 alone, there were over 3,800 publicly disclosed data breaches that resulted in 4.1 billion compromised records. Yes, four billion records compromised within a short, six-month time window. As discussed above, data breaches can cost upwards of millions of dollars in reputation maintenance and fees. The most expensive type of record is client PII, which can average out to about $146.00 per compromised record. Multiply that amount by the number of compromised records (keeping in mind that one single hard drive can store a LOT of data) and your company now has a burning hole in its pocket.

Businesses can keep their clients’ information safe by instilling secure processes for collecting and maintaining relevant information for legitimate purposes. The motto should always be, “if you collect it, protect it.” One of these processes can be researching and designing a privacy framework your company can use to help manage risk assessment, along with conducting routine assessments of your data collection practices. Keep up to date on privacy laws and records retention schedules so you know when your client and employee information will expire, and what laws and regulations apply to your specific business. Train and educate current and future employees of their and your business’ obligations to protect personal or confidential information.

In addition to these methods, transparency about how your collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what they can expect their information to be used for and offer them other settings to protect their information by default.

And last but not least, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — destroy it to prevent leaks that could happen for many years down the road.

You can find more information about the costs of data breaches by visiting our previous blog, Cost of a Data Breach vs. Hard Drive Crusher: How You Can Save Millions.

Records Retention Schedules: When Will Your Data Expire?

January 21, 2021 at 8:00 am by Amanda Canale

In the growing age of Big Media, it is imperative now more than ever that companies and organizations develop and maintain a Records Retention Policy, otherwise known as RRP. An RRP is a policy that defines a company or organization’s legal and compliance bookkeeping requirements. An RRP ensures that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient.

When establishing an RRP, there are several key questions to keep in mind. Who is responsible for overseeing the RRP? How long should records be retained? What type of records should be retained? What should we do with those records after the required retention period has passed?

Within any type of business, there are a multitude of records you’ll need to keep track of, from accounting and bank records to corporate and employee information, just to name a few. Just as the type of record may vary, so does the retention period. Let’s break down some of the more important record types and retention periods.

identity-theft
Accounting Records

It is a good rule of thumb to keep the majority of accounting records permanently. These types of records can range from income taxes, asset records, training manuals, general ledgers, and more. Patents and related papers, insurance claim documents, legal correspondence, capital stock and bond documents require permanent retention, along with real property records, such as deeds, bills of sale, and appraisals.

While the majority of accounting records should be kept permanently, there are some types that you can safely destroy after a period of seven years. These types of records can be in the form of electronic payment records, employee expense records, inventory listings, and timecards. These records are still crucial to your accounting team but are not necessary to harbor forever.


Employee Benefit and Personnel Records

When it comes to employee benefit and personnel records, the retention period can vary. Any financial statements, documents from the Internal Revenue Service (IRS) and Department of Labor Correspondence, and plan and trust agreements should all be kept permanently.

Normal employee personnel files, employment applications, individual employee contracts, and employment applications should be kept on file for two to three years from the date of termination. Other personnel records, such as worker’s compensation and employment eligibility forms can be kept for three to five years.


Insurance and Legal Records

Insurance records, such as accident reports and settled claims, fire inspection and safety reports, and expired insurance policies should all be kept for seven years. It’s important to note that any accident reports and settled claims should be kept for seven years from the date of the settlement, not when the accident occurred. When it comes to legal documents, the retention period can vary. Records of expired contracts and leases and employment agreements can be kept for seven years, but other documents, such as effective contracts and leases, meeting minutes, partnership agreements, and legal correspondences should be kept permanently.

It is also important to keep in mind that records are not just paper documents but can consist of electronic documents and data as well. This includes, but is not limited to, word processing, emails, databases, spreadsheets, and so forth. Any device on which files are stored, optical media, flash drives, and HDDs or SSDs are considered to be electronic documents and must follow the same RRP guidelines the corporation sets forth for paper documents retention and disposal.

The disposal of these records is just as important as retaining them. Having an appropriate shredder is crucial to ensuring that your data is not falling into the wrong hands.

Although the non-permanent records are no longer required to be kept in your possession, this does not mean that the information on those records has necessarily expired or become any less important. If records are disposed of in an unsecured manner and important corporate or employee information falls into dishonest hands, the results can be catastrophic for both the corporation and the employee. (You can read about the monetary consequences of data breaches here.)

In conclusion, establishing an RRP is a crucial step in ensuring that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient. Management of these records include, but is not limited to, securing the information they contain, even upon disposal of those records. Records that no longer require retention should be destroyed by means of shredding, disintegration, or degaussing, whichever is appropriate depending on the storage method and applicable industry regulatory requirement. Although it is not necessary for a corporation to maintain the same destruction requirements as a government facility, the proper destruction should not be considered any less vital. With any company or organization policy, an RRP relies on its employees to maintain and enforce it.

Security Engineered Machinery Supports Asheville Man’s Budding Paper Shredder Business

January 14, 2021 at 8:30 am by Amanda Canale

Security Engineered Machinery, Co., Inc. (SEM), global leader in high security information end-of-life solutions, donated a commercial-grade paper shredder to Asheville, NC resident Austin Ferrell after seeing a local news story featuring Ferrell and his years-long passion for shredding. Ferrell, who goes by the alter-ego “Austin Shreds,” has made a name for himself in his local community by spending his free time shredding paper documents for area businesses and organizations. Ferrell operates out of an office he shares with his mother, Janet Price-Ferrell.

“As a parent of a kid with a disability, you’re always looking for something that your kid enjoys,” said Price-Ferrell. “He will shred for three or four hours a day!” Price-Ferrell added that she was ecstatic for her son to receive his new shredder, adding that “The one he was using did not keep up with him!”

An advocate for others like Austin with intellectual disabilities, Janet Price-Ferrell is also Executive Director of FIRST, a non-profit organization that provides persons with disabilities and their families with programs and advocacy to support and foster healthy, inclusive, and self-determined lives.

“All of us at SEM were so touched by Austin’s story and our shared passion for paper shredding,” added Heidi White, SEM Director of Marketing. “SEM’s heritage is in paper shredders — our company founder actually innovated the world’s first paper disintegrator — and so we wanted to show our support for this incredible young man and his business venture by sending him an equipment upgrade.”

SEM arranged for white glove shipment of a brand-new paper shredder for Ferrell to utilize. The SEM Model 2125PSP is a robust, commercial grade shredder, making it faster, more durable, and far less prone to jams than Ferrell’s existing shredder. It also offers a DIN 66399 P-5 (2mm x 15mm cross-cut) final particle size, making it a more secure shredder option for Ferrell’s blooming business.

When he received his new shredder, Austin was ecstatic to say the least. “He kept saying, ‘awesome,’” said Price-Ferrell. “He shredded for three hours straight and it never overheated.”

Those living in the Asheville, NC area can bring their paper documents to Austin Shreds for destruction in exchange for a donation. To learn more, visit the Austin Shreds Facebook page. To see Austin and the paper shredder in action, visit our YouTube page here.

Austin Ferrell of Austin Shreds
Austin Ferrell of Austin Shreds

Tips From Santa: How To Keep Your Information Safe This Holiday Season

December 17, 2020 at 8:00 am by Amanda Canale

Ho Ho Ho! It’s that time of year, everyone — the holidays are upon us! This time of year is not only one of the happiest, but it is also the busiest and most expensive (and you’re talking to the king of Christmas!). Unfortunately, hackers and thieves don’t take this time of year off like the rest of us; they work overtime. Here are some helpful tips Mrs.Claus and I have learned over the years to help keep your most sensitive data private this holiday season.

Utilize Your Digital Wallet or PayPal

If you choose to shop for your loved ones in-person this holiday season, Santa says, “forgo the plastic!” Instead, I suggest you use your digital wallet. Digital payment options such as Apple and Google Pay use a unique encryption system that replaces your card’s information with information that can only be used one time. That way, if a rogue elf wanted to steal your information, they wouldn’t be able to.

If you’re shopping online this year, try to use PayPal Checkout. PayPal allows you to forgo entering your credit card information directly on a retailer’s website. This offers your information a barrier between it and the retailer so you can keep your financial information secure.

Don’t Shop on Public Wi-Fi

Mrs. Claus is always making this mistake when shopping at the North Pole Mall. It’s quite easy for rogue elves to intercept traffic on public networks and swipe credit card information and other sensitive data. You can set your phones and devices to ask before joining so you don’t mistakenly join fishy networks. Whether you’re waiting on your friend for a hot chocolate at the café or at the local ice-skating rink, wait until you’re on a secure network to do all of your online shopping.

Be Wary of Social Media Ads and Phishing Emails

Old Saint Nick is guilty of this one himself (I love a good deal!). My mailbox is always overflowing with messages this time of year from wish lists for children all over the world, to messages from operations and packaging, to emails of clearance and holiday sales from all of Mrs. Claus’s favorite stores. They’re never ending! Because of this, it makes it difficult to weed out which emails may be from fake accounts trying to steal your credit card information. Before making any purchases, make sure you research the company and ensure you’re on their actual site. Be leery of deals that sound too good to be true, as well; as Mrs. Claus always says, “if it sounds too good to be true, it probably is!”

Sign Up for Banking Alerts

As a businessman, I have a few people close to me who have access to my credit card information. One time, I was able to catch Rudolph trying to buy himself and all the other reindeers treats behind my back because I had gotten an alert! (He was originally in charge of getting new brake lights for the sleigh.) If you share your credit or debit card with anyone else, whether it be a spouse, child, or have an accessible company card, make sure you sign up for banking alerts so you can easily spot potential fraud.

Don’t Autosave Your Passwords

We all forget our passwords sometimes. It’s okay! However, those rogue elves can be quite sneaky. If you’re making a purchase online with a saved password or credit card information, it’s much easier for them to hack your information. Keep your data safe and sound this holiday season by taking the extra time to retype your information and passwords.

Out with the Old and In with the New (Technology)

One item that is usually on everyone’s Christmas list are new devices. From iPhones and tablets to laptops and MP3 players, everyone wants something new and techy! While the excitement of unwrapping that new shiny toy can be overwhelming, it’s important to take the special time and care needed to securely wipe your old devices clean. Make sure to always back up your data and information and unpair it from other devices first. If it’s a new phone or tablet, make sure you follow the hard reset instructions from the device company. Remember, though — cell phones are SSD-based, meaning they will always have residual data, even after a hard reset. Therefore, just like the intelligence community, Mrs. Claus and I always destroy our old iPhones when we upgrade. After all, we wouldn’t want the personally identifiable information (PII) of all the world’s kids getting exposed!

If you’re looking to get rid of old rotational hard drives, we suggest using National Security Agency (NSA): Degauss and Destroy. Contrary to popular belief, a simple erasure or overwrite and degaussing are not the same thing. Degaussing is when magnetic fields sanitize the magnetic tapes within the drive, wiping it clean, and then rendering it inoperable. Once your old device has been degaussed, it should then be physically destroyed.

Mrs. Claus and I are big fans of all of SEM’s high security end-of-life destruction devices as we work with a lot of sensitive data such as names, addresses, and phone numbers. (As for the Naughty List, we destroy it every 26 December with an NSA listed/CUI paper shredder. Can’t let that list get leaked to the press!)

It doesn’t matter what your holiday looks like this year, there are always ways to ensure that your most private and sensitive data stays safe. My friends over at SEM are always on the Nice List so feel free to reach out to any of them should you have any other questions about keeping your end-of-life information secure.

From all of us here in the North Pole, we wish you and your loved ones a safe and happy holiday!

Classification Breakdown: Match Your Data to Its Destruction Method

December 11, 2020 at 8:15 am by Amanda Canale

In the age of social media, it’s quite normal for many people to put their entire lives online. Whether it’s someone spilling all of their secrets in forms of podcasts, vlogs, and blogs or sharing too much about their assets and wealth in an Instagram post, it doesn’t seem like there is much that isn’t shared with the world wide web.

However, there are many types of information that not only just shouldn’t be shared but cannot be shared, especially when it pertains to our National Security. Let’s break down all of the different levels of information out there and the varying security classifications applied in order to properly identify and safeguard this information.

Top Secret information (TS)

Top Secret (TS) information is also known as classified information. Access to this level of information is highly restricted and is upheld by law or regulations to particular groups of people. It is sensitive enough to matters of national security that it must be protected at all times. Information of this nature can range from nuclear weapon launch codes to government secrets.

When it comes to the destruction of these types of information, best practices can vary. The question you should always ask yourself is as follows: is my end-of-life data destruction equipment designed to securely destroy this information? To ensure the highest security data destruction, the federal government requires that classified data only be destroyed with devices listed on the NSA Evaluated Products List (EPL). This equipment is suitable for TS information and utilizes stringent destruction criteria determined by the NSA. You can find more information about NSA-mandated destruction of storage devices here.

Regardless of the classification level and type of data you are looking to destroy, any one of SEM’s NSA listed paper shredders, disintegrators, degaussers, and IT crushers are fully equipped to securely destroy all of your end-of-life data.

Sensitive Compartmented Information (SCI) and Special Access Program (SAP)

Sensitive Compartmented Information (SCI) and Special Access Program (SAP) are considered highly classified information that is controlled and designated by the National Intelligence Agencies and shared within certain Department of Defense branches. SCI and SAP access levels are only granted to those who already hold a Top Secret (TS) clearance.  This information ranges from intelligence sources and methods to analytical processing and targeting, as well as information unique to a specialized program or project. This information is only accessible by those granted “a need-to-know basis” and thus safeguarded at the highest levels due to the nature of the classified information. Therefore, this information should only be destroyed with NSA EPL listed devices.

nsa-listed-paper-shredder

Communication Security (COMSEC)

Communication Security (COMSEC) is used to deny unauthorized persons access to information obtained from telecommunications of the U.S. Government concerning issues such as national security. This information is handled and protected by the U.S. Department of Labor (DOL). Since COMSEC material is considered sensitive, it should be destroyed to the same standard as classified information, meaning using NSA EPL listed equipment. COMSEC typically includes cryptographic security, emissions security, transmission security, and the physical security of COMSEC material.

information-destruction

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is all of the different kinds of unclassified information throughout the Executive Branch of the United States government that requires safeguarding or circulation control that is consistent with applicable laws, government policies, and regulations.

On November 4, 2010, the Executive Order 13556 “Controlled Unclassified Information” was established to create transparency throughout the federal government and non-government stakeholders as previous characterizations of sensitive but unclassified information (SBU) was not always consistent. This classification process standardizes these practices across over 100 different government departments and agencies, ranging from state and local, to tribal and private sectors. The Order also mandated that end-of-life media must be destroyed to NIST 800-88 specifications. For paper, this specification is a 1mm x 5mm particle size, which is the same as for classified information.

Typically, CUI information can consist of technical information with a military or space focus, legal material and law enforcement, federal healthcare, technical drawings and blueprints, immigration, and more. All of SEM’s IT destruction devices are NIST 800-88 and therefore CUI compliant. In addition, all paper shredders listed on the NSA EPL are also CUI compliant.

Personally Identifiable Information (PII)

Personally Identifiable information (PII) is any kind of information that can identify a specific individual. PII can be tricky as it is not anchored to any one category of technology or information.

SOX Act

The range of what kind of information qualifies as PII is quite vast: social security numbers, IP addresses, passport and license numbers, mailing and email addresses, login IDs, and other specific information are all personally identifiable.

While data breaches should always be taken seriously, a breach of this kind of information can put the exposed people at an extremely high risk of identity theft and fraud. Take for example, the recent security breach at financial institution, Morgan Stanley. The incidents, which have occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of various computer equipment that were being used to store customers’ PII. You can read more about our thoughts on this breach here.

Personal Health Information (PHI)

Personal Health Information (PHI) is similar to PII in that it is identifiable information that can be linked to a specific individual.

PHI is an umbrella term given to any kind of health information that is dated, received, transmitted, or stored by the Health Insurance Portability and Accountability Act (HIPAA) and their entities and business associates in relation to healthcare operations and payment. This information ranges from Social Security numbers and medical record numbers to test results and insurance information. Both PII and PHI are sensitive information, so should be destroyed to completely prevent reconstruction or recovery using the same standards that apply to CUI.

Whether you’re looking to destroy personally identifiable, controlled unclassified, or top secret information, it is always best practice to follow data sanitization mandates. At SEM, we have wide array of high-quality end-of-life data destruction devices that not only meet NSA/CSS specifications, but are on the NSA/CSS Evaluated Products List, and follow the Controlled Unclassified Information (CUI) Executive Order.

Any one of our exceptional sales team members are more than happy to help answer any questions you may have about your data classification and help determine which machine will best meet your company and federally regulated destruction needs.