Seven things: records destruction vendors are afraid to tell you.

• Author: Johnson, Robert "Bob"
• Position: BUSINESS MATTERS

Information management service providers are often presented with a dilemma. On one hand, they have to give customers what they want. There are many competitive options out there, and service providers need happy customers. On the other hand, they have (or should have) considerably more experience and training than their typical customer and sometimes know that what a customer wants isn't prudent.

[ILLUSTRATION OMITTED]

Faced with this conflict, most service providers do not speak up for fear of offending a current or potential customer. They feel it is far less dangerous to just agree; it is difficult to tell the emperor he has no clothes. The unfortunate side of this is that customers remain unaware (or in denial) about factors that put them at risk.

Here are seven things organizations should know that secure destruction service providers want to tell them--but probably don't.

1 Don't Depend on Employee Compliance

"Quit letting every employee decide what information needs to be destroyed."

The typical data destruction program falls into two main categories:

1. The organization places a bunch of shredders around, instructing employees to use them to destroy confidential or regulated information.

2. The organization hires a service to destroy confidential and regulated information, instructing employees to place it into some type of secure collection container.

   The common problem with both programs is that they rely on employees' discretion and discipline. If they forget or ignore their responsibility and instead put this information--on paper or on electronic media, such as thumb drives, handhelds, and laptops --in the trash or recycling bin, the information is at high risk for exposure and, depending on the information, the organization could be in violation of regulatory mandates.

   Frankly, it makes no sense to give every employee the capability to put the organization's reputation, compliance, and profits at risk in this manner. No organization would consider giving every employee the discretion to bypass its firewalls, so it should not give them the discretion to undermine security, compliance, and client trust because they are too busy, too lazy, or too apathetic to properly dispose of protected information.

   The secure and compliant solution is to remove employee discretion from the equation by destroying all discarded media. Given the relatively low economic commitment, especially compared to the cost of the potentially devastating consequences, destroying all discarded media is the only sensible choice.

   2 Destroy All Media When It Is Time to Discard It

   "You should have the same consistently high standards for the destruction of all types of media."

   Destruction methods vary for each type of media, as does the oversight of each destruction process. For instance, stored paper records usually fall under records management's...