It is generally a good idea to make sure that any document, whether it is a paper document or an electronic document, is
completely destroyed when you no longer need it if it contains information about you or your business, any of your customers, potential customers, or employees. Here are some general and easy-to-follow guidelines.
- Destroying paper records yourself
- Destroying electronic records yourself
- Hiring a company
Checklists
Destroying Paper Records Yourself
- Shred all sensitive paper documents. Never just deposit them in the trash or dumpster.
- Ideally, use a shredder that cross-cuts, confetti-cuts, or particle-cuts.
Destroying Electronic Records Yourself
What works
- Use data wiping software. It removes information by writing new, meaningless information on top of old information.
- Use specialized shredders to destroy CDs and DVDs.
- "Magnetically degauss" hard drives in old computers. Magnetic degaussing uses extremely strong magnets to remove the magnetic encoding that stores data. Although degaussing machines are expensive, many companies charge less than $10 to degauss a hard drive.
What does not work
- Breaking an old computer. Breaking an old computer does not mean that you are breaking the hard drive where data is stored. Although it is possible to remove the hard drive and then physically destroy it (e.g., drilling a hole through it) this can be time-consuming and dangerous if you don't have the right equipment.
- Microwaving CDs and DVDs. Although microwaving a CD or DVD destroys the data on the disk, it may also release toxic fumes into your microwave or cause a fire.
- Placing it in the "Recycle Bin" on your desktop, or clicking "Delete." It may disappear from your screen, but it still exists and could be recovered by a computer expert.
Hiring a Disposal Company
- Consider using a certified disposal company. The National Association for Information Destruction (NAID) audits their member companies for compliance with the association's standards.
- Ask if they have been independently audited or certified, and request a copy of the audit or certification.
- Ask for several references and call the references.
- Ask for a signed agreement that explains the company's procedures for destroying documents.
U.S. Laws Governing Data Disposal
Federal Laws
The Fair Credit Reporting Act (FCRA) and the Federal Trade Commission's Rule concerning the Disposal of Consumer Report Information and Records (the Disposal Rule) requires small businesses that obtain consumer information from consumer reporting companies (e.g., Equifax, Experian, or TransUnion) to take "reasonable measures" to properly dispose of that information. Health care providers and financial institutions may have additional obligations to destroy consumer information under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
State Laws
Approximately 24 states have statutes that require small businesses to dispose of records that contain personal information. Similar to the Disposal Rule, the majority of these statutes require small businesses to take "reasonable steps" when destroying records. Some of the state statutes only apply to specific types of small businesses, such as health care providers, financial institutions, or tax preparers. You should consult an attorney to determine whether any state laws apply to your business
