A large portion of the data breaches that occur each year involve human-resource-related information. Bryan Cave has put together a multi-part series to help human resource managers understand, prepare for, and react to a data breach.
This part discusses a specific type of data security breach: improper disposal, such as throwing sensitive material out without shredding it or discarding a computer without erasing its drive.
Many employers know that they should protect sensitive information relating to employees that is in their possession, but mistakenly think that the need to protect information ends when they no longer have a use for it. At least 31 states and Puerto Rico have enacted laws requiring the destruction or disposal of personally identifiable information in a way that renders it unreadable, unusable, and undecipherable. Some of these statutes give examples of proper disposal methods for both electronic and paper documents, including shredding, burning, pulverizing, destroying, or erasing the information. Some of these states impose a civil penalty per affected person when a company fails to ensure that personal information is securely disposed of.
Companies should develop and implement a data retention policy that governs how long employee personal information will be kept and sets forth a plan for the destruction of both paper and electronic records containing such information. The policy should ensure accountability by designating a specific person or department to take ownership of ensuring that data destruction occurs after an employee leaves the company and the information is no longer required to be maintained. The designated person should be required to certify that such information has been securely destroyed, including identifying all sources of that information (file shares, HR systems, e-mail, backups, and copies held by business partners). Because simply deleting electronic information does not actually erase it (an ordinary delete typically removes only the reference to the file, leaving its contents on the disk until they happen to be overwritten), your IT department should be consulted on methods for ensuring permanent removal of information from company hard drives, such as secure-erase tools, encryption with destruction of the key, or physical destruction of the drive.
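The point that deleting is not erasing is easier to believe when you can see it. The following is an added illustration written for this article (it is not Bryan Cave's code and not a real filesystem): a toy in-memory block store where an ordinary delete only frees the blocks, a forensic-style scan of the raw media still finds the "deleted" personal data, and an overwrite-then-delete does not leave it behind. It also sketches the retention sweep described above: records past a policy-defined retention period are destroyed and a destruction certificate naming the owner and every source is produced. The disk, file names, employee records, the 7-year retention value and the SSN string are all constructed for the example.

```python
"""Why "delete" is not "erase": a toy block store with ordinary delete,
overwrite-then-delete, and a retention sweep that certifies what was destroyed.
Added example for this article; not Bryan Cave's code. The disk, the file
names, the retention period and the employee data are all constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

BLOCK = 16  # bytes per block; tiny so the example is easy to inspect


class ToyDisk:
    """Minimal block device plus allocation table (hypothetical, in memory)."""

    def __init__(self, blocks: int = 64) -> None:
        self.media = bytearray(BLOCK * blocks)   # raw storage
        self.free = list(range(blocks))          # unallocated block numbers
        self.files: dict[str, list[int]] = {}    # name -> blocks it occupies

    def write(self, name: str, data: bytes) -> None:
        n = -(-len(data) // BLOCK)               # ceiling division
        blocks = [self.free.pop(0) for _ in range(n)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\x00")
            self.media[b * BLOCK:(b + 1) * BLOCK] = chunk
        self.files[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the directory entry and mark the blocks free.
        The bytes stay on the media until something else overwrites them,
        which is how a normal filesystem unlink behaves."""
        self.free.extend(self.files.pop(name))

    def secure_delete(self, name: str) -> None:
        """Overwrite every block the file occupied, then delete it."""
        for b in self.files[name]:
            self.media[b * BLOCK:(b + 1) * BLOCK] = b"\x00" * BLOCK
        self.delete(name)

    def carve(self, needle: bytes) -> bool:
        """Forensic-style scan of the raw media, ignoring the file table."""
        return needle in bytes(self.media)


@dataclass
class EmployeeRecord:
    employee_id: str
    separated_on: date
    sources: list[str] = field(default_factory=list)  # files holding this person's PII


def records_due(records, today: date, retention_days: int):
    """Records whose retention period (a policy input, not legal advice) has elapsed."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if r.separated_on <= cutoff]


def destroy_due(disk: ToyDisk, records, today: date, retention_days: int, owner: str) -> dict:
    """Securely delete every source of every due record and return a
    destruction certificate listing who certified it, when, and which sources."""
    cert = {"certified_by": owner, "date": today.isoformat(), "destroyed": []}
    for rec in records_due(records, today, retention_days):
        for src in rec.sources:
            disk.secure_delete(src)
            cert["destroyed"].append({"employee_id": rec.employee_id, "source": src})
    return cert


def demo() -> tuple[bool, bool, dict]:
    """Constructed scenario: one record past retention, one still within it."""
    pii = b"SSN 123-45-6789 (constructed)"   # invalid example SSN, not real data
    plain, secure = ToyDisk(), ToyDisk()
    plain.write("hr/terminated/a.txt", pii)
    plain.delete("hr/terminated/a.txt")           # ordinary delete
    recoverable_after_delete = plain.carve(b"123-45-6789")

    secure.write("hr/terminated/a.txt", pii)
    secure.write("hr/active/b.txt", b"SSN 987-65-4321 (constructed)")
    today = date(2024, 1, 1)
    records = [
        EmployeeRecord("A", date(2016, 6, 30), ["hr/terminated/a.txt"]),  # past retention
        EmployeeRecord("B", date(2023, 6, 30), ["hr/active/b.txt"]),      # still retained
    ]
    cert = destroy_due(secure, records, today, retention_days=7 * 365, owner="HR Records Owner")
    recoverable_after_secure = secure.carve(b"123-45-6789")
    return recoverable_after_delete, recoverable_after_secure, cert


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(True, False, cert)`: the ordinary delete leaves the SSN carvable from the raw media, the overwrite does not, and the certificate lists only employee A's source. On real hardware the overwrite step is the weak link: SSDs remap writes for wear leveling, copy-on-write and journaling filesystems keep old copies, and backups hold further copies, so practitioners generally rely on the drive's built-in secure erase, on encryption at rest with destruction of the key, or on physical destruction, as the statutes quoted above allow.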
TIP: If you provide information about your employees to a business partner who assists your company with employee-related services (e.g., benefits, payroll), your contract should set forth clear expectations for the destruction of personal information after an employee leaves your company, including how and when the partner will confirm that destruction. The person within your company who is in charge of data destruction should also be tasked with notifying business partners when an employee leaves.