Shred It (In-House) or Regret It

Opinion: Companies are learning that they need to work harder to protect data.

JPMorgan Chase on May 4 confirmed that the papers pulled from its trash cans by Service Employees International Union representatives are legitimate bank documents.

The documents taken from the trash by the SEIU included loan applications and other documents containing confidential information such as names, Social Security numbers, bank transaction histories and phone numbers.

John Pironti, chief information risk strategist at IT services firm Getronics, advises clients on preventing and recovering from data breaches. He told me he would have advised JPMorgan Chase to bring in on-site removal services that the bank could have controlled and monitored with a staff of its own.

"Youd have logs of when bins were picked up and where the chain of custody occurred," he said. "Then you can observe them doing on-site shredding. Thats typically what we advise banks. … We have a lot of firms that started hiring companies to help them purge a lot of these documents."

Note that theres a big difference in having an official procedure for how to destroy confidential documents and in having it done on-site where you can see it. JPMorgan Chase has an official procedure in place in which employees are trained to put confidential documents in large locked bins that have slits on the top. When those bins are full, theyre removed and the documents are shredded.


The bank is still trying to figure out where its procedure broke down, Kelly said.

"A lot of times its college kids doing this [shredding work]," Pironti said. "Thats kind of what we see happening."

A separate issue, unrelated to the JPMorgan Chase incident, pertains to the passing of federal guidelines for e-discovery (PDF), effective December 2006, which mandate that any information that can be associated with litigation or a legal activity must be easily discoverable and maintained.

Can you say "Shred it, fast?"

"You can [easily] say I didnt expect this to be used in litigation, so I purged it," Pironti said.

Unfortunately, some organizations have the mistaken impression that confidential data captured from a public source, such as a mortgage deed filed with a town hall, is in the public domain. Hence, the thinking goes, such data doesnt need to be protected, and businesses can dispose of it without worry.

/zimages/5/28571.gifClick here to read about the major TJX data theft that began in 2005.

The way it really works in most cases is that once an organization takes ownership of data as a private corporation, that organization is in fact responsible for safeguarding the information in an appropriate fashion, Pironti said. However, that idea hasnt been translated into corporate culture in many businesses, he said.

"A lot of times its something they dont want to admit they know," Pironti said. "Deniability is a wonderful thing."

Indeed, senior management teams have told Pironti that theyd rather not know they have to protect information. Knowing that, they would have to take action, he said. "Ive been involved in situations where senior management doesnt want to be briefed because of that," he said.

Is getting off the hook really that easy?

The answer can come in litigation.

"Theres some common sense [involved] here: If I capture 100,000 Social Security numbers, I probably should be protecting that data," Pironti said. "I probably shouldnt be crying ignorance on that."

Those kinds of conversations are now starting to be heard. Texas, for example, has put into place mandates against redacting user-identifiable information from public records. "Were starting to see a shift at the federal and state levels," Pironti said. "Even government agencies are starting to realize they have to put stricter controls in place for this data."

Its a recognition that the threats have changed. Identity theft predates the Internet. Whats different now is that adversaries are smarter about capturing, using and selling confidential information, thanks to the underground marketplaces the Internet has enabled.

Security professionals have been saying it for a long time: Instead of having to secure the data, maybe we shouldnt be collecting it and storing it in the first place. At any rate, if your organization feels the need to collect it, to store it and to allow any employee who wishes to print it out, just remember: Having an official procedure for how to destroy confidential documents, even if it includes locked bins and shredding, wont save your hide if those documents turn up in a trash can.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.