When it comes to data breaches, you might not think it can happen to you. Perhaps it would help for you to know that there have been over 5,000 data breaches since 2005 affecting over 900 million records.
That means about 1 in 7 (14% of the population) have been victims of data breaches. Those are just the ones we know about that have been documented. The real number is likely much higher.
What those numbers do not tell us is how the breaches were exploited. These days, when we think data breach, we think computer breach. And while that is a natural suspicion to have, it ignores an even more likely candidate: paper.
We Do Not Live in a Paperless Society
Point blank: the dream of the paperless society is unrealistic in our lifetimes.
No statistics or deep insight need be applied to recognize the truth of this proposition. All that's needed is to recall the last time you checked out at a grocery store and received a paper receipt. Regardless of what you did with yours, the store maintained a copy.
The doctor's office you last visited probably still has the sign-in sheet where you printed your name and insurance information.
Remember that mound of papers you signed when you purchased your last house or automobile? Some version of that stack of papers will be waiting for you the next time you make such a purchase.
To obtain your most personal information, one need not hack a computer. Picking the lock of a file cabinet will do quite nicely. A little corporate dumpster diving will also do the trick.
While we are learning about encryption for digital data, it is more important than ever that we are reminded of the importance of shredders for analog data.
Making the Cut
Not all shredders are created equal. A shredder you might use for junk mail may not be sufficient for your business needs. While shredder quality and durability are factors to consider, it all comes down to the type of cut the shredders make.
Strip-cut: Apply scissors to paper until you get between 40 and 50 strips. You have just emulated the work of a basic strip-cut shredder.
The size of the cut is inversely related to the security of the shredder. The larger the cut, the lower the security. The smaller the cut, the higher the security.
The strip cut you just did can be pieced back together by someone with enough time and incentive. This may be enough to deter common thieves from reassembling your junk mail. But it will not do for protecting even more sensitive data.
Cross-cut: Take those 40 pieces you just made. Stack them together. And cut them ten more times. Now, you have done the work of a cross-cut shredder. Good luck piecing those 400 shards back together.
Regardless of how little you think of your consumer documentation, I recommend making the cross-cut (sometimes called confetti-cut) shredder the minimum security level for your shredding needs.
Now take all those pieces you have made with scissors, and run them through the shredder of your choice. You have just performed a micro-cut. To meet your highest level business security needs, start here.
Price vs. Cost
The price of a good business shredder can run into the thousands. But due to the risk of data breaches, the cost of not having one can run into the millions.
Companies that focus on the price of security will inevitably pay the cost. At the low end, expect to pay three-quarters of a million dollars for a breach. The average is more like $3.5 million. On the higher end of the scale, a data breach can run into the tens of millions to resolve.
A data breach costs a lot more than money. There is also an inconvenience, and not just for you, but for your customers.
First, there is the sinking feeling you get when you discover you have been robbed. You have to assess the damage, stop the bleeding and get set up all over again. That feeling of vulnerability never completely goes away.
There are things you can change, like your password, and maybe your email address (though this is highly inconvenient). But other things like your physical address, name, and social security number are almost impossible to change. That information is permanently out there in the hands of people who mean you ill-intent.
Customer Dissatisfaction
The customer feels extremely helpless after hearing about a data breach. They entrusted you with their most sensitive information. Now, they don't know where to turn. All they know for sure is that they can no longer trust you.
At this point, all that is left for the company to do is damage control. No matter how conscientious you are, your best efforts will not give the customer back that which they have lost. They are not thankful for that one free year of credit monitoring you will offer.
The criminals are almost never caught. And the only one they can blame is you. Their anger is understandable. And it will be even greater if they discover their identity was compromised because you didn't use an appropriate shredder for discarded documents.
Regulatory Compliance
Before you shred, make sure you are within regulatory compliance. The Department of Consumer Protection has some important guidelines for shredding and preserving documents.
Some documents like birth certificates and college transcripts should never be destroyed. They should be kept securely in an appropriate lockbox. Other documents should be securely shredded after a certain period of time. Here are a few examples:
- Shred canceled personal checks after 1 year unless needed for tax purposes.
- Shred bank transaction receipts after verification of completion.
- Shred tax filings after 7 years.
As a consumer, a shredder is optional but recommended. As a business, a high-security shredder is a necessity. Spending thousands on hardware and software encryption means nothing if you don't plug the analog hole with a quality shredder.
Remember, money is not the only thing on the line. At the end of the day, it is not about money. It is about protecting the people who entrust you with their vital information.