Customer Misconception #6:
The Certificate of Destruction Removes
It is understandable that data controllers would be comforted by
believing that once they have a certificate of destruction from the
service provider, they are no longer responsible for the security of
the information. Unfortunately, there are still service providers that
try to capitalize on that misconception. At its worst, this position
is seen when a client says something like, “I don’t care about their
security, I have a certificate of destruction, and so, if it turns up, it
will be the service provider’s problem.” Of course, that is far from
the truth. The truth is that if records turn up, the client will have to
answer for the selection of that service provider. The client will also
be responsible for all the regulatory damages that result. In other
words, the certificate of destruction does not transfer any regulatory
responsibility from the client to the service provider.
Information Disposition stresses throughout that the only way to
transfer regulatory responsibility is through proper due diligence
and contractual language, and even then the transfer is only partial
and tenuous at best. It also, however, contains clear language to
dispel any misconception that a certificate of destruction is of any
value in that regard and that reliance on it alone is a very dangerous
On page 69 in Chapter 3: Records and Information Management
Data controllers sometimes also mistakenly view the
certificate of destruction (CoD) as transferring liability for
destruction to a service provider; the thought being that a
CoD issued by the service provider makes them responsible
for any damage should the information surface. This is a
dangerous misconception. Obviously, the previous discussion
on the difficulty associated with establishing proof plays
into this discussion. For example, if one cannot prove that an
item was in the batch or that it was the only copy, holding
the service provider accountable is problematic. While this
is true, the more significant reason the CoD is not capable of
transferring liability is because regulations do not allow for it.
Of course, the statement above builds on the point that data controllers
cannot transfer regulatory responsibility to the service provider, which is
documented in Chapter 1: Data Protection Regulations.
Customer Misconception #7:
No Need for Written Information Destruction
There is a good reason Chapter 7: Information Disposition Policies
and Procedures is dedicated strictly to advising data controllers
on how to create their internal operating manual for destroying
obsolete media and information. That reason: it’s required by law
that they have them.
That point is first emphasized on page 14 of Chapter 1: Data
Protection Regulations, where it states:
Written Procedures and Employee Training
HIPAA, GLB, and FACTA require an organization to have
written information protection policies and procedures.
Again, it is easy to understand the logic. Not only are such
written procedures necessary to demonstrate internal
operational accountability, without them employee training
and guidance is non-existent from a regulatory standpoint.
It is clearly unreasonable to represent to authorities that an
organization can provide a reasonable level of direction to
employees without written procedures.
In fact, the absence of adequate written policies and
employee training are the two most frequently cited reasons
for regulatory penalties associated with data security
violations. On the other hand, having and implementing such
written procedures insulates an organization from the worst
consequences of a violation.
And, while the book includes the actual regulatory language
specifying the legal requirement to have written policies and
procedures, it also provides examples of what can happen if there is
a breach and such written policies are not available.
The following can be found on page 137 of Chapter 7: Information Disposition
Policies and Procedures:
The following excerpt is taken from the press release by the
Massachusetts Attorney General in May of 2012, announcing
a $750,000 settlement stemming from the improper disposal
of protected health information.
“The allegations against South Shore Hospital in
the lawsuit are based on both federal and state law
violations, including failing to implement appropriate
safeguards, policies, and procedures to protect
consumers’ information, failing to have a Business