Later in the same section, there is a warning regarding the
dangers of turning to non-governmental particle size specifications:
Unfortunately, in the search for some direction on
this particle size, data controllers sometimes mistakenly
interpret and/or apply standards where they are
unnecessary or, worse, where reliance on particle size
provides a false sense of security. In any case, but
especially when information destruction is outsourced,
the overall process is the critically important factor.
Particle size is simply one aspect of that process. The
problem with relying only on particle size guidance is that
the more important factors (the written procedures, the
training, the employee screening, the secure staging, the
custody transfer, the access control, and the disposition of
destroyed material) are often ignored.
Though it may sound a bit cavalier, if particle size were
the key to compliance, compliance could be met using
unscreened, known criminals on a vacant lot in the most
crime-ridden neighborhood in town.
The fact that no data protection regulation includes a prescribed
particle size is also the subject of discussion in Chapter 1, where
the requirements of each regulation are described in detail.
Customer Misconception #9:
It’s Okay to Store Records Indefinitely
At its worst, the conversation unfolds something like this:
Service Provider: “I would like to discuss your records
Data Controller: “That’s not necessary. We keep everything
And even though the data controller may not say it so blatantly,
it is common knowledge that many, if not most, companies don't
destroy retained records once those records have reached the end
of their retention period. Of course, this is bad news: for them,
because it puts them at risk, and for secure destruction services,
because they are denied the opportunity to properly protect their customers.
This risky misconception is confronted directly on page 56 of
Chapter 3: Records and Information Management Principles, in
the section titled Liability of Retaining Unnecessary Records.
The risks delineated within this section include Legal Discovery,
Adverse Inference, and Increasing Risk of Unauthorized Access.
In all, almost two pages of text describe in detail why the data
controller should not retain records longer than legally required.
It should be noted that the short conversation above, which
characterizes this misconception, also signals that the data
controller does not consider the daily flow of media to be
something that requires destruction. Readers will remember
that this was covered in Customer Misconception #3. So, when you
hear a data controller say they don't need a records destruction
service because they keep everything, you probably have
two misconceptions to overcome – and good use for the new
Customer Misconception #10:
A Compliance Officer is Unnecessary
NAID members rated this issue as tenth in our survey of
misconceptions that prevent them from providing service to their
customers and prospects. Personally, I think it is in reality much
higher. I believe that if every company had a person on staff
responsible for the organization’s compliance, there would be a
lot more data destruction occurring.
Information Disposition makes it very clear that the assignment
of a compliance officer should be a major priority. It not only
describes why data protection regulations require it, but also
describes what will happen if there is a data breach and it is
discovered that no compliance officer was appointed.
As early as page 14 of Chapter 1, we read:
Designation of Accountability
HIPAA and GLB require organizations to appoint
an individual to be responsible and accountable for
compliance. Of course, from a practical perspective, it
is easy to understand why that is important. Without a
person assigned accountability for compliance, it would be
very difficult, if not impossible, to achieve and enforce.
In the event of a data security breach or an audit,
regulators will almost certainly first ask to speak to the
individual responsible for the organization’s compliance.
Of course, admitting that accountability has not been
designated, in addition to being non-compliant with the
regulation, is also very likely to be considered negligent,
and, in the case of HIPAA, could well rise to the level of
Not all regulations are as clear as HIPAA and GLB on the
issue of assigning internal compliance accountability.
However, even where that is the case (FACTA and state
laws), practically speaking, it is still incumbent on an
organization to assign such accountability. Were there