My friend Nick Owen of Wikid Systems pointed me to an article in the Atlanta Journal and Constitution about lots and lots of PII being disposed of at a local recycling center. This just goes to show how a lack of understanding can affect your privacy and your identity. That, or how apathy can affect them.

It seems that a local law firm needed to dispose of lots of documents and decided that taking them to the local recycling center was the environmentally responsible thing to do. Not to mention it’s lots cheaper than actually paying a shredding service to shred them securely. They had boxes and boxes of W2 forms, bankruptcy documents and other records containing all sorts of PII. Just think about what kind of info would be on the bankruptcy docs alone: name; address; SSN; bank info; employer; employment history; and I don’t even know what else. (Luckily, *knock on wood* I’ve never had to file for bankruptcy).

There are a couple of issues in this that I want to touch on, and they both have to do with a lack of understanding of privacy and identity theft. The courier who was dumping the boxes made the following statement.

“I was just instructed to dispose of the documents and my understanding was it was a secure site because it’s a very high and large dumpster,” he said. “My understanding is that once stuff goes in nobody can take anything out because it’s very deep.”

There is a part of me that hopes that he was just grasping for something to say to keep out of trouble. Who honestly thinks that a “deep” dumpster provides security for physical documents? Or is he just that uninformed as to the potential risk? I shouldn’t be too hard on him because most likely he was just doing what he was told to do. Someone at the firm probably told him to dispose of them and suggested the recycling center. Now that is better than the office dumpster, but I have to wonder whether they didn’t suggest the office dumpster simply because it wouldn’t hold all the documents. Maybe they figured that they would have to pay extra if they filled it up.

The real question is why did they not hire a secure shredding service? Surely they know and understand the danger of just throwing away these types of documents. Was this just oversight on their part, or just plain apathy as to the potential impact on their clients? Maybe they don’t charge enough an hour to afford secure disposal. (Sorry, the more I think about this the more cynical I become).

So why blog about this on a security blog? Because this is a part of a good information security program. It goes beyond electronic data. It includes physical data, it includes audible data, it includes awareness. It includes helping others understand their responsibility in protecting the data that they work with. It’s about helping the business understand the risk that it faces and giving it the means to mitigate that risk.

Who wants to take a guess at which company has their shredding business by the end of business today? :)