Document shredder leaves data security in tatters

A company's transition to electronic documentation takes an alarming turn when a major weakness is discovered

Document shredder leaves data security in tatters

Solid, functional IT plans don't always come together in one fell swoop. Instead, you have to tweak them and be ready for input when unforeseen problems arise. In our company's digital transformation, we were able to clear a couple of minor hurdles -- but a big stumbling block nearly undid our good work.

To comply with HIPAA regulations and ensure employee privacy, our payroll department initialized a move to convert all documents to electronic format on a secure server. This required the scanning of several years’ worth of documents into the system -- a time-consuming task.

However, the manager on this project figured it could be done on top of regular work. Therefore, the payroll employees were assigned to tackle the assignment in their “spare” time.

The IT department had purchased a scanner that was more than adequate for the task and the project was progressing well when the other shoe dropped: What to do with the paper copy?

Paper trail

The project lead decided the documents were to be shredded, and one payroll employee was charged with the dreaded task. This person was sent to a cubicle with the only shredder we had in the office: a small, business-size unit. I voiced my concerns but was told it would be fine.

I felt bad for the employee. The shredder could handle only 7 pages at a time, maximum. To make matters worse, the bin would overflow after about 10 minutes of feeding it paper. If the employee didn’t keep an eye on it, the shredded paper would fill up and clog the gears, and the whole operation would cease until the jam was removed.

The job moved forward slowly, and the employee was getting more and more frustrated since they weren’t able to tend to other tasks in the meantime. Overall, the work was not going well.

I suggested hiring a shredding contractor that would deliver a large locked container in which the paper could be inserted. The contractor would come by on a schedule or when called, then haul away the contents and shred them. We signed a contract, and the office ran smoothly once again, as the workers learned to deposit sensitive documents in the bin. Everyone seemed pleased.

Security snag

Cleaning up old files, I found a few credit card statements that contained the full credit card number, so I decided to deposit them in the bin. Imagine my surprise when I found the bin to be almost overflowing. But the real kicker: There was no lock on it.

Apparently, when it was last dumped, the contractor unlocked the padlock so that he could dump it. He never replaced the lock, and everyone had been tossing their sensitive papers into an “open” trash can. After a quick call and a hurried visit from the contractor, the lock was reinstalled.

As far as we know, nothing was compromised -- but it was a sobering experience for us all, as well as a reminder that security is only as good as the weakest link.