06/14/2007
by Charles R. McConnell
Electronic versus paper
In these days of creating and retaining information electronically, old-fashioned paper documentation sometimes fails to get the attention it deserves. Given the growing presence of electronically processed information and the increasing effort expended to protect it, it's reasonable to assume that most of today's electronic information is more secure and better protected than information retained in hard copy. Though paper records are steadily giving way to electronic records, they remain far from vanishing completely, and except for the simplest of records, they are replaced electronically only with considerable effort. Because most of today's information security efforts focus on information processed and stored electronically, it is becoming easier to overlook security considerations for hard-copy documents.
Much of what is recorded electronically also exists on paper. Some of this duplication is out of necessity, bowing to a perceived need for backup in the event of loss, but much of it happens because people aren't comfortable with electronic retention only, even when the information is backed up. Some need to feel assured of the true existence of the information and can do so only when they can lay hands and eyes on the hard copy. This is all well and good, but the existence of information duplicated in hard copy creates an increased risk of document security breaches.
Although more information than ever is retained electronically, many businesses remain unable to get away from paper in a number of critical forms. Consider employee personnel files. Though much employee information is likely retained electronically, most of the information in today's personnel files exists only on paper.
Document security is inextricably linked to today's growing concern for individual privacy and our burgeoning problems with identity theft. That's why you should consider setting rules or procedures for creating, processing, retaining, accessing, storing and eventually destroying sensitive documentation.
The problem with hard copies
Much of the paper created in business is actively used for a while, but then it becomes essentially useless for current or continuing needs. Once a document has passed its peak of usefulness, this hard copy is at risk. Many users tend to ignore this "obsolete" documentation because they have no more use for it; however, this information is frequently valued by those who might misuse it. Consider the fate of a particular company's all-employee listing that was updated and reissued monthly. For some time, when a new listing was generated, the superseded listing was simply "blue-boxed" for recycling. When someone became concerned about discarding employee information where anyone could take it, the recycle box was abandoned in favor of a "burn box." It was later discovered that the maintenance person assigned to do the burning supplied a nearly-up-to-date employee listing to a union organizer.
Payroll records are also often at risk. Presently, most payroll reports are created and retained electronically and printed for strictly limited distribution. However, payroll input documentation, such as time sheets or time cards, exists in hard copy and must be retained for a period specified by law. (Federal law requires most employers to retain payroll input documents for three years.)
Hard-copy documentation is most vulnerable immediately after it has served its primary purpose; because it's no longer important to the job, it's often forgotten. However, it can still be "important" to someone who shouldn't have it.
Document security
For the security of important documentation, consider the following guidelines for treatment of hard copy:
- Keep sensitive information locked away when not in use; never leave important documents lying around.
- Ensure that payroll input records are kept in secure storage and are open only to strictly limited access.
- In disposing of confidential records, forget direct recycling. If disposing by burning, do so under the direct supervision of the records' originators or legitimate users. If disposing by shredding, do so within the originating or using department.
- Allow strictly limited access to employee personnel files. It's best to leave all filing and retrieval of employee information in the hands of a few people (specifically designated human resources employees, for example) and allow no general access by any others.
- If a sensitive document is no longer needed, don't keep it. Don't allow unneeded paper to accumulate.
- Finally, always limit access to hard-copy documentation to as few individuals as possible. The strictly observed principal criterion for access to any sensitive documentation should be the legitimate need to know.

