Social security numbers. Tax documents. Medical records. Personnel files. All bearing the name of a staffing company. And all found in a public dumpster at an Atlanta-area recycling center.
This TV news report that aired on CBS Atlanta, tells the story of two women, who don’t want to be identified, making a trip to drop off some junk at Recycling Bank of Gwinnett.
As they were dispending with their stuff, they noticed dozens of green folders. The folders, piled high in the dumpster and blowing around on the ground, contained thousands of documents with highly confidential personal information on them.
The documents shown in the CBS Atlanta news video bear the letterhead of Staffing Solutions, a temporary, temp to hire, direct hire and project managed outsourcing staffing company with locations in Alabama, Arizona, Colorado, Kentucky, New Mexico, Tennessee and nearby Alpharetta, Georgia.
Ironically, some of the documents contained statements assuring candidates personal information will be guarded and kept strictly confidential.
One of the women who located the documents told the station, “If anyone should know better than that I think it would be a staffing company.”
The second woman said, “People give their personal information to these companies thinking it’s going to be secure. What would these people think if they found all their information on a dumpster blowing on the ground?”
“People give their personal information to these companies thinking it’s going to be secure. What would these people think if they found all their information on a dumpster blowing on the ground?”
Although we couldn’t locate the corporate headquarters of Staffing Solutions, we did reach out to the company’s Alpharetta office in an attempt to find out if the documents detailed in the TV news report did in fact belong to them, and if they do, what chain of events put them in a public dumpster where they could be – and were – easily discovered.
We didn’t hear back.
But we did find out lawsuits against firms for negligent handling of personal information are becoming more common. Some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data. Even if an organization prevails in court and is not found negligent, litigation costs can be substantial.
As a result, many employers are imposing new restrictions on who can take confidential records out of the office and are providing special training on how to keep data secure.
Nearly every state in the U.S. has enacted a data breach notification law. These laws require businesses to notify consumers of breaches of security. Many of these laws may impose additional obligations upon businesses.
Nearly every state in the U.S. has enacted a data breach notification law. These laws require businesses to notify consumers of breaches of security.
So of course data breaches can cost companies directly, and they can also be costly in terms of damage to corporate reputations.
Twenty percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study by the Ponemon Institute.
When you dispose of waste and recycling paper, are all documents that contain personally identifiable information placed in secure padlocked containers or shredded? (Shredding should be cross-cut, diamond-cut, or confetti-cut shredding, not simply continuous [single-strip] shredding, which can be reconstructed.) Does your recycling company certify its disposal/destruction methods? Is it bonded?
When you dispose of waste and recycling paper, are all documents that contain personally identifiable information placed in secure padlocked containers or shredded?
When engaging an external business to destroy records or electronic media, do you check references? Do you insist on a signed contract spelling out the terms of the relationship? Do you visit the destruction site and require that a certificate of destruction be issued upon completion?
Those are some tough questions, and I’m sure there are lots of staffing companies that aren’t rigorous about document destruction.
Kroll Ontrack has created the following tips for developing and maintaining rules for record retention.
1) Make data management a business initiative, supported by company leadership.
2) Create a document review, retention and destruction policy, including a destroyed documents “log book.”
3) Create an employee technology use program.
4) Clearly document all company data retention policies.
5) Document all ways in which data can be transferred to and from the company.
6) Train employees on data retention policies.
7) Cease document destruction at first notice of a suit.
If you have some best practices we should add to the list, let us know in the comments section.
{ 3 comments… read them below or add one }
You’re right to bring up this issue of confidentiality however the electronic version of the problem as it pertains to the vast majority of small businesses is greater. So many times I’ve visited staffing companies without proper firewalls or virus protection. It’s no wonder identity theft is only getting worse as a problem.
Like or Dislike:
2 
0
Good point, Gregg. That’s why it is so important to have a strong technological foundation. To so many people, network security is an afterthought — until something bad happens.
For small businesses who don’t have a strong technical background, it is often recommended to have your data hosted by a reputable company who can provide ample security.
Like or Dislike:
0 
0
In my research I did of course keep bumping up against the subject of electronic recordkeeping, and the specific challenges contained therein. Since this particular story pertained to physical records and actual pieces of paper, I thought I would stick to that. The broader points are very well taken though. If you don’t have some rigor around your records, be they in filing cabinets or in your network, you are asking for problems. Identity theft is a huge problem, and growing constantly, because companies aren’t taking the proper steps towards preventing it.