Correct information destruction procedures have become increasingly important in light of legislative developments concerning Data Protection. Brian Sims examines the escalating problem of ID theft in UK plc, and outlines ways in which security professionals might dispose of confidential material to help tackle the issue. Photographs courtesy of the BSIA

March 1998... Punch magazine carries out some undercover work, including a random check on rubbish bags outside 14 banks. Reporters uncover what should have been confidential information concerning more than 5,000 customers (which would have rendered the banks liable to Court proceedings under the Data Protection Act 1998)...

1999... In the Mohammed-Al-Fayed versus Neil Hamilton Court case, documents detailing the proposed line of questioning by Hamilton’s legal team are allegedly discovered in bins outside their premises. These documents are then sold on to the Harrods business mogul ahead of the trial...

Later in the year, a number of ‘wiped’ computers from Deutsche Bank are obtained by individuals who re-constitute the hard drives and duly uncover details of share dealings involving high profile customers such as former Beatle Paul McCartney...

2000... The rubbish bins of three Cabinet ministers are rummaged as part of a ‘dirty tricks’ campaign. It emerges that one of Tony Blair’s key advisers has thrown away sensitive memos received from the Prime Minister along with the rest of his household waste...

There’s more... 75% of the UK’s local authorities claim that the ‘tactic’ of ‘bin raiding’ is taking place regularly within their areas of jurisdiction (‘Is it really a load of old rubbish?’, SMT, June 2005, p43-44). Those bin raiders would have had a field day if they’d come across the findings of a recent report published by credit reference agency Experian investigating the information disposed of by businesses and private householders alike. An agent to the stars, for example, was found to have ‘canned’ records containing the names, addresses and mobile numbers of well-known film and TV personalities... A travel agent discarded photocopies of passports showing passport numbers, dates of birth and photos.

Again, there’s more... An educational establishment threw away the full financial details of applicants for some of its courses... A mortgage broker had disposed of numerous completed mortgage applications containing clients’ financial details.

ID theft: a massive problem

Whether you are a security professional, the head of a corporation, a politician or a member of the general public, the latest Government statistics on identity theft make for uncomfortable reading. Home Office studies estimate that more than 100,000 individuals are affected by this type of theft each year, costing the British economy over £1.3 billion per annum.

Today’s more intelligent breed of criminal is committing identity theft by stealing personal information – either in written form, by making contact with someone and pretending to be from a legitimate organisation, or by logging on to the Internet. On that note, cybercrime – as the computer ‘whizzkids’ have dubbed it – is now costing UK businesses something in the region of £2.4 billion every year. Unsuspecting individuals are susceptible to identity scams when they’re shopping online, banking online or even when voting in a General or Local Election (as demonstrated by the controversy surrounding postal ballots submitted for the recent St Albans By-Election in Hertfordshire).

From a business perspective, confidential data in the form of directors’ signatures and financial information can provide criminals with more than enough ammunition to defraud a company. And don’t forget customer records, marketing plans, internal memoranda, the minutes of meetings, payroll data, costings, (new) product information, personnel details, flipchart materials from seminars and workshops. Even rough notes. Oh yes, and let’s not fail to mention computer hard disks and CDs/DVDs. In the wrong hands, information gleaned from all of these media might even bring a business to its knees.

Sadly, a great many corporations are ignorant of this problem and its side-effects. They remain so at their peril... An increased focus in society on personal privacy and wider confidentiality issues inevitably means a far greater scrutiny of business performance in relation to this issue. Perceived shortcomings may well lead to reputational damage that is nigh on impossible to repair.

The Data Protection Act 1998

Ignorance is most certainly not bliss. The responsibilities of organisations relating to confidential data have become far more stringent since the implementation of the Data Protection Act 1998 from March 2000. Companies must destroy (under secure conditions) any data containing personal information (including name, address, financial and legal details). The Act itself covers computer records, information held in manual files (eg index cards and filing systems), computer disks and CDs.

Corporate concerns must now have a Data Control Policy in place, and adopt processing methods that demonstrate appropriate measures are being taken to prevent unlawful processing or disclosure of data, and the accidental loss or destruction of – or damage to – personal data. Putting information in the bin and hoping that it will be destroyed in an appropriate manner at a later juncture was never the answer, and most certainly isn’t now.

The aforementioned Act states that if a company’s appointed Data Controller (ie those originating the data) is using a sub-contractor as their preferred data processor, then they must choose one that offers cast-iron guarantees on security measures, and one that takes reasonable steps to ensure compliance with those measures. There must also be a legally-binding, written contract in place between Data Controller and Data Processor such that destruction is evidenced in writing (this is covered under Principle 7 of the Act).

Make no mistake: both the client and the data destruction company are liable for any breaches of the Data Protection Act 1998. Penalties for non-compliance can now include a fine of up to £5,000, the threat of a criminal record for company directors and/or the company Data Controller and, ultimately, the closure of a going business concern. As you can see, ID theft and the need for destroying confidential data are very serious matters indeed. Be warned: at present, the trend is that prosecutions are on the increase.

Assess your security risks

Security and IT managers seeking to tackle this issue need look no further than the British Security Industry Association (BSIA), which has just produced a dedicated audit procedure (see panel ‘The Security Waste Audit’ on page 31) designed to encourage all businesses to assess the risk of identity fraud and related crimes.

Quite rightly, the Association’s emphasis shies away from the use of conventional waste or recycling companies since they are unlikely to provide the necessary degree of security to ensure that important documents do not fall into the wrong hands. The employment of professional information companies, on the other hand, can help in ensuring that your Data Protection requirements are met by shredding documents to a size from which vital details cannot be obtained, using thoroughly vetted personnel and providing a full and comprehensive audit trail concerning the whereabouts of confidential data.

In practice, professional information destruction companies will collect confidential waste at source and provide a fully-trackable service up to the point of destruction. The actual destruction process consists of waste collection by secure transport, inspection, the removal (and destruction) of rubbish and the shredding, pulping and recycling (or incineration) of other materials. Some companies also provide mobile services that can take care of destroying waste on site.

Those on the BSIA’s list of endorsed companies include: Brett Waste Management, the Control Recycling Group, Confidential Destruction Services, London Recycling, the PW Commercial Company, Securishred and Shredall. A full listing is available on the BSIA’s web site at www.bsia.co.uk/shredding

Checklist for in-house managers

For the in-house security manager to guarantee this level of professional service from their chosen information destruction company, they must make sure that the organisation they select to entrust with their data is reliable, and operates to quality standards. A useful checklist by which to abide runs as follows:

  • ensure that the information destruction company has a genuine understanding of your needs and is capable of helping you to improve upon your ID processes (ie they must not be providing a mere ‘off-the-shelf’ solution);
  • ensure that the company concerned is well-equipped to undertake ID work in your region (ie are their only premises away from your region, and what problems might this cause?);
  • check on their ability to provide a quality service that’s consistently in line with your company’s needs (BSIA-registered and approved companies, for example, must be registered to the quality system standard BS EN ISO 9000, and adhere to the Association’s defined Code of Practice);
  • adherence to standards should encompass staff vetting… do the company’s procedures give you confidence in their employees’ honesty and professionalism?;
  • the ID company you choose must have a demonstrably comprehensive knowledge and understanding of the Data Protection Act 1998, and be capable of giving you advice on this;
  • the company should be officially registered as a waste carrier with the Office of the Information Commissioner (this can be verified by logging on to the Data Protection web site at www.informationcommissioner.gov.uk).

A reputable data disposal company will also provide you with a signed Certificate of Destruction for each completed batch of documents, etc. Be aware of the need for a signed Duty of Care waste transfer note when waste is handed over for destruction.

What is being done?

In collaboration with other Government departments, various private sector organisations, finance houses and the police service, the Home Office has established the Identity Fraud Steering Committee (www.identity-theft.org.uk) with the aim of leading a cross public/private sector work programme aimed at tackling identity theft and identity fraud. The programme is designed to co-ordinate existing activity while also identifying new projects and initiatives.

In terms of developing and sharing Best Practice, the Home Office, the UK Passport Service and the Driver and Vehicle Licensing Agency have worked closely with the Association of Payment Clearing Services, the Finance and Leasing Association and CIFAS (the UK’s Fraud Prevention Service) to support the production of ‘Identity Fraud: The UK Manual’. This manual includes examples of known security features from UK passports and driving licences, providing guidance to help spot forgeries immediately.

In addition, last September the Home Office minister Andy Burnham launched an awareness campaign to advise members of the public on how to avoid becoming a victim of identity theft and fraud, and details of the action to be taken if you’re ‘caught’.

The Security Waste Audit

Product destruction is the fastest-growing sector of the ID industry. Of the estimated 150,000 tonnes of waste destroyed by BSIA-registered ID companies each year, approximately 30,000 tonnes is made up of non-paper material (such as IT equipment, uniforms, branded goods and counterfeit items), writes Brian Sims.

With identity theft on the rise, the secure disposal of confidential data is absolutely essential. To this end, the BSIA’s ‘Security Waste Audit’ is designed to make companies think twice about their current attitudes to waste disposal. If you can answer ‘No’ to one or more of the following questions, then you should consider reviewing your shredding and recycling procedures:

  • have you assessed the risk to your business if your confidential information falls into the wrong hands?
  • do you dispose of your paper records separately from your general waste?
  • identity theft is growing – do you know what happens to your company’s waste materials prior to collection?
  • are you aware of the responsibilities you harbour as a Data Controller under the terms of the Data Protection Act 1998?
  • have you drawn up information procedures, and are you satisfied that they are being carried out?
  • do you use an ISO 9000-approved company to destroy your confidential waste?
  • does your contractor provide a Certificate of Destruction and a fully-auditable trail to an approved standard?
  • would you like to see more secure recycling within your company?

Security Management Today readers can download a free copy of the ‘Security Waste Audit’ at: www.bsia.co.uk/shredding

How secure are your company’s electronic documents?

Electronic documents created on computer systems will often be sent under manual or automatic control to other systems.

Many existing electronic document communications systems are insecure, and thus there is a possibility of the files being intercepted and amended during the transmission process without the knowledge of the sender and/or the recipient, writes Brian Sims. With this in mind, users of electronic communication systems are being asked by their companies, Government departments and other employers to review the legal issues relevant to their deployment.

BSI Business Information has just published a new Code that defines operational procedures which comply with Best Practice in the field of electronic document communications. The Code offers recommendations on how organisations can implement well-controlled and structured systems – with minimum risk to authenticity and of any security breaches. Compliance with the Code represents responsible business management.

The ‘Code of Practice for Legal Admissibility and Evidential Weight of Information Communicated Electronically’, authored by Peter Howes and Alan Shipman, is particularly relevant where evidence is required in disputes outside of the legal system. It concentrates on e-mail, SMS, web services, XML and electronic data interchange.

Copies are available, priced at £55, direct from BSI Customer Services (telephone 020 8996 9001, e-mail: orders@bsi-global.com).

Fraud prevention: useful web sites for the security manager

The following web sites provide general information and advice on fraud and how to protect yourself and members of the company from becoming a victim...

www.homeoffice.gov.uk The main Home Office web site
www.homeoffice.gov.uk/crime-victims/reducing-crime/fraud Fraud information page on the Home Office’s main site
www.uk-fraud.info The Fraud Reduction web site is published by the National Working Group on Fraud on behalf of ACPO, and deals primarily with commercial fraud in a policing context – the information contained in these pages is intended to teach individuals and businesses how they can recognise fraud, how to avoid it (through various preventative measures) and how to respond to suspected frauds
www.crimestoppers-uk.org Details of how to report crimes, with the option of reporting anonymously
www.fco.gov.uk Know before you go... Tips for keeping documents and money safe while working or travelling abroad courtesy of the Foreign and Commonwealth Office