Information Destruction

By Steve Mark.

In February this year I was asked to deliver a speech at the 2013 National Association for Information Destruction Australia and New Zealand Conference (NAID-ANZ) in Sydney. I was specifically asked to address the responsibilities of organisations to protect information in accordance with new privacy legislation that was being enacted Australia-wide and the implications of failing to protect such information. Prior to my speech, a press conference was held marking the release of the results of an investigation by a licensed private investigator who had examined the contents of publicly accessible trash bins used by businesses in Sydney that had an established responsibility to protect client data. The private investigator did not break any laws or go to extreme lengths to access the trash bins but merely observed the contents of the bins as any curious passer-by might.

The Disposal Habits Study 2013, commissioned by the National Association of Information Destruction (NAID), revealed that of the more than 80 sites surveyed, 11 per cent of bins contained personal confidential information readily accessible to passers-by. According to the study, the worst offenders were banks, lawyers and doctors. At one site, a report detailing account holder’s information, such as their name, address, credit card number and credit limits, was found. At another site, the investigator found documents outside a solicitor’s office, including correspondence about a legal settlement for a real estate dispute, documenting the parties involved, the amount of the settlement, and bank account information for the account receiving the settlement. And at another site, the investigator found results of blood tests from a lab in the trash outside a doctor’s office. On the forms were patients’ names, addresses, social security numbers, and diagnostic information.

Although the results of the study were very disappointing, Sydney fared better than other cities where the same study was also conducted. In the same study conducted in Toronto, Canada; Madrid, Spain; and London, U.K., more than 40 per cent of commercial trash bins contained confidential information. The purpose of the study and use of the investigator was to highlight the lack of security that exists in the general commercial community of client data and information. This has been one of the primary reasons for the tightening of privacy legislation worldwide and was the subject I was asked to address.

While the paper I delivered on organisation’s responsibilities under privacy legislation addressed a very real and serious concern for the companies attending the conference, the Disposal Habits Study 2013 raised questions for me that went well beyond the concerns about breaching privacy legislation. After hearing about the study, I began to question the purpose of the information destruction industry and the responsibilities of such organisations.

Identity theft is the largest type of identity fraud affecting more than 11 million people worldwide annually. Online data breaches and online identity theft are the two most common forms of identity fraud. The cost to society of data breaches is significant. Identity fraud causes financial damage to consumers, lending institutions, retail establishments and the economy as a whole. The Australian Crime Commission conservatively estimates that serious organised crime costs Australia between $10-15 billion every year.[1] This cost comprises loss of business and taxation revenues, expenditure on law enforcement and regulatory efforts, and through the social and community impacts of crime. In 2011, research released by Symantec Corp and the Ponemon Institute revealed that the average cost of a data breach reported by Australian organisations had risen steadily for the third consecutive year, reaching $2.16 million in 2011.[2] The study also found that malicious or criminal attacks were the most common cause of data breaches and the most expensive type of breach overall for Australian businesses.[3]

Noting the increasing costs to society of data breaches, governments around the world have reacted by strengthening privacy legislation and declaring their concerns. In Australia, for example, we have seen the recent passing of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Act 2012) which introduces a number of key changes. These changes include a new unified set of Australian Privacy Principles (APPs) to replace the current dual system of Information Privacy Principles applicable to federal public sector organisations and National Privacy Principles applicable to private businesses; stronger restrictions on direct marketing such that personal information may not be used for direct marketing unless certain requirements are met and new requirements in relation to cross-border data transfer, including that businesses disclosing personal information to overseas recipients will remain liable in some circumstances for any breaches of the APPs by the overseas recipient.

Additionally, the Privacy Act 2012 requires organisations to actively maintain a privacy policy and ensure compliance on an ongoing basis; changes the credit reporting provisions; provides the Privacy Commissioner with enhanced powers and imposes significant monetary penalties of up to $220,000 for individuals and $1.1 million for companies for a serious or repeated interference with the privacy of an individual.

Last year, the Australian Government also decided to celebrate Data Privacy Day together with the United States, Canada and 17 European countries to commemorate the signing of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in 1981.[4] The 1981 Convention is the first official international treaty about issues surrounding data privacy and cyber security.

These changes underscore an environment in which individuals are now demanding greater privacy protection. Ironically, this is occurring at a time when individuals through social media, companies through relaxed management systems or negligence, and governments by cyber-attack and inadvertent disclosure are releasing more private information than at any time in history. The legislation, which commences in March 2014, will require both public sector organisations and private businesses collecting and/or dealing with personal information in Australia or from Australian residents to review their privacy procedures to ensure compliance. Organisations that disregard their responsibilities to protect personal information run the risk of public embarrassment, increased scrutiny and significant regulatory sanctions.

However, this new regime does not just affect organisations that hold personal or private information. Organisations that are involved in the destruction of such information are also indirectly affected. The following two scenarios illustrate the affect. Firstly, where a data destruction organisation is instructed by a client to destroy data but that organisation does so improperly and the data is not destroyed. Secondly, where a data destruction organisation is asked to destroy data in an unethical manner. In the latter, for example, a client may instruct the data destruction organisation to destruct certain parts of the data only where they are actually obliged to destruct or dispose of all of the information.

An even more difficult, but no less important, question concerns the situation where an information destruction company is contracted to destroy information (held in either documents or computer records) but the organisation believes that the information should not be destroyed, because the client is a criminal cartel for example. Leaving aside the question of how they would know what the content of the information (or hard drive) was, in circumstances where the information is known, and the organisation decides not to destroy the information (perhaps in the public interest?) then who is its client? Is the client the government, the police or the general community? What about the contractual arrangement the organisation has with the client? Does it contain confidentiality clauses? Can the contract be breached in the public interest? I am concerned that these important but difficult questions are, by and large, not being appropriately addressed.

Over the last few years I have been particularly vocal about the need for those involved in the provision of security services to “professionalise”. I have advocated the need for security practitioners to recognise that they have a duty to the community which stands over and above the duty to their clients. It is this higher duty that denotes professional status. For example, lawyers have a higher duty to the Court. Similarly, doctors have a higher duty to the Hippocratic Oath and priests have a higher duty to God. This higher duty offers a level of “protection” to these professions who are faced with unethical or illegal requests. So when a lawyer is instructed by a client to do something unethical or unlawful, the lawyer can refuse by stating their higher duty to the Court.

The protection availed to the above groups is not yet available to security practitioners, however it may not be far off. Over the past few years, the security industry has been working to establish itself as a profession. The establishment of the Security Professional Registry of Australasia and their development in conjunction with the Australian Council of Security Professionals of competencies, principles and standards to ensure that private security service providers demonstrate consistent and ethical services while maintaining the safety and security of their operations and clients within a framework that aims to ensure respect for human rights, national and international laws, and fundamental freedoms, is evidence of this fact.

Although momentum towards professional status for the security industry has now started to take effect, efforts are, by and large, ad hoc. What is needed is recognition by all involved in the provision of security services, including organisations involved in the destruction of information, that a duty to the community must prevail. To achieve this, the security industry not only needs to continue to strive towards professional status, but be recognised by the community as such.

Steve Mark is the Registrar, Register of Security Professionals Australasia, and Director of Creative Consequences Pty Ltd. He can be contacted at steve@creativeconsequences.com.au

 

[1] Australian Crime Commission. Organised crime in Australia, accessed at http://www.crimecommission.gov.au/organised-crime, on 14 February 2013.

[2] Symantec, Press Release, “Data Breach Costs Rise for Australian Organisations, Reaching $2.16 Million Per Incident in 2011”, accessed at http://www.symantec.com/en/au/about/news/release/article.jsp?prid=20120328_01 on 14 February 2013.

[3] Ibid.

* In January 2010, Steve Mark was appointed Registrar, Australasian Register of Security Professionals which has been established to set competencies and criteria for the registration of security professionals in Australia and New Zealand. Steve is the Legal Services Commissioner of NSW at the Office of the Legal Services Commissioner (OLSC) and has held that position since 1994. The OLSC receives complaints about solicitors and barristers in NSW. The OLSC works as part of a co-regulatory system, together with the Law Society of NSW (professional body for solicitors) and the NSW Bar Association (professional body for barristers) to resolve disputes and investigate complaints about professional conduct.

[4] Council of Europe, accessed at http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm on 14 February 2013.

%d bloggers like this: