The drugstore chain CVS is being sued by the Texas Attorney General for failing to properly dispose of customer records, including credit card and debit card numbers, driver's license numbers, and medical prescription forms showing name, address, date of birth, issuing physician, and the types of medication. According to news reports, the store was being closed when over 1,000 papers containing confidential information were found in the dumpster behind it. (1,000 records would be about 2 reams, or roughly 10 pounds of paper, and could easily have come from a single office-sized trash can.)
Dumpster-diving for sellable information is an increasingly common problem. Last year, a local Westfield office manager drove into his office's parking lot early one morning and surprised a man and a woman fishing papers out of the building's dumpster. Before he could even park, they jumped into their pickup truck and sped away. (Because the members of that office follow Westfield's "shred everything" policy, none of our customer information was compromised, but we did notify the other tenants of the building.)
Failure to properly destroy confidential information is a violation of the Federal Trade Commission's regulation on disposal. In addition, it is a violation of several Texas laws and carries potential penalties of $50,000 per violation and/or $500 per abandoned record. This one incident could cost CVS's parent company over $500,000 in regulatory fines alone. The company is also reported to be under investigation by the US Office for Civil Rights and the Illinois AG for similar failures in other states.
In addition to the legal penalties, CVS is expected to suffer in the marketplace. According to a recent study by Javelin Strategy & Research, 77% of consumers said they would stop shopping at stores that suffer data breaches. While it is unclear how many customers will actually follow through on that threat, independent research estimates that a security breach costs $200-300 per lost record once you include the costs of disclosure, increased call-center costs, lost employee productivity, legal fees, and the loss of investor and customer confidence.
While the law requires only that confidential documents be properly destroyed, I strongly recommend a policy that all papers be shredded when they are no longer needed; no office paper should go into the regular trash stream. There is too much chance that a social security number or an unlisted phone number will be overlooked on the back side of a page.
For offices with fewer than about 10 employees, the most cost-effective solution is usually to invest in a good-quality cross-cut shredder. For larger offices, consider contracting with a shredding vendor who can provide secure bins in which papers are collected until the vendor's scheduled pick-up. Require that all paper trash be placed in one of these bins.