Destructive roles: Firms help clients comply with information security regulations

Ken Burns, owner of E-Waste Recyclers of Colorado, runs computer hard drives through a machine that shreds the components into so much metal confetti. In addition to recycling electronic components, E-Waste Recyclers offers electronic data destruction services. (Business Times photo by Phil Castle)

Scott Fasken tells horror stories about what happens to businesses when they don’t protect confidential medical and financial information.

Thieves break into an office and steal computers. A thumb drive is lost. Bins full of documents headed to a shredder tumble off the back of a truck and wallpaper a busy city street. Endings are seldom happy.

But the implementation of federal regulations that step up enforcement and impose increasingly harsh penalties on businesses that fail to properly protect and destroy confidential information makes those true tales all the more grim, Fasken says. “It’s a pretty scary place.”

Fasken works as vice president of Colorado Document Security, a Palisade firm that offers document destruction services across Western Colorado and into New Mexico and Wyoming. Fasken also serves as president of the National Association of Information Destruction, a trade association for companies like Fasken’s.

Steve Attarian handles sales and marketing for E-Waste Recyclers of Colorado. The Grand Junction-based company not only recycles electronic waste, but also offers electronic data destruction services.

Attarian couldn’t agree more with Fasken’s assessment. But many business owners and managers remain either unaware or unconcerned, Attarian says. “There’s no fear of enforcement of those laws.”

There should be, Fasken and Attarian say.

A growing list of federal regulations requires the security and proper destruction of consumer, financial and medical documents and electronic records.

Add to that list the final rules of the Health Information Technology for Economic and Clinical Health Act (HITECH) released earlier this year. The regulations hold not only doctors, hospitals and other health care providers responsible for securing patient records, but also the businesses with which they work. Businesses most not only comply with data protection laws, but also state their security procedures.

Provisions of the final rules require health care providers and businesses to alert authorities and patients when information is put at risk or discarded in an unsecured manner.

Provisions also impose mandatory fines for violations and increase maximum fines from $25,000 to $1.5 million.

In addition, state attorneys general have been empowered to prosecute violations and allowed to keep the fines, creating an incentive to go after a potential new source of revenues, Fasken says.

“It’s drastic,” he adds. “They are stepping up enforcement for real.”

The increased regulations and fines make information security and destruction more important than ever, Fasken and Attarian say.

Colorado Document Security offers clients the use of locked document disposal containers. Mobile shredding trucks destroy those documents on site so clients can watch the process.

Colorado Document Security holds AAA certification from the National Association of Information Destruction, meaning the firm undergoes an annual audit to assure it complies with policies and procedures for secure information destruction, Fasken says.

Colorado Document Security also holds data breach insurance that covers not only his firm, but also his clients, he adds.

In addition to recycling electronic components, E-Waste Recyclers offers electronic data destruction services at its facility on South Seventh Street in Grand Junction. A shredder destroys computer hard drives, tapes and other devices that store data. The firm also can transport the shredder to handle on-site destruction — at banks or medical facilities, for example. The shredder can destroy up to 600 hard drives an hour.

Customers receive documentation certifying their hard drives have been destroyed, Attarian says.

It’s not just computers and computer hard drives that pose risks, Attarian adds. Thumb drives and cell phones also can contain confidential information. Many printers, copiers and fax machines also include hard drives that store information.

In addition to information destruction services, Colorado Document Security and E-Waste Recyclers can assist businesses with training employees on information security and disposal procedures. Proper training constitutes yet another important component of compliance with federal regulations, Fasken and Attarian say.

Fasken says he doesn’t strictly sell document destruction services to his clients, but rather court-defensible risk mitigation.

Given the horror stories that occur when business don’t protect or properly dispose of confidential information — not to mention the increasing regulations and fines — it makes sense for them to take steps to avoid unhappy endings, Fasken and Attarian say.

“All the tools are out there. The question is whether they’re being used,” Attarian said.