The Saga of Shredding in the U.S.: A Privacy Advocate's Perspective
By Beth Givens, Director
Presentation at Conference of the National Association for Information Destruction
San Diego, CA
Good morning. It is a pleasure to speak to you today. I commend you on being active members of NAID, and for the positive contributions you are making to privacy protection.
I have been listening to consumers' complaints for 12 years now. In what I call our "Dear Abby" role, we invite individuals to phone and email us with their questions and complaints about privacy matters.
Back in our early years - 1992, '93, '94 - I made the observation that we appear to be a nation of sloppy information handlers. My staff and I noticed that many of the privacy complaints we received from individuals were the result of carelessness, errors, and faulty security practices by companies and by government agencies.
During those same early years, we started hearing from victims of identity theft, although back in 1993 it wasn't yet being called identity theft. I think it's fair to say that we were the first consumer privacy organization to offer assistance to victims and to publish guides on how to prevent and recover from this crime.
I remember back then being puzzled about identity theft. I could understand how one's existing credit card account could be hijacked by the thief who stole one's wallet or purse. But how could an entirely new account be opened up, especially if there was no theft of the victim's wallet or of any other physical items like one's mail? After all, the Social Security number is the key to being able to impersonate someone by obtaining new credit accounts. How did the thieves obtain these SSNs?
That's when I learned about dumpster diving. Remember, this was a decade ago. A Los Angeles area detective told me that often when he got a search warrant and searched a suspect's car, apartment or motel room, he'd find trash containing personal information. In other words, identity thieves were obtaining SSNs, credit account numbers, banking and investment account numbers by digging through trash bins outside of homes and businesses, and then using that information when filling out credit applications.
Even though since those "early years" in our identity theft work shredding has become a household word and shredders are a common household item, trash is still a lucrative source of Social Security numbers and other useful bits of personal information for those who perpetrate identity theft.
You might be interested in some recent statistics on identity theft. A Federal Trade Commission survey released last September 2003 found that nearly 10 million individuals in the previous year were victims of this crime. (See http://www.privacyrights.org/ar/idtheftsurveys.htm and http://www.ftc.gov/os/2003/09/synovatereport.pdf)
About two-thirds of them experienced application takeover, when the thief uses an individual's existing credit account to pay for goods and services. This form of identity theft is relatively easy to recover from.
About one-third of victims experienced application fraud, where the thief is able to open entirely new accounts, a process that is usually invisible to the victim until they check their own credit report, commonly when they themselves need credit, for example, when purchasing or refinancing a house, applying for a credit card, or renting an apartment. This is the more serious form of identity theft and is the most difficult to recover from, usually taking several months, even years.
As I said earlier, I've observed that we are a nation of sloppy information handlers. But little by little, we are improving. And your industry is playing a large role in that development.
The goal of every workplace today - and that includes businesses, government agencies, nonprofits, as well as households - should be the creation of a "culture of confidentiality." From top to bottom, everyone in the organization must be aware of the necessity of safeguarding and effectively destroying records containing sensitive personal information - no matter what medium they are in, whether paper, computer hard drives, CD-ROMs, magnetic tape, microfiche, you name it.
Evidence of the improvement in our collective information handling practices and in our culture of confidentiality is the passage of document destruction laws in 3 states - Wisconsin, California, and Georgia. [And if you know of other states, please let me know.] Further evidence is the passage in late 2003 of the federal Fair and Accurate Credit Transactions Act, FACTA, which contains a provision requiring document destruction. Randy Moss and Quinn Hudson will discuss this further after the break.
Let me tell you the story of how the California document destruction law came to be:
Several years ago, before the implementation of California's document destruction law, a San Diego TV reporter at our CBS TV affiliate did a two-part story on his treasure hunting exploits in dumpsters behind several businesses. To the tune of "Mission Impossible" the camera showed him climbing into and out of dirty dumpsters and retrieving an unbelievable amount of unshredded credit card receipts, bank documents, credit applications and the like.
A state legislator representing San Diego saw these news segments and said "there ought to be a law!" His name is Howard Wayne, and he is now a prosecutor for the California Attorney General's office here in San Diego. He introduced what became California Civil Code 1798.81. And his success in getting the bill through the legislature was due in large part to playing the videotape of those TV news segments.
I must say, the media has played a significant role in connecting the dots between the improper disposal of documents and identity theft and other privacy abuses - and that not only includes improper disposal of paper documents, but also recycled computers.
In fact, if you have not already figured it out, the media loves dumpster diving and shredding stories, especially local TV news stations.
Here are a couple more TV news stories from here in San Diego:
Our ABC affiliate contacted me several years ago - before passage of California's law - about a prominent medical laboratory whose dumpsters they visited - based on a tip from a disgruntled staff member. They found boxes and boxes of unshredded lab records - containing patients' names, addresses, phone numbers, SSNs, date of birth, and medical diagnoses. Even after the story ran on the local TV news program, the lab didn't shred its trash. The TV station visited the lab's dumpsters a month later and found the same thing - reams of unshredded lab files.
Here's another story, and I think you'll get a kick out of it.
I received a call from a local NBC TV reporter. He said, "Beth, you aren't going to believe this one." The reporter had been contacted by a San Diego woman who had ordered an arts-and-crafts kit on paper making from a Santa Fe, New Mexico, mail order company. The kit contained some shredded paper - which is part of the paper making process, involving the moistening of the paper and making it into a kind of mush.
She got curious about the shredded paper when she realized she was able to read words on the paper. It turns out that the paper was shredded with a strip-shredder, and the paper was inserted the wrong way, because she was able to make out entire lines of text.
She then realized that the paper was from Los Alamos National Laboratory, which is not far from Santa Fe. This was during the time of the Wen Ho Lee security breach scandal in 1999, if you recall that incident. The reporter asked her to bring the shredded paper to the studio, and the two of them then reconstructed a couple of documents from the Los Alamos National Laboratory - as it turned out, pages from a staff directory - names, titles, divisions, and phone numbers.
I'm sure you can tell me the moral of the story. First, for heaven's sakes, load the paper the right way. And second, use an industrial strength cross-cut shredder, especially if you are a top secret national lab.
I could tell you many more such stories. And I'm sure you can add many more of your own.
Provocative media stories like these are not limited to the medium of television. The Philadelphia Inquirer just a few days ago featured a story about a company called Power-Shred and about the growth of the shredding industry. Let me read you just a few sentences:
A gaggle of smoking office workers scattered when Ron Miller eased his noisy, hulky black truck alongside the Citadel Federal Credit Union headquarters in central Chester County.The paper shredder had arrived.But this was no puny cutter that fits over a wastebasket. Miller and his wife, Joanne, own Power-Shred, an Exton startup company, and Miller had brought his $200,000 mobile shredder to devour a ton or more of sensitive credit union documents ready for slicing and dicing - right at the doorstep.
Miller climbed from the cab and threw some switches on the side of his rig. . He opened a panel to reveal a video screen wired to cameras inside the truck, trained on a viciously whirling set of blades and a huge mound of finely chopped paper.
The story went on to describe the growth of the industry, now at least $1 billion, and the factors leading to its growth such as the new federal medical privacy law, HIPAA. And the story mentioned your trade association, the National Association for Information Destruction. [Reid Kanaley, "Service shreds away privacy concerns," Philadelphia Inquirer, May 18, 2004.]
I want to close by making a couple of recommendations to those of you who operate information destruction services.
It's important to do background checks on those who handle materials containing personal information, including paper documents, computer hard drives, CD ROMs and the like. You do not want to end up on the evening news for a privacy breach like the media stories I've just relayed.
In the same light, I encourage you to adopt privacy policies for your own companies. In other words, practice what you preach, and preach what you practice.
Our web site and the web sites of many other organizations have information on how to develop privacy policies. Our web site address is www.privacyrights.org. (See, for example, Fact Sheet 12, "Checklist of Responsible Information-handling practices," www.privacyrights.org/fs/fs12-ih2.htm, and our guide on how to prevent identity theft through proper workplace information-handling practices, www.privacyrights.org/ar/SDCountyIT.htm. )
Thank you for the opportunity to speak with you today.