The bulk of identity fraud happens because of physical documents that have been stolen or otherwise compromised, but South African companies and government entities continue to focus most of their attention on protecting electronic rather than paper-based information.
This is the view of Duncan Waugh, CEO of Document Security Solution Specialists, who says companies and government routinely underestimate how much information can be gleaned from paperwork.
With the Protection of Personal Information (PoPI) Act set to come into force in coming months, this could have substantial legal implications.
“There’s more information in a dustbin than I’ll ever get hacking a hard drive,” Waugh says. “Also, it’s not against the law to take something that’s been abandoned.”
The biggest problem, he says, is that many companies don’t realise they’re sharing information they shouldn’t be, which amounts to “vicarious liability”.
“PoPI puts a significant compliance burden on companies, particularly in terms of how information is disposed of.”
One of the problems is the disconnect between the need to destroy documents and the desire to recycle. “People think that if they put things in a recycle bin that they’re safe,” Waugh says. “You wouldn’t believe how mistaken they are. To protect information, you need to fine-shred.”
Information security depends on five pillars: protection, detection, reaction, documentation and prevention. “Protection, reaction and detection have been prioritised, but too little attention is paid to prevention and documentation,” he says.
Information security should include paper documentation, but most people focus only on electronic data.
Even in supposedly “paperless organisations”, Waugh says there is almost always the ability to print documents. “If you’ve got printers, photocopiers or fax machines, you’re not paperless.”
Common solutions to preventing hard copy data from being compromised include shredding or recycling using locked boxes. “But shredded documents can be reassembled and with recycled documents it’s unclear where they go when they leave the premises.”
Though PoPI requires companies to disclose security breaches, companies can’t disclose this if they don’t know it’s happened, Waugh says. — (c) 2013 NewsCentral Media