Most business owners have a pretty good handle on the main rules and regulations they have to follow. You probably know the basics of paying tax, treating employees fairly, and taking care of any health and safety issues relevant to your industry.
Did you know, however, that you are also at risk if you fail to protect the personal information of clients, workers and other third parties?
This is where security levels for paper shredders come in.
Over time, industry bodies and others have come up with a set of guidelines regarding how thoroughly different types of confidential information should be destroyed before ending up in the trash. If you follow these, your legal liability is nil.
If, on the other hand, you simply use whatever paper shredder happens to be on hand, there is a possibility that you’ll be hit with serious financial penalties, especially if you do business in the European Union.
Aside from consequences like these, it’s simply a good idea to be responsible about getting rid of all confidential records and correspondence. Criminals do indeed sift through the garbage of both households and companies looking for information they can use. Should they find something, the results can include identity theft, fraud, hacking, or even simple but profound embarrassment.
The DIN 66399 System of Security Levels for Paper Shredders
The most widely used classification for document security shredding levels is called DIN 66399. (DIN is the German abbreviation for the German Institute for Standardization.) Within this, there are seven grades ranging from P-1 to P-7.
Note that a better security shredding level doesn’t always translate to a higher price. Factors like speed and noise while operating will also play a major role in your buying decision.
There’s no mystery to determining a particular machine’s P-level even if it’s not stated. Compared to most industrial standards, DIN 66399 is refreshingly simple.
Here’s how it works:
- P-1: strips ≤ 12 mm (½") wide
- P-2: strips ≤ 6 mm (¼") wide
- P-3: strips ≤ 2 mm wide
- P-4: cross-cut fragments ≤ 160 mm² with width ≤ 6 mm
- P-5: cross-cut fragments ≤ 30 mm² with width ≤ 2 mm
- P-6: cross-cut fragments ≤ 10 mm² with width ≤ 1 mm
- P-7: cross-cut fragments ≤ 5 mm² with width ≤ 1 mm
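To check a machine whose P-level isn't stated, the limits above can be applied to the particle size printed on its spec sheet. The sketch below is an added example, not part of any standard's tooling: the spec-string format ("4 x 40 mm" for cross-cut, "6 mm" for strip-cut), the function names and the sample inventory are all assumptions made for illustration.

```python
import math
import re

A4_W_MM, A4_H_MM = 210, 297
# Limits copied from the list above: (level, max width mm[, max area mm²])
STRIP = [("P-3", 2), ("P-2", 6), ("P-1", 12)]
CROSS = [("P-7", 1, 5), ("P-6", 1, 10), ("P-5", 2, 30), ("P-4", 6, 160)]
SPEC = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(?:[x×]\s*(\d+(?:\.\d+)?))?\s*mm\s*$", re.I)

def parse_spec(spec):
    """'4 x 40 mm' -> (4.0, 40.0) cross-cut; '6 mm' -> (6.0, None) strip-cut."""
    m = SPEC.match(spec)
    if not m:
        raise ValueError(f"unrecognised particle spec: {spec!r}")
    width = float(m.group(1))
    length = float(m.group(2)) if m.group(2) else None
    if length is not None and length < width:   # accept '40 x 4 mm' too
        width, length = length, width
    return width, length

def p_level(spec):
    """Highest level whose limits the particle meets, or None if unrated."""
    width, length = parse_spec(spec)
    if length is None:
        return next((lvl for lvl, w in STRIP if width <= w), None)
    # The list gives no cross-cut limits below P-4, so a coarser
    # cross-cut particle is reported as unrated rather than guessed.
    area = width * length
    return next((lvl for lvl, w, a in CROSS if width <= w and area <= a), None)

def pieces_per_a4(spec):
    """Approximate particle count for one A4 sheet (strips fed short edge first)."""
    width, length = parse_spec(spec)
    if length is None:
        return math.ceil(A4_W_MM / width)
    return round(A4_W_MM * A4_H_MM / (width * length))

def below_minimum(inventory, minimum):
    """Names of machines that are unrated or rated under `minimum` (e.g. 'P-4')."""
    need = int(minimum[2:])
    rated = {name: p_level(spec) for name, spec in inventory.items()}
    return sorted(n for n, lvl in rated.items() if lvl is None or int(lvl[2:]) < need)

# Constructed inventory: the machine names and cut sizes are made up.
INVENTORY = {"mailroom": "6 mm", "hr-office": "4 x 40 mm",
             "finance": "2 x 15 mm", "reception": "8 x 40 mm"}

if __name__ == "__main__":
    for name, spec in INVENTORY.items():
        print(name, spec, p_level(spec), pieces_per_a4(spec))
    print("below P-4:", below_minimum(INVENTORY, "P-4"))
```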
What the Different Security Shredding Levels Are Used For
P-1 shredders are exceptionally fast but not suitable for any kind of sensitive documentation. Anyone can reconstruct a document shredded into half-inch wide strips by hand (though picking the right pieces out of an entire dumpster full of them will require some dedication).
P-2 isn’t much better in terms of security, but is almost as cheap and quick. This level is recommended for shredding general, non-sensitive business documents. It’s easy to forget about details that may be found in stuff like general memos, but these can often be used for nefarious purposes.
P-3 shredders don’t cost much more than P-2s but add a layer of complexity to the reassembly process. It’s worth getting one even for documents containing information that doesn’t seem to be too sensitive: do you really want to share your suppliers’ addresses with unknown parties, or your employees’ home phone numbers? P-3 is the minimum shredding security level deemed compliant with HIPAA requirements, though P-4 or higher is recommended.
P-4 is where things start to get serious. These shredders cut an A4-size page into roughly 400 pieces and can be used for sensitive personal documents like bank statements, price lists and so forth. Most small businesses won’t require anything better, though it’s worth mentioning that many cross-cut economy shredders produce particles much smaller than 0.25 square inches and therefore approach P-5 levels of security.
P-5 shredders are what you should find in managerial and executive offices. They are suitable for company records like financial statements, high-level meeting memos, sensitive contracts, and details of trade secrets.
P-6 shredders are more commonly found with government agencies than private companies; accordingly, they’re pretty expensive. They’re also slow and, outside of the military and intelligence community, are used only in very sensitive areas like cutting-edge research labs.
P-7 protection implies that no more than 4 characters will be legible on any given paper fragment, which apparently is enough to satisfy the NSA. Conceivably, these can still be reassembled using specialized software, which leads us to another important point: simply having a highly secure shredder doesn’t help much if it’s not accompanied by robust document handling policies.
Better Shred than Sorry
As the saying goes: set a thief to catch a thief.
Ordinary people simply aren’t used to thinking in terms of exploiting criminal loopholes. These don’t need to be a breach in a security fence or a car with its keys left in the ignition, either. Some examples of how improper shredding can affect people include:
- An employee stumbles on a copy of a colleague’s pay stub, potentially causing jealousy.
- A leave request can tell burglars when someone will be out of town.
- A printed email mentions the names of two of your friends; this can provide an opening for a spearphishing attack.
- An internal switchboard number can allow a stranger to pretend to be an employee and ask for confidential information, including computer passwords.
All of these are from relatively innocuous business documents, not something that would pique James Bond’s interest. This is why it’s so important to shred pretty much everything, or have it shredded by a professional company. You may not have time to wait for a P-5 shredder to chew through all your paperwork, but you can at least secure it against casual snooping.