What Documents Should You Shred After Filing Your Taxes?

April 26, 2021 at 6:16 pm by Amanda Canale

Ah, tax season. A time to reflect on and reevaluate the past year’s finances, and a wonderful excuse for some major spring cleaning!

In this blog, we’ll break down all of the documents you can say “bye-bye” to and the ones you may want to keep around for a bit longer. It’s important to note that this is simply a condensed breakdown; more information on records retention policies (RRP) can be found in our blog, Records Retention Schedules: When Will Your Data Expire?

Bye-Bye Junk!

  • ATM and deposit receipts: These can be shredded once they are compared against your monthly statement.
  • Credit card bills: Once your bill has been paid, shred away!
  • Utility bills: Keeping utility bills once they are paid is not always necessary. However, it is recommended to save all of your utility bills for one year if you are claiming a home office deduction.
  • Pay stubs: Pay stubs should be saved for one year but once your taxes are filed, they are ready for the shredder.
  • Insurance policies: Once your policy is renewed (either with the same insurance company or a different one), feel free to feed it to your shredder.
  • Receipts: No need to pile up your desk or filing cabinet with every UberEats and Postmates receipt from the past year. It is only necessary to keep receipts from bigger purchases or items that will be deducted.
  • Monthly bank statements: Your monthly bank statements should be saved for one full year and then shredded after you receive your annual statement.
  • Monthly investment statements: All annual statements and the most recent monthly statement should be kept on file; however, feel free to shred the rest!

Documents for Next Tax Season

  • Income: Whether your income comes from wages, interest, or other business, any W-2, 1099, or K-1 forms, and bank and brokerage statements should be kept leading up to your next tax return.
  • Deductions and credits: Any receipts pertaining to childcare, medical and dental expenses, using your home as your business, alimony, or charitable donations should be kept leading up to your next tax return. In addition, keep any receipts or invoices, cancelled checks, and bank or credit card statements.
  • Home and property documents: Whether they are closing statements, proof of payments, insurance records, or home and property renovation receipts, these types of documents should all be kept for a year leading up to tax season.
  • Investments: Any and all 1099 and 2439 forms, brokerage statements, and mutual fund statements should also be kept prior to filing your taxes.

With all of this being said, it is important to mention that there are some financial documents that should be kept for a specific amount of time after you file your taxes. The Internal Revenue Service (IRS) has three years to assess additional tax and audit returns, meaning it would be a smart move to keep on file any documentation that supports your recent claim.

Shred Away!

Now is the fun part: shredding time! While there are various ways to destroy a paper document (as detailed in our recent blog, How NOT to Destroy Paper Documents), we at SEM know it to be best practice to use a high security paper shredder (no, big box store shredders won’t cut it — pun intended!) when destroying all of your end-of-life paper documents. By adopting a secure shredder policy, you can be sure your financial information does not get into the wrong hands. We suggest the SEM Model 1324P deskside shredder for all of your at-home shredding needs. This device offers a DIN 66399 P-4 particle.

P-7, shown above, is the standard for the destruction of classified material on paper

At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Records Retention Schedules: When Will Your Data Expire?

January 21, 2021 at 8:00 am by Amanda Canale

In the growing age of Big Media, it is imperative now more than ever that companies and organizations develop and maintain a Records Retention Policy, otherwise known as RRP. An RRP is a policy that defines a company or organization’s legal and compliance bookkeeping requirements. An RRP ensures that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient.

When establishing an RRP, there are several key questions to keep in mind. Who is responsible for overseeing the RRP? How long should records be retained? What type of records should be retained? What should we do with those records after the required retention period has passed?

Within any type of business, there are a multitude of records you’ll need to keep track of, from accounting and bank records to corporate and employee information, just to name a few. Just as the type of record may vary, so does the retention period. Let’s break down some of the more important record types and retention periods.

Accounting Records

It is a good rule of thumb to keep the majority of accounting records permanently. These types of records can range from income taxes, asset records, training manuals, general ledgers, and more. Patents and related papers, insurance claim documents, legal correspondence, capital stock and bond documents require permanent retention, along with real property records, such as deeds, bills of sale, and appraisals.

While the majority of accounting records should be kept permanently, there are some types that you can safely destroy after a period of seven years. These types of records can be in the form of electronic payment records, employee expense records, inventory listings, and timecards. These records are still crucial to your accounting team but are not necessary to harbor forever.


Employee Benefit and Personnel Records

When it comes to employee benefit and personnel records, the retention period can vary. Any financial statements, documents from the Internal Revenue Service (IRS) and Department of Labor Correspondence, and plan and trust agreements should all be kept permanently.

Normal employee personnel files, employment applications, and individual employee contracts should be kept on file for two to three years from the date of termination. Other personnel records, such as worker’s compensation and employment eligibility forms, can be kept for three to five years.


Insurance and Legal Records

Insurance records, such as accident reports and settled claims, fire inspection and safety reports, and expired insurance policies should all be kept for seven years. It’s important to note that any accident reports and settled claims should be kept for seven years from the date of the settlement, not when the accident occurred. When it comes to legal documents, the retention period can vary. Records of expired contracts and leases and employment agreements can be kept for seven years, but other documents, such as effective contracts and leases, meeting minutes, partnership agreements, and legal correspondences should be kept permanently.

It is also important to keep in mind that records are not just paper documents but can consist of electronic documents and data as well. This includes, but is not limited to, word processing, emails, databases, spreadsheets, and so forth. Any device on which files are stored, optical media, flash drives, and HDDs or SSDs are considered to be electronic documents and must follow the same RRP guidelines the corporation sets forth for paper documents retention and disposal.

The disposal of these records is just as important as retaining them. Having an appropriate shredder is crucial to ensuring that your data is not falling into the wrong hands.

Although the non-permanent records are no longer required to be kept in your possession, this does not mean that the information on those records has necessarily expired or become any less important. If records are disposed of in an unsecured manner and important corporate or employee information falls into dishonest hands, the results can be catastrophic for both the corporation and the employee. (You can read about the monetary consequences of data breaches here.)

In conclusion, establishing an RRP is a crucial step in ensuring that corporate documents are managed and destroyed in a way that is lawful, effective, and efficient. Management of these records includes, but is not limited to, securing the information they contain, even upon disposal of those records. Records that no longer require retention should be destroyed by means of shredding, disintegration, or degaussing, whichever is appropriate depending on the storage method and applicable industry regulatory requirement. Although it is not necessary for a corporation to maintain the same destruction requirements as a government facility, proper destruction should not be considered any less vital. As with any company or organization policy, an RRP relies on its employees to maintain and enforce it.

How to Destroy Tipping Foil, RFID and EMV Chips, and Magnetic Stripes in Credit Cards

June 16, 2020 at 10:00 am by Flora Knolton

Tipping foil is used to enhance and secure financial institutions’ cards. The metallic ribbon is fixed on the card’s embossed characters, helping to bring them out even more. This results in clearer alphanumeric characters that are easier to read. This ribbon also improves bank card durability, as it’s designed to resist daily wear and tear and to maintain plastic card quality over the years. It is like the “makeup” for the face of the card. Tipping foil is essentially stamped onto the raised lettering during the in-line vertical personalization process. What is important to remember is that the embossed, foiled letters are now reversed on the sheet of foil they were stamped from, much like a typewriter ribbon. The physical impression left behind on the foil is why it is so critical that tipping foil be destroyed before it is thrown away.

However, this method of creating credit/debit cards is currently being phased out. Many years ago, numbers had to be raised and embossed on the front of the card so when it was run through a card reader, an imprinted image of those numbers would appear on a slip of paper for the customers to sign. But traditional magnetic stripes are well on their way out as “microchip” card readers are becoming the new way to pay. Magnetic stripes on cards contain all of the cardholder information needed to make a purchase or duplicate the card. As technology advances, so do the world’s best hackers, and the magnetic stripe is becoming significantly easier for people to steal data from.

The EMV® (Europay, Mastercard, and Visa, after the three credit card networks that originally developed the protocol) credit and debit cards equipped with computer chips are now the global standard used to authenticate transactions. The data stored in a magnetic stripe is static — it is how it is, and always stays the same. In contrast, the chip in the card generates a unique code for each transaction, and that code is only used once. If a thief were to copy the chip’s information and try to use it to validate a transaction, they wouldn’t be able to. No two transaction codes are ever repeated, so each code becomes useless following the completion of the transaction it represents.

The difference between contactless (RFID) transactions and chip transactions is the method by which the data is transferred. Radio frequency-enabled cards require the card to be held within close proximity of the payment terminal rather than inserted into a chip reader. EMV chip cards and contactless cards are both more secure than the magnetic stripe. However, cards equipped with chips are not immune to fraud by any means. NFC (Near Field Communication) skimming is one way EMV-enabled cards can still have their information stolen. Near field communication skimmers utilize a wireless technology that allows data to transfer from a mobile device to a card reader within a short distance.

Consumers and organizations alike must properly shred their expired or useless cards that contain PII, whether that be in the form of an EMV chip or residual printed tipping foil that still holds information. Luckily, companies like SEM offer a host of devices specifically designed to ensure everyone has the opportunity to securely take control of their personal data and destroy it once and for all.

The Model DS-400 is one of our top multipurpose turnkey disintegrators. This powerhouse high security model was evaluated by the NSA, listed on the NSA/CSS EPL, and specifically designed to destroy metal cards and license plates. This device can also securely destroy classified paper and CDs as well as other unclassified media stored on smaller forms of e-media such as flash and thumb drives, solid state drives (SSDs), and SIM chips.

The Model 0205NANO is just one part of a revolutionary SSD destroyer duo. The NANO is a mobile crushing solution that was solely designed for the destruction of the world’s smallest forms of solid state media. From Compact Flash Type 1 drives to SOIC-8 and SD cards to PLCC-32 drives, the 0205NANO crushes the SSD beyond recovery with its specially crafted and designed internal rotors.

The second solution in the 0205 SSD disintegrator duo is the Model 0205MICRO. Like the NANO, the MICRO was specifically designed to destroy a wide variety of other SSD media such as cell phones, PC boards, IronKeys, small tablets, and more.

The key to understanding how to destroy something properly is by first having an understanding of how said technology works. A number of our disintegrators would also do the job for destroying tipping foil, EMV chips, SSDs, and various media, at a number of different volumes. We also have devices that can easily destroy tough metal credit cards.

Classified or unclassified, there’s a way to destroy it. Leaving data in a stockpiled room “unsure of what to do” with it is not excusable, and yet many still haven’t educated themselves further to see how their negligence is putting their lives and companies at risk. Mitigate those risks today and be smart when handling personally identifiable information (PII) with Security Engineered Machinery. We’re always eager to help answer questions and can assure you we will help you meet your destruction requirements.

Credit Cards & Identity Theft: There’s More Exposure Than You Might Think

August 19, 2019 at 12:23 pm by Paul Falcone

Beyond convenience, credit cards can also provide the cardholder with the ability to build credit (which is necessary for major purchases like buying a home or car) as well as to earn rewards and cash back. However, credit cards can also pose a major threat for identity theft, and likely in more ways than most realize.

Credit Cards & PII

Do you have a credit card? If so, take it out and look at it for a moment. From a glance, there’s a host of obvious Personally Identifiable Information (PII) that’s printed right on it—your name as well as the primary account numbers (PAN), which include the card number, CVV code and expiration date. This PII is certainly sensitive data and in the wrong hands could be used for credit fraud and identity theft.

However, there is also PII contained on your card where you might not think of it. For instance, PII data such as card holder name, service code, expiration date, CVV code and PIN numbers are also stored in the magnetic stripe of the card. Another unseen piece of technology within your credit card that holds the same PII data is an RFID chip. The only way to tell if your card has an RFID chip is if it has the words “Blink,” “PayPass,” or “PayWave” on it, or else a symbol that looks like a Wi-Fi signal turned 90 degrees clockwise.

RFID chips provide further cardholder convenience by allowing payment to occur simply by tapping the card on a pad near the terminal instead of inserting the card into a reader. Even though security codes for your RFID chip are generated every time you use it, it only takes one time for a criminal with the right equipment to intercept your RFID chip communication as you perform a payment transaction and steal all of this sensitive information. (Although the RFID signal is very weak and can only be read from a short distance of a few inches.)

And, even though your credit documentation is likely kept at home or in a credit app, there’s still the threat of theft from the paper trail or digital-document trail of PII connected to the credit card. This includes statements, bills and other communication mailed or digitally transmitted to the cardholder.

Issuers, Printers & PII

You don’t just get a credit card out of thin air. There are other players involved who will also have access to your PII for the application of the credit line as well as the creation of the credit card itself. Obviously, the financial institution and/or lender company that issued the line of credit and therefore the credit card to the cardholder also has full matching records (stored via print and/or digital media) of the cardholder’s PII to authorize and process card transactions.

What is often overlooked is the generator of the credit card, the security printer company that the financial institution and/or lender works with to create the cards. A printing plate unique to the cardholder is used to create the design, lettering and even some security features that are printed onto the card. This means the printing plate contains a copy of your PII. And the tipping foil that’s used to personalize cards can also have PAN left on the foil after it’s been used.

Proper Destruction of Credit Cards & PII Contained

It goes without saying that consumers must properly shred their expired credit cards and shred, pulverize or incinerate all paper documentation related to that credit card that contains PII. If the documentation is stored digitally, the data and the device need to be properly destroyed via software or hardware to clear the data and by overwriting non-sensitive information, or by degaussing the media and rendering the magnetic field permanently unusable, and by destroying the media by shredding, melting, pulverization, disintegration or incineration.

SEM EMP1000-HS Degausser

For a shredder data destruction machine, consumers should follow DIN Standard 66399, at a minimum Level P-5, for the end-of-life destruction of the credit card and ensuing paper documentation. Shredding at P-5 standards ensures the final particle size has a maximum cross-cut surface area of 30 mm² with a maximum strip width of 2 mm, or 2 x 15 mm. Shredded data at this size is unlikely to be reproduced even with special equipment.

The financial institution and/or lending institution should practice the same proper end-of-life destruction with their paper and/or digital record trail of the account information containing the consumer’s PII. The financial or lending institution should also ensure that their security printers practice the same standards for the end-of-life destruction of the printing plates and tipping foil used to create the consumer’s card. For these organizations, it’s recommended that they follow DIN Standard 66399 Level P-5, whether it’s for paper or digital media that stores the PII attached to the card and line of credit.

PII Theft Prevention: Complying with Intergraf

In addition to practicing proper data and device destruction when the printing plate and tipping foil reach end-of-life, the security printer should take preventive steps in the creation of the cards and the materials used. One such way to do so is for the security printer to use only printing machinery that’s Intergraf-certified.

Intergraf is a European-based federation for print and digital communication which works to ensure security of the sensitive data stored within those mediums as they’re created. An Intergraf-certified security printer machine provides: a clear structure of requirements and responsibilities, trusted security for printers and suppliers, recognizable reference for governments and industries, prevention of forgery and counterfeiting, maximum security from development to deployment and increased customer confidence and satisfaction.

Intergraf has developed an international standard for security printers and suppliers (e.g., CWA 14641, CWA 15374 and ISO 14298) that also helps to direct how these organizations should destroy the printing plates and tipping foil to render them unusable and irrecoverable. For instance, Intergraf stipulates that the destruction standard for printing plates is DIN 66399 P-1, which renders the particle size to a maximum surface area of 2,000 mm², or 12 mm strips.

Finding the Right Data Destruction Machine

SEM has both high-volume and high-security shredders that meet the DIN 66399 standards. It’s important to note, too, that SEM recommends at both the consumer and commercial levels that the machinery be purchased or leased and kept on-site with the consumer or organization. This ensures contact with the sensitive data is limited to only those authorized to receive it.

Destroying Metal Credit Cards – What’s the Difference?

March 8, 2019 at 6:40 pm by Paul Falcone

Metal credit cards are becoming more and more common in today’s high tech environment. Originally reserved for the well-off, these flashy cards have become almost commonplace. Although they often offer the same functionality and benefits as their plastic counterparts, they all come with what’s called the “plunk factor”. Their heavier, sleek design and luxurious feel get you noticed when you plunk them down to pick up the check. However, this plunk factor gives the cards an added density and thickness that means they sometimes need to be destroyed differently than their plastic counterparts.

More Durable. More Information.

Increases in cybersecurity awareness and data breaches have led to a greater demand for better and more secure solutions to control credit information. The need to be able to destroy these heavier, more durable cards has become more important than ever, with customers and companies alike looking for the safest and most secure way to do so.

Metal cards today can be produced with brass, copper, stainless steel, and even composite mixes of metal and plastic. While data used to be stored only in the print and magnetic strip on a credit card, the push for more security has seen most major card producers add a chip that also stores sensitive information. So we have more durable cards with even more areas with sensitive data on them – data and information that can still be accessed even when the card has expired.

How to Destroy: Shred or Disintegrate?

When it comes time to dispose of metal credit cards either due to expiration or possible fraud, credit card issuers will offer to send customers a pre-paid envelope to send cards back for destruction. Once returned, the credit card company is responsible for recycling or destroying the cards. The PCI Security Standards Council guideline for destruction is to destroy credit cards by “shredding or grinding such that the resulting material cannot be reconstructed”.

One method of destruction is with a heavy duty shredder capable of accepting different types of media including paper, CDs, credit cards, staples, and paper clips. The SEM model F65 cross-cut shredder with a capacity of up to 65 sheets per pass can be used for light volume of metal credit card shredding. It can effectively shred these cards into strips similar to shredded paper strips. Once shredded, there is little chance any of the information on the card can be accessed.

Another method of destruction for metal credit cards is with a disintegrator. These machines use rotary knife mill technology to destroy a variety of bulk material. A disintegrator can shred larger volumes of metal cards at higher capacities and can also be customized to shred to a specific particle size. Available with larger horsepower motors and customizable particle sizing screens, disintegrators like the SEM Model 1012 are designed to be used in multiple applications where secure destruction at higher capacities is needed. Disintegrators offer greater assurance that the data bearing elements (magnetic strips and chips) are destroyed so that the information stored on them is no longer accessible.

Deciding between a shredder or a disintegrator can seem challenging. The proper solution should be based on the needs of the application. Material being destroyed, desired volume and throughput, particle size, and power requirements are all important factors to consider when selecting a destruction device. SEM has experience working with several different credit card manufacturers and various credit card types. If you would like to send us samples of the cards you need destroyed or want to visit us in person to view our capabilities, SEM is here to work with you to ensure your needs are met.

The Criticality of FACTA-Compliant Data Disposal

January 31, 2019 at 8:58 pm by Heidi White

Along with the Fair Credit Reporting Act (FCRA), creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information must follow the regulations set by the Fair and Accurate Credit Transactions Act (FACTA). FACTA is an addendum to the FCRA and limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure that the individual to whom the information pertains is protected from identity theft.

FACTA-Compliant Data Disposal

Destroying a rotational hard drive in a SEM 0101 crusher

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data.

The Rule mandates said data be destroyed by the pulverization, shredding, or burning of all papers in which the consumer information is printed, rendering the information unreadable and otherwise unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information. Appropriate disposal methods for electronic media include overwriting non-sensitive information with software or hardware to clear the data, degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. As with the actual data, the electronic media must be rendered unreadable and otherwise unable to be reconstructed.

If you’re working with a third-party data disposal company to comply with FACTA data destruction, you are required to conduct an independent audit of the process to ensure the integrity of the disposal and to ensure complete data destruction.

Lastly, you may need to incorporate your data disposal policies into your organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.

Consequences of a FACTA Violation

Failing to adhere to FACTA data disposal requirements can lead to hefty fines

Failure to comply with FACTA for either the data or the drive destruction can result in major damage to your company’s reputation and financial standing. If you become victim to a data breach and have not maintained FACTA regulations, the affected individuals of the breach can seek damages under the law. Your organization may face a class action lawsuit and fines up to $1,000 per individual violation, regardless of whether the persons suffered identity theft.

Moreover, the reputation of your company may be tarnished by the data breach and subsequent FACTA violations. This could mean the loss of existing customers and potential new business, furthering your organization’s financial loss and eroding economic stability.

When it comes to working with third parties for data destruction, however, there is a real risk that needs to be considered. If your third party experiences a breach, your organization maintains sole liability for the data you have collected and stored, meaning you, and not the third party, will still face civil penalties.

It is therefore highly recommended that you partner with a vendor like SEM who can provide both data and drive destruction devices for your organization to use and keep in-house. By controlling who, where, when and how your data and drives are destroyed, you can better ensure data protection at every step during destruction.