Paper: It’s Here to Stay and It’s Loaded with Sensitive Data

August 12, 2019 at 1:56 pm by Paul Falcone

It’s quite ironic that in the digital age, there is still so much paper being used.

True, more and more organizations have “gone paperless,” whether it’s eStatements from your bank or the option for emailed receipts from retailers. And when you think about it, when was the last time you received a paper gift certificate, or flipped through a White Pages book to find someone’s contact information? (It’s probably been a while.)

Yet there is still a plethora of paper out there, much of it containing sensitive or otherwise private information, from mailed credit card offers and office correspondence to business contracts, building blueprints and legal documentation. Medical records, birth certificates and social security cards are all printed on paper, as are government passports, all of which will likely not be issued in digital-only formats anytime soon. Even engineering plans for nuclear missiles are first presented on paper.

Our society operates with a literal paper trail that can be traced throughout our everyday transactions, which means we must take steps to ensure the protection of any personal, private and/or sensitive information that’s contained within it.

Why It’s Crucial to Properly Dispose of Paper with Sensitive Data

Whether federal or personal, most types of paper documentation include what the government calls CUI, or Controlled Unclassified Information. PII (Personally Identifiable Information) is one example of CUI on the consumer level. Unclassified government data, such as documents marked For Official Use Only (FOUO) or Sensitive But Unclassified (SBU), is considered CUI, as is any and all unclassified information throughout the Executive branch that requires safeguarding and dissemination control. CUI also covers nearly all government agencies as it relates to information for critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax and transportation documentation.

When documents containing CUI face end-of-life and need to be disposed of, it’s therefore critical to take the proper destruction measures for both the data and the media, to render the sensitive information unreadable, indecipherable and irrecoverable by any means.

For paper containing government-related CUI, the data destruction must follow NIST SP 800-88 standards. NIST SP 800-88 stipulates a 1mm x 5mm or less final particle size for paper media (this is the same standard required by the NSA for classified information that’s reached end-of-life). This includes PII contained in a government document.

And although PII contained in non-government documentation does not require the same data destruction standards, it should still be treated with the same care and precision. If the documentation is to be shredded, the paper should be cross-cut—not strip-cut. Remember the Iran hostage crisis of 1979? (You know the one, when 52 American diplomats and citizens at the US Embassy in Tehran were held hostage for over a year by Iranian supporters of the Iranian Revolution.) During the hostage crisis, the Iranian hostage-takers gathered the strip-cut remains of shredded US intelligence reports and operational accounts and spent years painstakingly—and successfully—putting the shredded pieces back together. The sensitive data contained in the documents was made decipherable and readable, posing a major threat to the US government and our society.

Paper shredded to a P-4 particle size.

To ensure something like that does not happen to any of your documentation with sensitive data that reaches end-of-life, you should follow DIN Standard 66399 for data destruction. DIN Standard 66399, in this case Material Classification P, refers to information presented in its original size, such as on paper. Within this DIN Standard, there are further levels of security ranging from P-1 (ideal for data carriers with general data) to P-7 (for data carriers with top secret information and the strictest security standards). Level P-4 is recommended for most non-government PII covered under HIPAA, FACTA, FISMA, PIPEDA, SOX and even GDPR regulations. Under P-4 standards, the maximum cross-cut particle surface area is 160mm² with a maximum strip width of 6mm, or 6x25mm or less final particle size. Shredded data at this size can only be reproduced using equipment that is not readily available commercially. Therefore, the P-4 shredding standard is safe to use for non-government-related documentation, such as those containing PII.

A Note on Data Destruction Machines

Paper documentation containing CUI that’s reached its end-of-life should either be incinerated or shredded with the correct destruction machinery. Be sure to look for signage or other indicators on the machine to inform you of whether it has been approved for CUI destruction. These machines should also be listed under the NSA/CSS 02-01-EPL for classified paper destruction.

All of SEM’s high-security shredders meet the NSA/CSS mandate. SEM also offers several cross-cut paper shredders for Unclassified paper destruction which meet the DIN Standard 66399 Level P-4. These machines are suitable for commercial, non-government paper shredding or Unclassified non-Executive branch shredding and can be viewed here.