PII Secure Destruction & Disposal: Recommended Practices


TL;DR

Use a micro-cut shredder to destroy documents that contain PII. Mix the paper particles together so that destroyed confidential and non-confidential documents are indistinguishable. Randomize how often you discard shredded material, how much goes out each time, and how you dispose of it.

Terms & Tech

Personally Identifiable Information (PII) is anything that contains your name, address, phone number, account number, bar codes, etc. This includes shipping labels, envelopes, and even junk mail with your address. Each item of PII is a puzzle piece: someone who collects enough pieces can impersonate you or steal your identity. While it is difficult to mask PII that is already exposed online, you can destroy printed PII as part of your trash disposal.

ISO/IEC 21964 / DIN 66399-2 describes the condition, shape, and size of destroyed particles and classifies destroyed paper by particle size on a scale from P1 to P7, where P1 is the largest particle size and P7 the smallest. The National Security Agency (NSA) publishes several Evaluated Products Lists (EPLs); the October 2022 Paper Shredders list covers devices that shred to the P7 size, i.e. particles no larger than 5 mm² (1 mm × 5 mm). A particle this size can carry a single character at up to roughly a 14-point font, and since most documents use smaller fonts, a particle is likely to contain at most three or four characters. The shredders on that list are not intended or priced for home use, but the list is useful for establishing what the best-in-class outcome looks like.

Recommendations

  1. For those who choose to shred documents commercially, the recommended practice is to coordinate a pickup or drop-off with an organization that will shred the documents and provide a National Association for Information Destruction (NAID) compliant Certificate of Destruction. NAID-certified organizations are audited and must meet criteria proving they securely destroy documents and other media, e.g. hard drives, film, etc. Check the vendor's certification status yourself rather than relying on the wording of the certificate alone.
  2. For those who choose to shred at home, consumer shredders are marketed as strip-cut, cross-cut, or micro-cut. These terms are not standardized across the industry and map only loosely to the DIN levels (strip-cut roughly P1 and P2, cross-cut roughly P3 and P4, micro-cut P5 and above), so check the stated particle dimensions or DIN P-level in the specifications to be sure what you are buying.
  3. Purchase the highest rated shredder you can afford. It may seem frustrating to spend $x00+ on a shredder, but that is far better than wishing you had spent more while recovering from identity theft. P5 shredders destroy documents much more effectively than cross-cut shredders and are reasonably priced, with some units in the low $1xx range.
  4. Also shred documents that have no confidential value at all. Mixing their particles with confidential material adds noise to any attempted reconstruction.
  5. Place all shredded material in a large container and mix it thoroughly. Discard variably sized, randomly chosen clumps in small batches, e.g. three to six handfuls per disposal. Anyone collecting material from your trash will then not have a complete set of particles from a single collection, on top of the added noise from non-confidential material and the fact that each particle is barely large enough to carry four legible characters.
  6. Don't discard the shredded particles the same way each time; be as unpredictable as possible.
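To make the argument behind recommendations 4 through 6 concrete, the following Python script is an added illustration (not code from the original page) that models the scheme as a toy: one confidential document is shredded into labelled particles, mixed with decoy particles from non-confidential paper, discarded in randomly sized batches, and an adversary intercepts some fraction of those disposals. The particle counts, the 50-particle "handful", the document name "bank-stmt" and the interception probability are assumptions chosen for the demo; the report shows how much of the target document the adversary holds and how much of what they collected is noise.

```python
"""Toy model of the mix-and-batch disposal scheme described in the
recommendations above.  Added illustration, not part of the original page;
particle counts, handful size and interception probability are assumptions."""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Particle:
    doc: str    # which document the piece came from, e.g. "bank-stmt" or "junk"
    index: int  # position of the piece within that document


def shred(doc: str, n_particles: int) -> list[Particle]:
    """Model shredding one document into n_particles labelled pieces."""
    return [Particle(doc, i) for i in range(n_particles)]


def mix_and_batch(particles, rng, min_handfuls=3, max_handfuls=6, handful=50):
    """Recommendations 5 and 6: shuffle the whole bin, then pull out a
    randomly sized batch (min..max handfuls of `handful` particles each) per
    disposal until the bin is empty.  Returns the batches in disposal order."""
    bin_ = list(particles)
    rng.shuffle(bin_)
    batches = []
    while bin_:
        size = rng.randint(min_handfuls, max_handfuls) * handful
        batches.append(bin_[:size])
        del bin_[:size]
    return batches


def adversary_collects(batches, rng, p_intercept):
    """Each disposal is intercepted independently with probability p_intercept
    (1.0 models someone who takes every bag, 0.0 models no collection)."""
    return [b for b in batches if rng.random() < p_intercept]


def recovery_report(collected, target_doc, target_size):
    """Summarize what the adversary holds for one target document."""
    pieces = [p for batch in collected for p in batch]
    got = {p.index for p in pieces if p.doc == target_doc}
    noise = sum(1 for p in pieces if p.doc != target_doc)
    return {
        # share of the target document's particles in the adversary's hands
        "fraction_recovered": len(got) / target_size,
        # reconstruction is only possible at all when every particle is held
        "complete": len(got) == target_size,
        # share of collected material that is decoy (recommendation 4)
        "noise_fraction": noise / len(pieces) if pieces else 0.0,
    }


def build_batches(seed=1, confidential=400, decoy=1600):
    """Shred one confidential document plus decoy paper and batch the mix."""
    rng = random.Random(seed)
    pile = shred("bank-stmt", confidential) + shred("junk", decoy)
    return mix_and_batch(pile, rng)


def simulate(seed=1, confidential=400, decoy=1600, p_intercept=0.3):
    """End-to-end run: shred, mix, batch, partial interception, report."""
    rng = random.Random(seed + 1)  # separate stream for the adversary
    batches = build_batches(seed, confidential, decoy)
    collected = adversary_collects(batches, rng, p_intercept)
    return recovery_report(collected, "bank-stmt", confidential)


if __name__ == "__main__":
    for p in (0.0, 0.3, 1.0):
        print(f"p_intercept={p}: {simulate(p_intercept=p)}")
```

The point the model makes is structural: with a 400-particle document and batches of at most 300 particles, no single pickup can yield more than three quarters of the document, and every pickup is four-fifths decoy material; only an adversary who intercepts every disposal ever holds a complete set.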