Tuesday, May 17, 2011

Defining Your Own "What I Need to Shred" Policy

What do I need to shred? The answer to that question isn't as simple as you might think. Some things are obvious: You'll want to shred anything with your social security number, for example. But when it comes to what else needs to get shredded, there are many gray areas. So let's look at some recommendations that can help you set your own personal "what gets shredded" policy.

Your Credit Advisor has a useful way of looking at the issue; it breaks down different bits of information as having low, medium and high sensitivity.

Low: full name, address, phone number

Medium: date of birth, birthplace, mother's maiden name

High: social security number, bank account number, credit card number, PIN or password

How does this match up with the "expert" what-to-shred advice? Reasonably well, but far from perfectly — and, of course, the experts don't entirely agree.

The FTC says: "To thwart an identity thief who may pick through your trash or recycling bins to capture your personal information, always shred your charge receipts, copies of credit applications, insurance forms, physician statements, checks and bank statements, expired charge cards that you're discarding, and credit offers you get in the mail."

The FTC also says: "To thwart a medical identity thief who may pick through your trash or recycling bins to capture your personal and medical information, shred your health insurance forms and prescription and physician statements. It’s also a good idea to destroy the labels on your prescription bottles and packages before you throw them out."

The Washington State Office of the Attorney General says: "Dumpster diving, or rifling through trash cans for personal information, is a tactic used by identity thieves. You are taking a terrible risk if you don’t shred sensitive material. ... Destroy all sensitive information including bank and credit card statements you no longer need, carbon-copy charge receipts with your account information, insurance forms, physician bills, etc. ... Destroy all sensitive information including junk mail and paperwork that includes account numbers, birth dates, passwords and PINs, signatures, Social Security numbers. To protect your privacy, you should also consider shredding items that include names, addresses, phone numbers, e-mail addresses."

Experian, in writing about identity theft, says: "If you decide not to accept a pre-approved credit offer, shred it before you throw it away. That goes for any other document imprinted with your Social Security number, date of birth, driver's license, phone number and any type of financial account or utility account number. Your trash can be a gold mine for thieves, so make sure this critical information is shredded before it leaves your house."

A writer for the Fraud Prevention Unit of the Regional Federal Credit Union says: "In general, you should shred documents that contain any of the following: account numbers, passwords, PINs, signatures, Social Security number, date of birth. Basically, this is all the information that could be used by an identity thief to impersonate you. I also like to shred anything that has my name, address, email address, phone number and other less-sensitive information. Yes, I know most of this information is available in the phone book. It’s just a privacy thing. Still, not everybody needs to know I subscribe to Mother Earth News and Writer’s Digest.

"Oh wait, I guess now everybody does know."

The New York Times addressed this issue by consulting with Paul Stephens of the Privacy Rights Clearinghouse. Not surprisingly, he recommends shredding "anything that has your Social Security number and any account information" as well as courtesy checks from banks, credit card offers and applications, and "anything related to taxes and receipts with your signature." But there are also some more unusual suggestions:

There are other papers he recommends shredding, including any kinds of mailings from your financial institution (like advertisements or changes of terms). While such papers don’t have your account information, they do “give the fraudster a little more information” that could be used to commit identity theft, Mr. Stephens said.

The Times also notes:

When it comes to a document that just has your name and address, you may feel comfortable throwing it away if that information is listed and publicly available elsewhere, he said, especially if it’s just a catalog or an advertisement that isn’t from a financial institution. Still, “our recommendation would be to shred it anyway,” Mr. Stephens said.

As for receipts that just show the last four digits of your card number, Mr. Stephens said it’s O.K. to just trash those if they don’t have your signature.

Let's also look at the advice from Fellowes. Since the company sells shredders it obviously has cause to encourage you to shred more rather than less — but its recommended Top 20 list generally makes a lot of sense.

It's not difficult to determine what you should shred. Essentially, any document containing information that you don't want others to have should be shredded. People who buy their first shredder are surprised as they often end up shredding twice as much as they expected. It's a simple step that goes a long way toward securing your information. Here's a brief list of documents that should be shredded:

1. Obsolete financial records, including loan applications
2. Pre-approved credit card applications
3. Personal medical records or physician statements
4. Correspondence and tax preparation worksheets
5. Receipts for purchases
6. Bank statements
7. ATM receipts
8. Credit card statements
9. Cancelled checks
10. Mail and old records
11. Utility bills
12. Credit card charges
13. Insurance forms
14. Investment transactions
15. Expired charge cards
16. Mailing labels from magazines
17. Pay stubs
18. Old driver's licenses or passports
19. Expired insurance and membership cards
20. Any documents that may contain Social Security numbers, birth dates, your mother's maiden name and any account numbers or online passwords

And then there are the contrarians. This comes from security expert Bruce Schneier: "Years ago, when giving advice on how to avoid identity theft, I would tell people to shred their trash. Today, that advice is completely obsolete. No one steals credit card numbers one by one out of the trash when they can be stolen by the millions from merchant databases."

So what shredding policies do you want to set for your own household? Well, what's your idea of an acceptable risk? And how concerned are you about privacy, since there's information you may not want to share, even if it's never used for attempted identity theft?

Do you need to shred everything with your name and address? Since that information is often already easily found, many people say no — but others say "It can't hurt, and it might help." Ultimately, it's your own risk management decision.

However, I would definitely consider shredding papers with anyone else's address, phone number and e-mail address — and especially any multi-person listings of such information in a school or church directory, for example. It just seems like the courteous thing to do, since you've been given access to someone else's sensitive information.

And please don't set your personal policy based on the fact that you don't have a good shredder, and shredding is therefore a pain in the butt. Invest in a good shredder, or take your shredding to one of the many places that provide shredding services, such as Office Depot.

Photo: Fellowes PS-79ci shredder — the one I own. I found it selling for much less than the list price.


Lifeorganizer said...

Thank you - never gave this a thought before - in fact I hardly shred anything BUT you have changed my mind on that. I am definitely expanding my list of things to shred today.

Anonymous said...

I shred more than I thought I would, for privacy, but also because it takes less landfill space. I also shred some styrofoam to amend soil around plants to help the soil stay looser. (But only ornamentals, not food plants). Some shredded paper is also a good amendment to compost.

Marcie Lovett said...

I tell clients to shred anything that would allow someone else to impersonate them, e.g., account numbers, Social Security numbers, etc. I have to agree with Bruce Schneier, though, when he says that big-time thieves aren't going to rummage in your rubbish. More people lose information to computer hackers than to Dumpster divers. Even so, it's good to have a "policy" for what makes you comfortable.

If you don't own a shredder or have access to a store that offers shredding, ask your bank or local government if they offer a free shredding day. Groups hold these events periodically to encourage recycling and to help impede identity theft.

Mary Nolan of Logical Spaces said...

I shred anything that identifies me, including name and address. I also advise clients to do the same. While I agree with Bruce Schneier that big-time ID thefts come from database hacking, this doesn't mean you should be lax about the trash. I would advise all to remain vigilant, as many people DO dumpster-dive and those who do are unlikely to have the money to spend to BUY stolen database information. Those are the small time crooks that get you.

Jeri Dansky said...

Lifeorganizer, if this post made you think about what you choose to shred, it's a success!

Anonymous, thanks for that additional bit of information!

Marcie and Mary: Some of my clients definitely want to shred anything with their names. Others definitely don't want to bother. I think either stance is reasonable. It's only when it comes to more sensitive information that I STRONGLY recommend shredding. I respect Bruce Schneier a great deal - and I'm still going to shred anything with a credit card number.