Be Diligent About the Records and Files You Should Keep vs. Those that Should be Destroyed.

How many times have you had an important document in your hand ready to destroy, but hesitated because you didn’t know if you were breaking some regulation, rule or just an old wives’ tale about how long to keep that information?

Oh, “let’s just keep it”, you say… to be safe.

A year later those files you decided to keep now become boxes, and a year later those boxes have multiplied like rabbits. Now you’re contemplating storing them offsite, or worse, taking up precious office space with information that should be destroyed.

In this article we will give you some tips on not only what you should keep, but the best way to destroy it.

We have a caveat to this important subject: There are rules upon rules, and regulations upon regulations that the government has instituted. But, there are also rules and regulations in many industries such as banking, accounting, legal, healthcare, etc. For example, doctors are required to keep patient records for extended periods of time.

There are far too many rules to try to cover in this article, so always—always—check with your accountant or attorney if you are unsure what to destroy.

Retaining Tax Records Generates the Most Questions and Stress for SDD’s Clients.

There aren’t many documents that businesses produce that contain more sensitive information and get sent outside of the business than tax records.

When you file electronically, for example, isn’t there a moment of near-sheet terror before you hit that “send” button?

There’s no reason to keep tax records longer than is required.

The Internal Revenue Service provides great information on its website. Here are its general guidelines:

“The length of time you should keep a document depends on the action, expense, or event which the document records. Generally, you must keep your records that support an item of income, deduction or credit shown on your tax return until the period of limitations for that tax return runs out.

“The period of limitations is the period of time in which you can amend your tax return to claim a credit or refund, or the IRS can assess additional tax. The information below reflects the periods of limitations that apply to income tax returns. Unless otherwise stated, the years refer to the period after the return was filed. Returns filed before the due date are treated as filed on the due date.”

Many customers believe there is a “7-year rule” that applies to the retention of tax records. While a safe guideline, the IRS has more specific rules depending on your situation (https://www.irs.gov/businesses/small-businesses-self-employed/how-long-should-i-keep-records):

1. Keep records for 3 years if situations (4), (5), and (6) below do not apply to you.
2. Keep records for 3 years from the date you filed your original return or 2 years from the date you paid the tax, whichever is later, if you file a claim for credit or refund after you file your return.
3. Keep records for 7 years if you file a claim for a loss from worthless securities or bad debt deduction.
4. Keep records for 6 years if you do not report income that you should report, and it is more than 25% of the gross income shown on your return.
5. Keep records indefinitely if you do not file a return.
6. Keep records indefinitely if you file a fraudulent return.
7. Keep employment tax records for at least 4 years after the date that the tax becomes due or is paid, whichever is later.

As for specific records you should keep the IRS recommends records that “clearly show your income and expenses”. While a broad statement, the implications are significant depending on your industry, as some industries have stringent rules on record keeping. Here is more information from the IRS: https://www.irs.gov/businesses/small-businesses-self-employed/recordkeeping

There are Important Non-Tax-Related Records that Should be Retained.

While the IRS focuses on records that support your income and expenses, there are many, many, many more records in your files that need a decision made on whether to keep or pitch.

In an excellent article on smead.com (http://www.smead.com/hot-topics/records-retention-guidelines-1394.asp), they provided common sense guidelines for general information.

“Keep everyday paperwork for 3 years. It’s rare that anyone is going to want to see an electric bill or credit card statement dating back more than a year. But, you may choose to keep the following non-tax-related items for up to 3 years for internal use:

• Monthly financial statements
• Credit card statements
• Utility records
• Employment applications (for businesses)
• Medical bills in case of insurance disputes”

Smead also identifies other types of records that don’t easily fit into specific categories, for example:

• Car records (keep until car sold
• Credit card receipts (keep until reconciled on your credit card statement)
• ATM and deposit slips (keep until reconciled on your bank statement)
• Insurance policies (keep for life of policy)
• Pay stubs (keep until reconciled with your W-2)
• Property records / builder contracts / improvement receipts (keep until property sold)
• Sales receipts (keep for life of warranty or life of the item on large purchases)
• Warranties and instructions (keep for life of product)
• Other bills (keep until the payment verified on the next bill)

Onsite Shredding Ensures Your Important Documents are Securely Destroyed.

Holding important documents the required period of time is only half the challenge.

When you are ready to dispose of the documents, Secure Document Destruction of St. Louis recommends onsite versus offsite. The differences between the two are significant:

• Offsite shredding. The service provider comes to your office (or residence), picks up your un-shredded confidential documents and materials, and takes them to a facility to be destroyed. For however long it takes that truck to get to the facility puts your important information at risk. The offsite service truck may make as many as 15-20 additional customer stops.
• Onsite Shredding by SDD of St. Louis. SDD’s onsite document shredding services for businesses or onsite shredding services for residences eliminate the risks of offsite shredding. We use state-of-the-art mobile shredding service trucks that shred your documents in real time, in full view within feet of your business. SDD’s bonded, uniformed Security Specialists are there monitoring every step of the process. When we leave your office, your important information is destroyed.

Regularly Scheduled Shredding Greatly Reduces Your Risks in Destruction of Important Documents.

Whether your schedule is monthly, weekly or even daily, SDD’s process is secure:

1. SDD places locked containers throughout your facility to hold sensitive materials to be purged.
2. An SDD shredding service truck comes to your office on your schedule.
3. The truck’s automated handling system securely deposits your confidential information into the truck.
4. The contents are immediately destroyed while you watch via closed-circuit cameras. No information leaves your office without being destroyed… ever.
5. You will receive a Certificate of Document Destruction before we leave your office.
6. The destroyed materials are disposed of at a recycling center.

SDD serves clients in some of the most highly-regulated industries which have strict requirements for information security, such as accounting, legal, banking and healthcare.

SDD’s regularly scheduled services offer the most secure and cost-effective way to regularly destroy your important information and materials. Click here today for a no obligation quote.

Our digital business world certainly has its positive attributes, but you must protect your small business data.  We can hold video conferences with clients across the country, or send documents to co-workers instantly no matter the time of day.

As long as we have wi-fi, our office can be anywhere.

That’s scary.

Unfortunately, as incredible as the technological advances are, it has become far too common to wake up in the morning and read about yet another massive data breach that disrupts a large organization with an important online presence.  All the while, disrupting innocent and unsuspecting customers using their service and leaving their suffering in their wake.

This doesn’t just happen to big companies.

All it takes is one employee mistake.  Whether it’s an executive using the wrong Starbucks wi-fi or your assistant making the misstep of sharing his or her passwords.  One simple slip can put your small or medium business at the top of the list for a security breach.

 

We at SDD want to minimize the risk your employees face to being subject to a security hack.  Therefore, we’ve compiled the five worst corporate security breaches of all time, how they happened and some important tips so this won’t happen to you.

Educate your employees about the latest phishing scams attempting to infiltrate your network.  Use SSL certificates for your website’s transaction security.  These act as padlocks to thwart identify thieves from stealing your sensitive information.  Also, make sure you have the proper malware blockers installed to your network, these security systems protect your business from destructive viruses.  And, always keep your employees in the know of the latest password rules and regulations for your business.

So please, read carefully and never stop working to keep your small business safe.

#5: eBay

The fifth on our list, the digital buying and selling giant, and one of the most widely used services in the history of the internet.

Here’s what happened.  Targeted eBay employees were sent phishing emails, which are fraudulent messages appearing to come from legitimate sources, in attempts to get them to divulge sensitive information.  When these employees clicked on the embedded link, malware was installed on the computer and the attacker gained control of their computers, eBay’s network, and all customer information.

What’s troubling here is that their database was hacked between late February and early March and the breach was not detected until May, allowing hackers access to eBay customers’ names, their encrypted passwords, email, registered addresses, phone numbers and date of birth.

Within five months the hackers breached a total of 145 million user accounts.  However, eBay and its users were all fortunate the hackers did not gain access to PayPal’s financial information, thankfully leaving customer purchase data safe.

Phishing attacks have become increasingly common in the business world and a key strategy for thieves to gain access to secure information.  However, thieves are taking it one step further by using new social engineering tactics.  The thief will send a phishing email to your employee, and then follow up with a phone call, making the interaction that much more believable.  The call will always be used to persuade the employee to click on the link, which would install the malware.

If it can happen to eBay, it can happen to your business.  At a minimum you should have an SSL certificates to protect your transaction activity and malware blockers installed.

For more information on keeping your digital sector of your small business secure please visit https://www.godaddy.com/web-security for a variety of different layers and tactics that can and will help identify and prevent your company from being breached.

#4: LinkedIn

Back in 2012, LinkedIn was the victim of an unauthorized access and disclosure of more than six million members’ passwords.  The security breach gave hackers access to users’ email addresses, passwords and other information. 

LinkedIn’s IT security responded immediately and required a mandatory password reset for all the accounts it believed were compromised. Not all employees complied.

Very shortly after the first breach, the LinkedIn security teams became aware of a second massive breach.  Despite LinkedIn’s enhanced efforts to protect user passwords—called salting and hashing—the Russian hacker known as “Peace” was able to infiltrate LinkedIn’s system, which resulted in an overall breach of a staggering 117 million LinkedIn members.

Even though LinkedIn’s security and IT departments had taken major precautions by hashing and salting every password in their database, which is adding an additional piece of code that encrypts the user’s information, it was still accessed.

We suggest you do two things right away.  First, visit a small business expert like https://www.godaddy.com/web-security for more information on how to properly protect your business and your customers’ digital information.  Second, tell your employees to reset their passwords with some type of phrase only they would know and make sure they’re always on the lookout for phishing scams.

For your personal or business hardware and paper destruction needs, please visit https://sddestruct.wpengine.com/business-document-shredding/ we’d be happy to help.

#3: Myspace

While Myspace is no longer making headlines, breached user data never really dies.

In 2014, a large set of stolen Myspace usernames and password combinations were discovered available for sale in a dark web online hacker forum.  Myspace tracked the information and was able to trace it back to Peace, the same Russian hacker who infiltrated LinkedIn the same year.

The original reports stated that there were more than 360 million accounts breached.  Each record contained an email address, password, and in some cases, a second password.  Security researchers stated that it was the largest data breach of all time.

Much like LinkedIn, the passwords were salted and hashed.  Myspace’s security force confirmed that the breach had no effect on any of its other platforms, apps, subscriber information, or other media properties, nor did the leaked data include any confidential financial information.

A near-foolproof option for employees is to use more complicated passwords (like phrases only they would know), reset them periodically, and take advantage of password management tools like https://www.lastpass.com to help keep track of your logins.

For any additional questions, please contact us. We’d be happy to help.

#2: Yahoo

You may want to be sitting down for this one.

In sheer size, it’s the most widespread data breach in history.  In 2013, it was first reported that email usernames and passwords of around six million of its account holders had been breached.

Yahoo’s PR and tech security teams swiftly dealt with the issue, notifying users with emails to change their login credentials. 

At the time, Yahoo believed it had nipped the problem in the bud.

However, throughout the Verizon merger process in 2016, Yahoo discovered the security breach had affected every single user account that existed at the time.  Not six million, but three billion users!  Three billion, and the majority of those were not notified that their account was hacked.

The sad truth is that if you had a Yahoo account from 2013 to 2016 your account was hacked.  Plain and simple.  The names, email addresses and passwords, of your and my email accounts were breached.

Yahoo still has not provided any information about the suspected hackers.  They required multiple password changes and invalidated unencrypted security questions to protect user information.

Our tip to you, for any questions or concerns for your business, check out https://www.godaddy.com/web-security/website-security for expert advice on small business web security.

Remember, try to have your employees consistently update their passwords and implement multiple step authentication on all their accounts.  Make sure they’re not accessing confidential information on shared or unsecure wi-fi connections, and always have conversations about the latest tools and tactics to avoid the ever-present phishing scams.

If you ever have any questions or concerns about hardware destruction, please see our article on hard drive destruction.

#1: Equifax

You couldn’t have traveled far enough away to escape hearing about its monumental mistake.  Without a doubt, Equifax’s breach is the most significant data breach in history. 

This breach wasn’t so much about the quantity of customers effected, but the quality and importance of the content that was breached.

Where almost all digital IT thefts in the past have involved stolen email addresses, phone numbers, and login credentials, Equifax’s information was much more sensitive.

Plain and simple, this 143-million-person breach went to the core of some of the most important information about Americans: names, Social Security numbers, birth dates, addresses, and in some instances, driver’s license numbers.

 

More than two months went by before Equifax reported the breach.  Once again, even with a highly sophisticated security team and an immense budget, they still were targeted.  If your business is ever the unfortunate victim of a security breach—immediately—contact a small business security expert like GoDaddy, or visit https://www.godaddy.com/web-security/malware-removal for an efficient and effective strategy on virus removal.

A greater emphasis on privacy helps create a culture that values security and employee privacy.  Keeping your business secure will take a combination of security tools and employee education if you are to stay ahead of thieves.

If you have any questions, concerns, or tips, we’d love to hear from you.

Please visit our website at www.sddstl.com or if you’d like to learn more, give me—John Steinhauser—a call at (314)795-0004 or email me at john@sddstl.com

And, stay safe out there!

John Steinhauser, co-owner, Secure Document Destruction of St. Louis (SDD).