Poor document management fuels ID theft

Fraudsters trawl through the rubbish bins outside business premises in search of personal details, says Cleardata.

By Admire Moyo, ITWeb's news editor.
Johannesburg, 16 Sept 2014

Businesses that fail to effectively dispose of documents containing personal details of customers and employees are placing these stakeholders at an increased risk of identity theft.

This is according to Gianmarco Lorenzi, MD of Cleardata - a group company of JSE-listed Metrofile - who says one of the easiest ways for fraudsters to obtain the necessary details to conduct ID fraud is by going through the rubbish bins of businesses. "Businesses often fail to realise the importance of effectively destroying documents containing client and employee personal information."

In SA, under the Protection of Personal Information (POPI) Act, companies that fail to protect their customers' or employees' personal information face a fine of up to R10 million - or a decade in jail - if they breach its provisions, and could also encounter civil class-action lawsuits.

The Act was signed into law by president Jacob Zuma in November last year, but a commencement date is yet to be announced.

Lorenzi says the number of identity theft cases reported to the Southern African Fraud Prevention Service (SAFPS) by the end of April 2014 increased by 16% year-on-year to 1 370 and could exceed 4 000 by the end of the year if the trend continues.

He says fraudsters trawl through the rubbish bins outside of businesses in search of personal details which they use to access credit reports. "Once they have the credit report details, they can access every account and bank number and use this to create new credit in the name of the victim."

Technology has played a role in making it easier for fraudsters as they simply use desktop publishing tools to scan and duplicate a variety of corporate documents - such as purchase orders, invoices, bank statements, cash and credit card receipts or even stock certificates - containing company logos, he says. "It is vital that these documents are properly destroyed by shredding them and not carelessly throwing them away in exposed bins."

He says small businesses, especially those located in rural areas, may be at greater risk, as they are often under the misperception that only larger organisations situated in urban areas are targets for corporate identity theft. "This is actually not the case. Businesses of all sizes and in all locations can be exploited and must therefore employ effective document destruction practices."

Jason Schoultz, Nashua's business solutions manager, says making sure each and every document in a workflow adheres to compliance regulations can be a nightmare - even for the smallest of companies.

With proper managed document services in place, he says, compliance issues are easily automated and businesses can be assured that, should they ever undergo an audit, every document that was destroyed or archived was handled in accordance with the law.

"With the proper managed document services processes in place, a document can move from point A to point B, but only if the rules that have been placed on that document are observed. Eventually, that document can move to a server for storage, or it can be moved off-site with the relevant reference codes," says Schoultz.

Lorenzi advises businesses seeking the services of a reputable document shredding company to check that the firm has been certified by the National Association for Information Destruction, the international trade association for companies providing information destruction services, to ensure compliance with legislative requirements and industry best practice for document destruction.

Those businesses not practising sound document destruction are simply placing the organisation, employees and clients under unnecessary risk of identity theft, concludes Lorenzi.