What to shred and when - a security guide for small businesses


In today's digital landscape, being cyber secure is imperative to future business success - no matter your seat size or industry. While new trends such as zero trust security or VDI can help strengthen your cybersecurity, today we want to revisit a more analog side of cybersecurity that is just as important to keeping your employees, clients, and business data secure: shredding.


Document destruction services such as shredding should not be overlooked when reviewing your company’s cyber hygiene. Easy access to physical documents can jeopardize your business, whether that is your company’s financial information left unattended on a printer or an employee’s social security number left on a desk in human resources.


This blog will guide you through what to keep, what to shred, and how to train your employees to be more cyber secure. 


Tax Records


The Internal Revenue Service has some straightforward guidelines for how long you should keep your tax records. 


Rule of thumb: Keep all tax returns - these should be permanently on hand. All other supporting documents can be kept up to seven years - when the period of limitations for the tax return runs out. Supporting documents include records that support an item of:


  • Income
  • Deduction
  • Or credit shown on your tax return

However, if you are very thorough with your tax documents (i.e., if you filed your return and it was genuine, not fraudulent), you can reduce the period of limitations to three years.

See IRS for the complete list. 


Employment Tax Records


Keep employment tax records for at least 4 years after the date that the tax becomes due or is paid, whichever is later. These records include: 


  • Your employer identification number.
  • Amounts and dates of all wage, annuity, and pension payments.
  • Amounts of tips reported.
  • The fair market value of in-kind wages paid.
  • Names, addresses, social security numbers, and occupations of employees and recipients.
  • Any employee copies of Form W-2 that were returned to you as undeliverable.
  • Dates of employment.
  • Periods for which employees and recipients were paid while absent due to sickness or injury and the amount and weekly rate of payments you or third-party payers made to them.
  • Copies of employees' and recipients' income tax withholding certificates (Forms W-4, W-4P, W-4S, and W-4V).
  • Dates and amounts of tax deposits you made.
  • Copies of returns filed.
  • Records of allocated tips.
  • Records of fringe benefits provided, including substantiation.


Bank and Credit Statements


If you still only receive your bank or credit statements via paper/mail, hold onto these records for twelve months. If the record is tax-related, such as charitable statements, hold onto those for three years. 


If this information is accessible via an online portal, shredding paper statements sooner can help protect this information from prying eyes.¹


Property Purchase Records


Keep these records to help you figure any depreciation, amortization, or depletion deduction, and to figure the gain or loss when you sell or otherwise dispose of the property.


To be safe, you can shred your property documents seven years after you no longer own that property. 


Human Resource Documents


According to the U.S. Equal Employment Opportunity Commission (EEOC)², employers must keep all personnel or employment records for one year. If an employee is involuntarily terminated, his/her personnel records must be retained for one year from the date of termination. Other employee documents and their timeframes include:


  • Payroll records = 3 years
  • Employee benefit plans (pension and insurance) = FP
  • Written seniority or merit system = FP


*FP = Full period the plan or system is in effect and for at least one year after its termination


Legal Documents


Keep all legal documents - contracts and legal correspondence should never be shredded. Hang onto documents related to any legal claims or lawsuits, even the potential ones. 


Training your employees


Aside from what is listed above, the Better Business Bureau has one very simple rule when it comes to shredding: 


If you don’t need it, shred it - responsibly. 


To help teach your employees to shred everything on a regular basis, consider implementing a Shred-All Policy. 


What is a Shred-All Policy?

A Shred-All Policy is pretty straightforward - shred every document once it is no longer needed. Shred-All Policies are effective for preventing security breaches by eliminating the chance for human error (i.e. confidential paperwork doesn’t have the chance to fall into the wrong hands), and they help your organization stay compliant if you fall under laws like HIPAA or FACTA.


Implementing a Shred-All Policy also helps eliminate employee confusion on what to shred and what not to shred. By keeping the rules simple - shred everything - employees no longer have to decide what is and what is not confidential. 


How to Implement a Shred-All Policy

Shred-All Policies can be implemented in just three easy steps: 


  1. Place secure collection bins throughout your office
  2. Train your employees on your Shred-All Policy and encourage them to use the secure collection bins
  3. Designate someone in your company to keep the policy on track. Have quarterly audits on the Shred-All system to ensure every department is following the Shred-All policy guidelines.


Consider implementing a Clean Desk Policy

Another “analog” approach to cybersecurity is implementing a Clean Desk Policy.


A Clean Desk Policy specifies how employees should leave their working space when they leave their office. Most policies require employees to clear their desks of all papers at the end of the day, such as:


  • Confidential documents
  • Confidential letters
  • Binders
  • Post-its
  • etc.


We recommend taking this a step further and having all employees put their computer to sleep every time they step away from it, so it isn’t accessible to bad actors.


Implementing a Clean Desk Policy requires employee training on policy guidelines, providing locked storage for valuable documents (that aren’t ready to be shredded), and ensuring managers perform regular spot checks. 


Who to trust to do your shredding

Whether you’re looking to perform yearly purge jobs, or you’re interested in implementing a Shred-All Policy, a third-party shredding provider can help you securely and responsibly destroy and dispose of your confidential documents. 


VLCM Intellishred offers professional, high-level, secure document destruction services for the State of Utah. We specialize in onsite shredding, secure containers, recurring pickups, proof of protection, and are NAID Members - which means we strive to adhere to the stringent security practices and procedures established by the National Association for Information Destruction. We also offer 1-time scheduling, purge jobs, hard drive destruction, and securely recycle the job once it is destroyed.


Talk to one of our shredding experts today by visiting www.vlcm.com/intellishred

  1. https://www.investopedia.com/ask/answers/090716/how-long-should-you-keep-bank-statements.asp 
  2. https://www.eeoc.gov/employers/recordkeeping-requirements