RECMGMT-L Archives

Records Management

RECMGMT-L@LISTSERV.IGGURU.US

Sender: Records Management Program <[log in to unmask]>
From: Patrick Cunningham <[log in to unmask]>
Date: Mon, 22 Jan 2018 12:22:27 -0600
Generally, that's a bad idea. I also understand from conversations with a
commercial records center in the past that they will not deliver to
residential addresses, primarily for insurance reasons. In most cases, the
delivery point would also need to be "authorized" by the account owner. I
had considered testing that policy in the past by requesting that a box be
delivered to my house, but never pursued that for a variety of reasons.

I've had this question come up in the past. Similarly, remote employees
have asked to have shredding trucks stop by their homes.

This is something that should be documented in policy and tied into your
organization's approach to remote workers. The primary issue that is of
concern would be information security. In many cases, an employee's
residence cannot provide equivalent security for sensitive information. Any
information delivered to a residence could be exposed to visitors to the
home, service workers, relatives, etc. -- none of whom have signed (or
could be legally bound to) a non-disclosure agreement. While the
information is in the hands of the employee, the company could lose
oversight over the material. As we all know, it is often difficult to get
employees to return charged out boxes in the office -- what do you do if
the box is inside someone's home?

Another concern would be regulatory in nature -- your company likely is
regulated with regard to certain types of financial and personal
information. In the case of the PCI-DSS, very specific questions are asked
about the protection of payment card information including where it resides
and how it is secured. It would be difficult to impossible to perform a
physical security audit on every remote worker's residence and ensure that
sensitive information was protected adequately.

A secondary concern would be insurance-related. Over and above the
potential for the commercial records center to have concerns about
insurance on the employee's property (what happens if the CRC's employee
slips on ice and is injured?), some insurers may not provide coverage for
loss or damage of physical company information that is outside named
company (and service provider) facilities. What happens if someone's home
office is in the basement and the basement floods, damaging boxes of
company records?

The net of this is that companies need to have well-defined policies and
expectations relating to remote workers. In certain instances, a company
will provide certain kinds of office equipment to remote workers (chairs,
monitors, printers, shredders, etc.); in other situations, the employee
will be expected to provide these items on their own or via a company
stipend. Management also has to look at each employee and their role and
determine the fitness of both the employee and the role for remote working.
Technology is a great thing these days when it comes to working at home (as
I am doing today), but not every person or role is suited for this. If a
person's role requires regular access to physical records, it is likely not
a suitable role for remote working. If reviewing physical records happens
rarely, then the company should build in a mechanism to ensure that the
employee can get to a suitable company location.

Patrick Cunningham, CISM, FAI
