Here at The File Depot, we have noticed there is a lot of confusion surrounding the 7 levels of shred size. Where there once were 6, there now are 7 levels, and the transition is catching some people off guard. Various government bodies and individual companies alike are increasingly referring to paper shredding in terms of these levels. Here is a short read breaking down the 7 levels for the destruction of “P” materials, or paper-based materials.
New vs. Old Shred Level Standards
As of August 2012, there were 6 data destruction levels for paper-based documents. September 2012 rang in a new set of standards, the DIN 66399, which usurped the old standards of the DIN 32757. The new standards, created by the German Deutches Institut Fur Normung split two of the old levels, 4 and 6, leaving 7 levels of specifications for the destruction of six types of materials.
Many U.S. bodies have regulations that encompass shredding; the NSA and the Department of Commerce are just two, but deciding to what P-level a document should be shredded is still the responsibility of each individual company. Remember, it is always a good idea to talk with your security officer about the proper disposal of media for your company.
Why Do American Data Destruction Companies Use German Standards?
We use the German levels for several reasons.
The DIN 66399 provides very detailed information. For each level, there is a maximum area and width of the shred particle and verbiage detailing what sensitivity of information ought to be destroyed to what level. Though the levels refer to different sizes of shred and not too different types of machines, the clear distinction between levels makes it possible to classify machines as P-7, P-3, etc. based on what particle they create.
Germany holds the market on office duty shredders. Most of the office duty shredders sold in the United States are manufactured in and imported from, Germany. Naturally, the German government would have an incentive to create its own high-quality standards for data destruction.
The German standards are neatly contained in one document. U.S. government standards, however, are not contained neatly in one document like the DIN 66399. Before the most recent DIN, there was much less consensus on levels.
These documents address the destruction of all media together, meaning sometimes the standards for different types of media overlap. Comparatively, the DIN is a well-organized document that echoes what the international community generally thinks data destruction standards should be, not only for paper but also for five other types of media.
What is the Significance of the “P” Prefix?
The DIN neatly attaches a letter to each of the seven security levels in order to distinguish the different destruction standards for each type of data carrier (paper, film, CDs, etc.). Below is an in-depth explanation of the security levels for shredding paper documents, P1-7.
The 7 “New” Levels of Shredding Paper
P-7 (The old level 6)
What is this mysterious P-7? Due to advances in technology, the ability to recover microscopic print has driven the NSA to create an even tighter classified destruction standard. In order for a machine to be labeled P-7, the area of the particle it expels must be half the size of a P-6 particle, or 5mm2. More importantly, the width of the miniature shredded rectangle must be less than 1mm. This minuscule size allows that no more than 4 characters on microfilm may be distinguished.
As far as recreating the data? Impossible. In the future, someone may invent technology capable of re-formulating media from particles the size of grains of rice, but at this moment in time, no one has. When someone finally does, rest assured, there will be no dispute over why someone would purchase this technology, which in itself should provide a method of security.
P-7 shredding is used to destroy classified documents including secret and top-secret documents dealing with Communications Security (COMSEC), Secure Compartmentalized Information (SCI), and Special Access Programs (SAP). This is the level of shredding is found in SCIFs.
It is important to keep in mind that the sophisticated crosscut head of P-7 shredding allows a low throughput. Generally, the most heavy-duty machines for paper-based products are only capable of handling around 10 sheets per pass. Paperclips and staples are the kryptonite of the high-security shredder– which increases the risk of doing your shredding in-house. Utilizing a professional shredder will ensure that all paperclips and staples are removed before shredding.
Level P-6 (formerly level 5)
The P-6 is the old level 5. Years and years ago, level 5 satisfied the requirements for destroying top-secret data, but no longer. P-6 is now essentially obsolete and has been replaced by P-7.
P-6 shredding does not produce a particle small enough to comply with the NSA regulations for the destruction of classified data. P-6 shred particle size is almost exactly the same as the old level 5’s shred particle (there is a difference of ¼” in length).
Although P-6 is no longer supported by the EPL, some high-security conscious organizations do still opt to use this shred size because of familiarity with the old specifications, and for peace of mind.
Level P-5 (formerly level 4)
P-5 shredding is ideal for sensitive, but not classified information.
With the introduction of P-4, the old level 4 is now the new P-5. We see this option becoming more and more popular in the future, with advances in technology that make reformulating strip-cut particle possible in a matter of minutes.
Though P-5 shredding does not create particles small enough to validate shredding classified documents, it is appropriate for shredding social security numbers and other data of this sensitivity. This level of shredding would be useful for a CEO who is particularly protective of his paper documents, but for the average office, a higher throughput would be a more sensible approach. P-5 shredding is also often used to destroy Personal Identifiable Information (PII) and Controlled Unclassified Information (CUI).
NEW! Level P-4
P-4 is supposedly a “new” level, but it actually encompasses a subset of shredding is considered to belong under the old level 3: basic crosscut shredding.
The boundary between P-3 and P-4 is marked by a transition in particle size. Crosscut shredding provides an extra level of security in the shape of its particles: instead of long strips in a neat pile, crosscut shredding creates a tossed salad of irregularly-sized paper pieces, making reconstruction extremely difficult. P-4 crosscut is noticeably smaller than P-3’s coarse crosscut.
Though throughput is diminished with the use of a crosscut shredding, data security is increased due to the smaller residue.
P-3
A P-3 shred is the most popular size that satisfies not only FACTA, but also HIPAA, the Health Insurance Portability and Accountability Act. HIPAA is an exercise in civil rights that requires your medical records to be reduced to pencil-sized slivers, should your medical history be deemed unnecessary to keep.
If you switch doctors, the old office is required by the Department of Health and Human Services to destroy the old documents with at least P-3 shredding.
P-3 shredding level sports the highest throughput and the biggest particle size that still satisfies HIPAA regulations. As of the date this article was published, HIPAA requires at least a P-3, but we suspect the regulations may change in the future to reflect the change in security levels. Then, a P-4 will be the minimum level for HIPAA.
P-2
A P-2 shred has the same functionality as a P-1 shred, except the strips are smaller in width. Smaller strips are more difficult to piece together, which provides for more secure data destruction.
Still, the relatively thick shred size means that names, figures and phone numbers may still be legible without too much reconstruction. Although more secure than P-1, we normally recommend using at least a crosscut shred (which starts at level P-3) to destroy any document or media containing personally identifiable information.
P-1
P-1 is the lowest level of paper destruction, ideal for paper volume reduction and recycling. It is characterized by a wide strip cut particle.
All companies that need to dispose of consumer credit card information are required by the Fair and Accurate Credit Transactions Act (FACTA) to destroy information with at least P-1 shredding.
The rule states,
“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal”.
After this passage, the document lists several examples of proper data disposal, including shredding. This regulation leaves it up to the information handlers to decide what the “reasonable” level of destruction should be for their data.
Though frustrating and time-consuming, it is still relatively easy to piece together paper strips from a strip cut shred, compared to particles from a crosscut shred. Level 1 shredding is best suited for large scale paper recycling: newspapers, phone books, etc. Because of the simplicity of the shredder head, throughput is very high. P-1 shredding reduces paper volume quickly and efficiently.
Summary
We hope this in-depth explanation of each other the 7 data security levels makes it easier for you to decide when and where to dispose of your important documents. Remember, it is ALWAYS better to do as much of your data destruction with a professional shredding company.
Would you like to know more about the details of data destruction? Contact us today to find out how we can help!