Scanner or shredder?

[hownowbrowncow]

I am somewhat of a packrat when it comes to paperwork and trying to streamline as part of my long-term decluttering project.  I think most of these can go but wanted to hear what others keep vs. toss.

   • Old 1040s (dating back to 2001)
   • Old W-2s, 1099, 5498s, etc (dating back to 2001)
   • Certificates of prior group health coverage (dating back to 2002)
   • Final paystub from previous jobs (dating back to 2002)
   • Invoices/receipts for medical expenses - post reimbursement from insurance provider (dating back to 2005)
   • Invoices/receipts for FSA purchases - post reimbursement from account (dating back to 2013)
   • Unemployment check stubs (2008-2010…retire early and often right?)
   • Paperwork relating to cars no longer own (one 2008-2010, one 2011-14 - this one was totaled beyond repair in car accident )--> all this can go right? 

What goes to the shredder?  What goes to the cloud (after blacking out SSN)?

[Retire-Canada]

I keep anything tax related back 7yrs including the current year. Everything else lasts 12 months from when the last related transaction was concluded before it gets shredded.

-- Vik

[Spork]

My personal opinion (and lots of people will disagree with this):  You don't put anything on "the cloud" that you think is important.  You should always replace the word "the cloud" with "oh well, maybe someone else will take care of it."   If it's not under your own control, you don't know what will be done -- and not just hacked, but lost without even an apology. 

I've got no problems digitizing things, but I'd keep a copy locally and put another in a safe deposit box. 

If you do decide to put it on the cloud... don't black out things.  Just use good encryption.  And I mean really good encryption.  Lots of folks seem to be gathering data that is encrypted with the idea that "some day we'll have enough horse power to decrypt this."

[seattlecyclone]

Yes, encryption is key. As to cloud vs. not cloud, having things under your complete control is only better if you actually do it. If uploading encrypted files to the cloud is something you'll actually do, while updating your offsite backups is something you'll "get around to someday," go with the cloud storage. Any of the big providers (Google, Dropbox, et al) are exceedingly unlikely to just erase your content without ample warning. For better results, upload the same encrypted folder to three different services.

[hownowbrowncow]

You guys are right - forget the cloud.  I totally blanked on my external hard drive.  Currently gathering dust with plenty of room to spare.

[Learner]

Careful on single point of failure external hard drive.  I just did a recovery for a co-worker who had all his son's baby pictures, etc on one (that was his only source).  I was only able to get back about 70 / 150 GB, so who knows what he lost in the meantime.

Two copies should be pretty safe.  The idea behind offsite if you're unfamiliar is for disaster recovery, e.g. what if there is a fire?

[Scandium]

My personal opinion (and lots of people will disagree with this):  You don't put anything on "the cloud" that you think is important.  You should always replace the word "the cloud" with "oh well, maybe someone else will take care of it."   If it's not under your own control, you don't know what will be done -- and not just hacked, but lost without even an apology. 

I've got no problems digitizing things, but I'd keep a copy locally and put another in a safe deposit box. 

If you do decide to put it on the cloud... don't black out things.  Just use good encryption.  And I mean really good encryption.  Lots of folks seem to be gathering data that is encrypted with the idea that "some day we'll have enough horse power to decrypt this."

Do you consider a safe deposit box any safer than "the cloud" (whatever that means)? If so why? The bank can also loose your stuff, burn down or get robbed.

Dropbox, crashplan, spideroak etc keep multiple encrypted copies in several locations. I'd consider that at least as safe as a flimsy metal box in some building. And worse: how often will you actually take that failure prone HDD there..?

edit: for backup I'd recommend something like Crashplan. $50/year for unlimited storage that runs automatically in the background so nothing to remember to do. There are tons of ads for Carbonite but I used them and did not like it, I don't recommend them.

[acroy]

No need for paper records except (I think) such things as birth certs, titles, etc. We keep those in a small fireproof safe.

Scan and chuck the rest.

One digital copy at home and a backup at work (external hd) I manually update once a month.

[Capsu78]

Having suffered an unbacked up crash in 2007, I now have my PC and 3 external drives- 1 at my desk and 1 at each of my kids homes.  They are all the same make and model, so I don't even have to pull the powercord at my PC- simply unplug and swap out with the off sight ones.  I backup the remote units about every 6 weeks or when I know I have been scanning heavily.  I am closing in on 100,000 images that I manage- My "hobby" is digitizing our family pics and I have been at it for over 6 years now. 

[AmbitiousCanuck]

What goes to the shredder?  What goes to the cloud ?

That is entirely a personal choice, other than knowing that you need to keep 7 years of tax returns.  I went through this same process recently, and I decided to scan a copy of every one of my tax returns, for example, just for my own records.

But the rule of thumb here, is if you ever think you might need or want to look at the document in the future.... scan it.  It only takes a couple minutes.  Otherwise shred it.

I scan everything I possibly can as soon as I receive it, and only keep a small shoebox of certain things like receipts for purchases that have a warranty or I might need to return, old bus passes for taxes, etc.  Any important documents like a lease or birth certificate go in the safe.

[Spork]

My personal opinion (and lots of people will disagree with this):  You don't put anything on "the cloud" that you think is important.  You should always replace the word "the cloud" with "oh well, maybe someone else will take care of it."   If it's not under your own control, you don't know what will be done -- and not just hacked, but lost without even an apology. 

I've got no problems digitizing things, but I'd keep a copy locally and put another in a safe deposit box. 

If you do decide to put it on the cloud... don't black out things.  Just use good encryption.  And I mean really good encryption.  Lots of folks seem to be gathering data that is encrypted with the idea that "some day we'll have enough horse power to decrypt this."

Do you consider a safe deposit box any safer than "the cloud" (whatever that means)? If so why? The bank can also loose your stuff, burn down or get robbed.

Dropbox, crashplan, spideroak etc keep multiple encrypted copies in several locations. I'd consider that at least as safe as a flimsy metal box in some building. And worse: how often will you actually take that failure prone HDD there..?

edit: for backup I'd recommend something like Crashplan. $50/year for unlimited storage that runs automatically in the background so nothing to remember to do. There are tons of ads for Carbonite but I used them and did not like it, I don't recommend them.

I do.
Here's a quick handful of reasons... I think I could come up with more if I thought about it:
* I've been there.  I've seen the setup.  It is specifically set up such that only key holders have access.  It is specifically set up for fire.  It is not a flimsy metal box.  (Well, it is, but it is a flimsy metal box inside another box inside a big ass vault.)
* It is a pay service.  (This applies also to things like crashplan, but DOES NOT apply to things like google/dropbox/etc.).  Why this is important is: if you don't know how they're making money, then you are the product.  They're either mining your stuff to toss ads at you or they're working on a flimsy business plan.  EVEN IF IT IS A PAY SERVICE -- you need your own third party encryption on it.  If the service provide provides encryption and has the encryption key (or has it in key escrow) -- it shouldn't be considered secure. 
* Historically lots of cloud services have just evaporated.  Off the top of my head I can think of xdrive, ubuntu-one, ghost-cc, nirvanix, verizon and symantec's clouds that just went poof.  Google also has the reputation for just suddenly deciding they don't like a service and turning it off.  Dropbox has been accused of having their daemon browse through files on your computer that were outside of the dropbox folders.  I'm not sure this was ever proven -- but there was a bit of a scuttlebut about it.  They certainly do poke through your files once you upload them.
* It's not just will the data go away when you do not want it to... It is also how do you make the data go away when you do want it to?  Cloud services are likely to keep many multiple copies of your data.  Deleting your data is likely not to delete it elsewhere.  Items that are in your control can be physically wiped/deleted/destroyed in a manner that even a properly executed search warrant cannot get.   If there is an encrypted copy still in existence after you delete it, you can still be compelled to supply the encryption key (or held in contempt if you don't).
* You don't know (particularly with free services) how the data is shared.  More than a handful of large data companies seem to be sharing data both with business partners and governments.  You don't generally know what sort of Patriot Act type data seizures occur.  There is a much more established warrant procedure (or at least I think there is) with physical safe deposit boxes.
* Yes, safe deposit boxes get robbed.  Historically it is pretty rare.  And usually it is for specific valuable items (jewelry, gold, guns, etc.)   Data is not usually a target (though that could change).  Online robberies target data specifically and are more likely to take everything (and sort out what is valuable later).  I've watched a few online hacks happen in real time -- and this was long enough ago that personal bandwidth was a fraction of today.  Even then, TONS of data was taken.

Some of these things can be mitigated by very strong encryption.  But ... most people don't have an idea what strong encryption is.  And it is hard to know what key length is going to be good 10 years from now.  Storing things that are encrypted now for attack later is a real thing now.

How often do I take things?  Once a quarter.  I actually have onsite backups that run every other day (with about 30 copies onsite) with a once-a quarter offsite copy.  This isn't good enough for business use, but I think it's fine for personal use.

[Scandium]

How often do I take things?  Once a quarter.  I actually have onsite backups that run every other day (with about 30 copies onsite) with a once-a quarter offsite copy.  This isn't good enough for business use, but I think it's fine for personal use.

Sure, I guess. I'm just not as worried about the cloud as you are then, or as fond of bank boxes. I've never had a deposit box, just seems like an antiquated thing my dad used. Having to go to a bank during opening hours? Ohgod, no thanks. I barely manage to have time for an oil change 1-2 times per year..

If i want backup of my family photos, which can be several hundred in a week now with a new baby, I don't consider going there four times per year adequate. Constant backup on my PC is required. Yes crashplan has the crypto key. Russian hackers or the NSA can get my photos. Oh well I can live with that risk, which I consider less probably and lower damage than a fire destroying large part of my photos. And with spideroak (I think) you can choose to not give them the key at all. 448 bit encryption. I'm not sure at what point you'd be able to brute-force that, but by that time the data would be outdated anyway. If they key is only in your head you cannot be compelled to hand it over, per 5th amendment. I know this is somewhat contested, but I can't see how it can't end that way in the end.

All my tax and financial documents are encypted with Truecrypt with a 20+ character password on my HDD before it's sent to crashplan. (And the NSA getting my tax return? They're the government, they have that already!). I store this folder on dropbox, but trust the encryption enough.

Yes if you have something that can (seriously) incriminate you it shouldn't be sent off, but that shouldn't be stored digitally at all! Use an air-gapped PC, overwrite that HDD a dozen times and buy some termite.. 

So basically:
- Photos I trust the backup encryption enough and don't care a whole lot. And need immediate backup.
- Sensitive documents I encrypt myself and then send off. And there are options for stronger encryption with companies with deniability. (and majority of my sensitive documents involve the government so the NSA threat is somewhat moot)

Do whatever works for you, but I don't see this as inherently unsafe, or any less safe than a bank box. Which could be searched in a second with a warrant as well.

[Cpa Cat]

Up to the 6 year mark, your supporting tax documents are more important than your tax return. If you were ever audited, 6 years is the extreme limit (with 3 being the normal limit) - assuming you actually filed a tax return. If you didn't file a tax return, then keep those documents indefinitely. In an audit, you'd be asked to substantiate what you put on your return (supporting documents). You could always get a transcript of your actual return from the IRS.

After the 6 year mark, your actual return is far more important. Why? Because the IRS limits how long you can easily get a transcript (technically they limit it to 3 years, but if you were audited between 3-6 years, you could still get it from your auditor). If you did want to refer to your tax return, your copy is what you'd want. The main reason to look back at your returns are issues of basis. But sometimes you want to know income or other information. After 6 years, there's basically no reason to keep any of the supporting documents (W-2s, medical invoices).

If you didn't file a return - again - keep it forever. There's no telling when you might decide you need or want to file a return (Ok, it's pretty extreme to think that you'd need your old W-2 20 years after you worked there). Technically there is no statute of limitations on non-filed returns.

For checkstubs - think about why you're keeping them. If that money appeared in your bank account, then why would you need the checkstub?

I'm in the scan and shred department for everything. I try to stay paperless. I do the double external harddrive - one at home and one secured offsite. It's possible that the FBI is looting my safety deposit box even now.

[arebelspy]

Scan, then shred.

[Spork]

How often do I take things?  Once a quarter.  I actually have onsite backups that run every other day (with about 30 copies onsite) with a once-a quarter offsite copy.  This isn't good enough for business use, but I think it's fine for personal use.

Sure, I guess. I'm just not as worried about the cloud as you are then, or as fond of bank boxes. I've never had a deposit box, just seems like an antiquated thing my dad used. Having to go to a bank during opening hours? Ohgod, no thanks. I barely manage to have time for an oil change 1-2 times per year..

Part of it was: I already had one.  I had it for other reasons.  And: yeah, I'm old, so antiquated might == me.  ;)

If i want backup of my family photos, which can be several hundred in a week now with a new baby, I don't consider going there four times per year adequate. Constant backup on my PC is required. Yes crashplan has the crypto key. Russian hackers or the NSA can get my photos. Oh well I can live with that risk, which I consider less probably and lower damage than a fire destroying large part of my photos. And with spideroak (I think) you can choose to not give them the key at all. 448 bit encryption. I'm not sure at what point you'd be able to brute-force that, but by that time the data would be outdated anyway. If they key is only in your head you cannot be compelled to hand it over, per 5th amendment. I know this is somewhat contested, but I can't see how it can't end that way in the end.

For family photos, cloud seems fine as a backup.  I agree.  Especially at the rate you seem to be generating them.  I'm lazy.  I like to roll all my info up into one "security level" ... or I could probably do the same thing.

As for compelled to give up keys: I totally agree with your sentiment.  The courts seem to disagree though.  No, they can't force you to give it up.  But they can lock you up for contempt until you do.

All my tax and financial documents are encypted with Truecrypt with a 20+ character password on my HDD before it's sent to crashplan. (And the NSA getting my tax return? They're the government, they have that already!). I store this folder on dropbox, but trust the encryption enough.

Truecrypt is fine crypto. 
As for NSA getting my financial documents... I consider that if the NSA can get it, so can anyone else.  NSA is just the one in the news at the moment.

Do whatever works for you, but I don't see this as inherently unsafe, or any less safe than a bank box. Which could be searched in a second with a warrant as well.

Searching with a warrant is fine.  That's how it's supposed to work.  Bank vault probably means warrant.  Cloud storage these days is likely to mean search without a warrant.  That was my point.  And deleting something may still leave it in the cloud, still searchable without a warrant or by criminal elements.

If I sound a bit paranoid... well, maybe I am.  I've worked in net security a long time.  I've seen a lot of some of the back end issues that never makes the news.  I've seen a bit first hand what the spooks have access to. 

[Scandium]

Searching with a warrant is fine.  That's how it's supposed to work.  Bank vault probably means warrant.  Cloud storage these days is likely to mean search without a warrant.  That was my point.  And deleting something may still leave it in the cloud, still searchable without a warrant or by criminal elements.

If I sound a bit paranoid... well, maybe I am.  I've worked in net security a long time.  I've seen a lot of some of the back end issues that never makes the news.  I've seen a bit first hand what the spooks have access to.

Ah yes that is true. The cloud will likely make it's way to the NSA at some point, warrant be damned. Might be a valid concern. Thankfully from what I've seen I don't think they can break into the trucrypt container at this point. The recent code review seemed to back this up. And by the time it gets broken it should only be old data, and the newer data is at a higher crypto level. SMall risk, but worth it for the backup convenience to me. Not sure I'd send everything to dropbox without having my own encryption though, I agree with that.

And if the NSA or Russian hackers really want to target you they'll put a keylogger on your PC and get everything anyway. I'm paranoid too, but don't have an air-gapped PC covered in tin foil yet:)

[arebelspy]

Use veracrypt, not truecrypt, it has replaced it since they stopped developing truecrypt.

[Snow White]

We have two external hard drives and back up everything religiously.  One hard drive lives in the bank safety deposit box and we switch it out at the beginning of each month.  In case of a fire or total home loss, we will only be a month behind on financial records, photos taken, etc.  It takes a commitment to do it initially but it now is a habit.  We also back up our Quicken data onto a flash drive after any transaction and it goes with us on vacation or if we are gone for any length of time.  Probably overkill.

I wouldn't rule out the cloud at some future time but not until I feel sure we can protect, retrieve and delete anything placed there.  I don't trust that I can do that right now so until then, I trek down to the bank once a month with my external drive. 😎

[Mirwen]

I was trained as a tax professional by a guy who worked for the IRS.  You only need to keep the last three years of tax returns.  The exception to this is in cases of proven fraud.  If you aren't defrauding your taxes you only need the last three years. For example 2014 tax return should be kept until April 15th 2018 (unless you filed later, then it's three years from the date of filing).  Keep your w2s (or a scanned copy is fine) until you draw social security.  This is your proof of your contributions in case they make a mistake.

I keep copy of all my vital records and tax returns for myself and my clients on my home hard drive, on a backup drive and in "the cloud."  The cloud is my offsite copy in case my house burns down.  If something goes wrong with my cloud copy I can just duplicate one of my home copies. I would never rely on just one copy even if it was supposedly backed up by the cloud provider. If I had to leave my home town and I didn't have any documents with me, I could obtain copies of everything just by logging into any computer with internet access. 

You may want to read this blog about surviving Katrina.  http://www.theplacewithnoname.com/blogs/klessons/p/0005.html The guy is a prepper, but concentrates his focus on how to protect your life in documents, because in the current society this is vital.  He carries a thumb drive with him at all times.  Plus it's an amazing read.