Laws and Regulations Concerning Document Destruction...
The increase in
identity theft crimes has resulted in the enactment of several federal laws
designed to protect consumers' private information. Some states have
also enacted laws, including the states of California, Wisconsin and
Georgia. In the state of Georgia, the primary law all businesses should
concern themselves with is the Georgia Information Privacy Act SB475.
Georgia Information Privacy Act SB475
Georgia State Bill 475 was passed to ensure all companies properly
destroy any document that contains individuals’ private information.
Specifically, section 10-15-2 states:
A business may not discard a record containing personal information unless it:
- Shreds the customer's record before discarding the record;
- Erases the personal information contained in the customer's record
before discarding the record;
- Modifies the customer's record to make the personal information
unreadable before discarding the record; or
- Takes actions that it reasonably believes will ensure that no
unauthorized person will have access to the personal information
contained in the customer's record for the period between the record's
disposal and the record's destruction.
In addition to Georgia’s law, the following Federal Laws also require
businesses to properly destroy any document containing personal
information.
FACTA
The Fair and Accurate Credit Transactions Act of 2003, also known as the
FACT Act, was signed into law on December 4, 2003. The Act amends the
Fair Credit Reporting Act ("FCRA"). The Act contains a number of
provisions intended to combat identity theft, consumer fraud and
related crimes. Specifically, the Act requires the destruction of PAPERS
CONTAINING CONSUMER INFORMATION. Virtually every business or
organization is bound by this law.
The DISPOSAL RULE
Sec. 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses consumer
information, or any compilation of consumer information, for a business
purpose must properly dispose of such information by taking reasonable
measures to protect against unauthorized access to or use of the
information in connection with its disposal.
(b) Examples. Reasonable measures to protect against unauthorized
access to or use of consumer information in connection with its
disposal would include:
(1) Implementing and monitoring compliance with policies and procedures
that require the burning, pulverizing, or shredding of papers
containing consumer information so that the information cannot
practicably be read or reconstructed.
National Consumer Law Center: http://www.consumerlaw.org/initiatives/facta/nclc_analysis.shtml
Federal Trade Commission: http://www.ftc.gov/os/statutes/fcrajump.htm
Privacy Rights Organization: http://privacyrights.com/ar/FTC-DocDisposal.htm
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was
enacted in 1996 and includes provisions intended to safeguard the
privacy of patient health records. HIPAA is a significant piece of
legislation with onerous penalties. For the full text of the SUMMARY OF
THE HIPAA PRIVACY RULE from the Department of Human Services, available
online, go to: http://www.hhs.gov/ocr/privacysummary.rtf. See page 14 of
this document regarding shredding information.
Penalties for HIPAA Violations: http://www.utmb.edu/compliance/hipaa/hipaa-overview.htm#penalties
American Medical Association: http://www.ama-assn.org/ama/pub/category/11805.html
Health and Human Services: http://www.hhs.gov/ocr/privacysummary.rtf
GLB (Gramm Leach Bliley)
Gramm Leach Bliley (GLB) is another federal law with a much broader
scope than HIPAA. This law was designed to compel financial
institutions to "respect the privacy of its customers and to protect
the security and confidentiality of those customers' non-public
personal information." This language suggests that paper documents
containing such personal information should also be protected when in
use and safely destroyed when no longer current and usable.
Senate Banking Committee Report: http://banking.senate.gov/conf/confrpt.htm
Federal Trade Commission Report: http://www.ftc.gov/privacy/glbact