Shredding Laws Apply To Every Business
Have you ever wondered why document shredding and data destruction services were invented, and why they're so important? Keep reading to learn about the laws governing document destruction and the history of document shredding services. And you're searching for a shredding service near you in South Florida, don't hesitate to contact Shred Monkeys via phone or email today.
Early Protections of Privacy:
The concept of protecting the privacy or ordinary citizens did not gain prominence in the United States until the beginning of the information age. The problem came from the rise of identity theft. Leadership in privacy issues came from the U.S. Congress in the form of the following acts:
Social Security Act of 1934
Makes it illegal to disclose an individual's social security number and personally identifiable information which is obtained by means of a social security number.
The Florida Information Protection Act of 2014 (FIPA)
The Florida Information Protection Act of 2014 (FIPA), which became effective July 1, 2014, expanded the requirements on covered entities that acquire, maintain, store or use personal information of Floridians. As part of a growing trend in state legislatures, Florida's new data breach and security law expands notification requirements on covered entities that experience a breach of security. These new requirements should be reviewed by any entity with a presence in Florida.
After a unanimous passage of Senate Bill 1524, FIPA was signed into law by Florida Governor Rick Scott on June 20, 2014. The new law repealed Florida's prior data breach notification statue, Fl. Stat. § 817.5681, and replaced it with § 501.171. The new statute made several significant modifications to Florida law that can reach businesses, government and other entities far beyond the state's borders.
Below is a brief summary of the Florida Information Protection Act, including significant changes from the state's prior data breach notification statute.
Any commercial or governmental entity that acquires, maintains, stores or uses personal information of individuals in the state is subject to this law. The new statute no longer has language limiting its application to those who "conduct business" in Florida.
Accordingly, although this is a Florida statute, companies in other jurisdictions, including international entities, should assume this statute will apply in the event they experience a breach of security affecting any individuals in Florida, regardless of their number.
Privacy Act of 1974
In establishing this act Congress found:
- "The privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information." The increasing use of computers and sophisticated information technology has greatly magnified the potential for harm to the individual
- The opportunities for an individual to secure employment, insurance, and credit are endangered by the misuse of certain information systems.
- The right to privacy is a personal and fundamental right protected by the Constitution of the United States
- Protections were extended to any records containing individually identifiable information including but not limited to:
- Education
- Financial Transactions
- Medical History
- Criminal History
- Employment History
- Photographs
- Fingerprints
- Voiceprints
Right to Financial Privacy Act of 1978
This act, under the auspices of the FDIC, targeted industrial loan companies, trust companies, saving associations, building and loan companies, credit unions and consumer finance institutions. It's focus - financial transactions. The significance is that it is focused within a single industry and this "industry-specific" model will be used again in the modern era.
A proliferation of states laws followed the lead presented by these acts and specific professions have developed a Code of Ethics in the fields of banking, medicine, legal and accounting. These Ethics restrict how information is used and they are based on the principles described by law. These laws provided penalties that included actual damages, punitive damages, and even jail time, but investigation and enforcement of these laws was lacking. This lack of enforcement led to a situation where privacy rights were given only casual attention by just about all stakeholders.
A Defining Case in 1988 - The Peril of Discarding Information as Trash
The United States Supreme Court in California v. Greenwood was presented a case that helped define Privacy Rights as it relates to material discarded as trash. Greenwood had thrown out information in his trash that incriminated him in a crime and the information was used to gain a conviction. Greenwood claimed that he was the victim of an unlawful search and that his privacy rights had been violated.
In it's ruling the Supreme Court stated that there could be no expectation of privacy in trash left accessible to the public. They further stated it is common knowledge that garbage is readily accessible to animals, children, scavengers, snoops, and other members of the public.
At least seven types of people are known to go through your trash:
- Criminals
- Investigators
- Journalists
- Scavengers
- Competitors and their agents
- Trash hauling companies
- Law Enforcement
Bringing this up-to-date, people now also know that some trash is sorted by waste management companies for recyclables and that identity theft often results from "dumpster diving." In fact, at a recent privacy convention held in New York City, it was noted that the cannon fodder for the class action suits of the future would come from confidential information found in the trash of well-heeled organizations. The legal exposure someone who claims that confidential materials were inadvertently discarded as trash is great - especially in the absence of an established document destruction program.
The Modern Era of Privacy Protection Legislation
Privacy protection is experiencing a rebirth in legislative activity. The runaway crime of "identity theft" is largely responsible in causing a groundswell of interest in the electorate and hence in our state and federal politicians. "Identity theft" also has a connection to national security issues and controlling it may literally become "a matter of life and death." Here are a few of the major initiatives.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Covers health plans, health care clearing houses, health care providers. It established national standards for the protection of health information and a timetable for implementation. Enforcement includes civil and criminal penalties. The Department of Health and Human Services is responsible for enforcement.
Economic Espionage Act of 1996
This act helps companies recover damages from loss of trade secrets as a result of industrial espionage from interstate or foreign competitors. The Attorney General or organization can initiate action. One requirement of the act is that trade secrets must be the subject of adequate safeguards. This implies that trade secret information cannot be thrown in the trash for a prosecution to be effective.
Gramm-Leach-Bliley Act of 1999
Rules concerning financial information and privacy notices. Under the GLB Safeguards rule there are requirements for adequate administrative, technical, and physical safeguarding of personal information. The FTC is responsible for enforcement.
Fair Credit Reporting Act of 2001
Promotes accuracy in consumer reports and is meant to ensure the privacy of the information in them.
Sarbanes-Oxley Act of 2002
The law raises the stakes for disposing of records to avoid prosecution and therefore more pressure on data privacy and on having formal rules for what information must be securely retained and what information can be destroyed. The law also raises the bar for oversight and the need to publicly report known problems.
Fair and Accurate Credit Transactions Act of 2003 (FACTA)
This act expanded several FCRA provisions and provides protection for victims of identity theft and includes one free credit report per year. The FTC is responsible for enforcement. The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to - or use of - information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
- reviewing an independent audit of a disposal company's operations and/or its compliance with the Rule;
- obtaining information about the disposal company from several references;
- requiring that the disposal company be certified by a recognized trade association;
- reviewing and evaluating the disposal company's information security policies or procedures.
Just about every state has/is also passing laws to protect privacy and even at the federal level additional new laws are being considered such as the "Comprehensive Identity Theft Protection Act" sponsored by Schumer and Nelson in the U.S. Senate. Some states like California and Georgia are being particularly aggressive and new laws even require "self-reporting" of any security incident.
The message should be crystal clear that private and confidential information should no longer disposed of be in the trash. It must be destroyed using a reliable process as fast as the law allows.
Our highly trained Document Security Specialists can provide detailed information about exactly which privacy laws apply to your business or answer any questions that you may have.
Shred Monkey's Shred Size
Competitors Shred Size