As organizations and individuals alike struggle with the constant threat of data breaches and identity theft, understanding the intricacies of document destruction laws becomes most important. This article delves into the diverse landscape of regulations governing the secure disposal of physical and digital documents, exploring the legal frameworks that dictate how to handle and destroy information to ensure privacy, compliance, and the protection of sensitive information. From industry-specific requirements to overarching privacy mandates, this comprehensive guide aims to unravel the complexities surrounding document destruction laws.
Early Protections of Privacy
The concept of protecting the privacy of ordinary citizens did not gain prominence in the United States until the beginning of the information age, and the driving problem was the rise of identity theft. Leadership on privacy issues came from the U.S. Congress in the form of the following acts.
Social Security Act of 1935
This act restricts the disclosure of information held in Social Security Administration records, including an individual's social security number and the personally identifiable information that can be obtained using it.
Privacy Act of 1974
In establishing this act Congress found:
- “The privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information.” The increasing use of computers and sophisticated information technology has greatly magnified the potential for harm to the individual.
- The misuse of certain information systems endangers opportunities for an individual to secure employment, insurance, and credit.
- The right to privacy is a personal and fundamental right protected by the Constitution of the United States.
- Protections were extended to any records containing individually identifiable information including but not limited to:
- Education
- Financial Transactions
- Medical History
- Criminal History
- Employment History
- Photographs
- Fingerprints
- Voiceprints
Right to Financial Privacy Act of 1978
This act limits when federal agencies may obtain a customer's records from a financial institution, a category that covers banks, industrial loan companies, trust companies, savings associations, building and loan companies, credit unions, and consumer finance institutions. Its focus is financial transactions. Its importance lies in its concentration on a specific industry, and this "industry-specific" model is replicated in the contemporary age.
An influx of state laws followed the example set by these acts, and various professions, including banking, medicine, legal, and accounting, have established a Code of Ethics. These ethical guidelines govern how information is utilized and are rooted in legal principles. The laws introduced penalties such as actual damages, punitive damages, and even imprisonment. Despite this, there was a notable absence of thorough investigation and enforcement. This lack of action created a scenario where privacy rights received only casual consideration from most stakeholders.
California v. Greenwood (1988)
The United States Supreme Court's decision in California v. Greenwood helped define privacy rights as they relate to material discarded as trash. Police had searched garbage bags Greenwood left at the curb without a warrant, found evidence that incriminated him in a crime, and that evidence was used to obtain a conviction. He claimed that he was the victim of an unlawful search and that his privacy rights had been violated.
In its ruling, the Supreme Court held that there is no reasonable expectation of privacy in trash left in an area accessible to the public. It further stated that it is common knowledge that garbage left at the curb is readily accessible to animals, children, scavengers, snoops, and other members of the public.
At least seven types of people are known to go through your trash:
- Criminals
- Investigators
- Journalists
- Scavengers
- Competitors and their agents
- Trash hauling companies
- Law Enforcement
Bringing this up to date, people now also know that some trash is sorted by waste management companies for recyclables and that identity theft often results from "dumpster diving." In fact, at a recent privacy convention held in New York City, it was noted that the cannon fodder for the class action suits of the future would come from confidential information found in the trash of well-heeled organizations. The legal exposure of someone who claims that confidential materials were inadvertently discarded as trash is great, especially in the absence of an established document destruction program.
The Modern Era of Privacy Protection Legislation
Privacy protection is experiencing a rebirth in legislative activity. The runaway crime of “identity theft” is largely responsible for causing a groundswell of interest in the electorate and hence in our state and federal politicians. “Identity theft” also has a connection to national security issues and controlling it may become “a matter of life and death.” Here are a few of the major initiatives.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA covers health plans, healthcare clearinghouses, and healthcare providers. It established national standards for the protection of health information and a timetable for implementation. Enforcement includes civil and criminal penalties. The Department of Health and Human Services is responsible for enforcement.
Economic Espionage Act of 1996
This act makes the theft of trade secrets a federal crime and helps companies recover from losses caused by industrial espionage by interstate or foreign competitors. Criminal prosecution is brought by the Justice Department; since the Defend Trade Secrets Act of 2016 amended it, the trade secret owner can also bring a federal civil suit. One requirement of the act is that information only qualifies as a trade secret if its owner has taken reasonable measures to keep it secret. This implies that information thrown in the trash is unlikely to be treated as a trade secret, and a prosecution built on it is unlikely to succeed.
Gramm-Leach-Bliley Act of 1999
This act sets rules for how financial institutions handle customers' non-public personal information and for the privacy notices they must issue. Under the GLB Safeguards Rule, institutions must maintain adequate administrative, technical, and physical safeguards for that information. The FTC is responsible for enforcement at institutions not supervised by another financial regulator.
Fair Credit Reporting Act of 1970
Promotes the accuracy of consumer reports and restricts who may obtain them and for what purpose, in order to protect the privacy of the information they contain.
Sarbanes-Oxley Act of 2002
The law makes it a federal crime to destroy or falsify records in order to impede a federal investigation, and it requires auditors to retain their work papers. That raises the stakes for record disposal: an organization needs formal rules for what information must be securely retained, for how long, and what information can be destroyed, and must be able to show that destruction followed those rules rather than being timed to avoid scrutiny. The law also raises the bar for oversight and for publicly reporting known problems.
Fair and Accurate Credit Transactions Act of 2003 (FACTA)
This act expanded several FCRA provisions to protect victims of identity theft and gave consumers the right to one free credit report per year. The FTC is responsible for enforcement. Its Disposal Rule requires disposal practices that are reasonable and appropriate to prevent unauthorized access to, or use of, information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
- reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
- obtaining information about the disposal company from several references;
- requiring that the disposal company be certified by a recognized trade association;
- reviewing and evaluating the disposal company’s information security policies or procedures.
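The second bullet above is where electronic disposal most often goes wrong: deleting a file removes its name from the directory, not its bytes from the medium, so the information can still be read or reconstructed. The following added example (not code from the original article or from Shred Nations) shows the difference on a deliberately simplified toy disk: a byte array split into blocks plus a directory that maps file names to blocks. The disk layout, the file names and the consumer-report extract with its made-up social security numbers are all constructed for the demonstration; the behaviour it models (unlink leaves data in place until something overwrites it) is how real file systems behave.

```python
"""Added example: why 'delete' is not 'destroy' for electronic records.

ToyDisk is a constructed stand-in for a real file system: an image of
fixed-size blocks plus a directory (metadata) that names which blocks a
file occupies. Nothing here touches real storage.
"""
import re

BLOCK_SIZE = 64


class ToyDisk:
    def __init__(self, n_blocks: int) -> None:
        self.image = bytearray(n_blocks * BLOCK_SIZE)   # the data blocks
        self.directory: dict[str, list[int]] = {}      # name -> block list
        self.free = list(range(n_blocks))               # unallocated blocks

    def write_file(self, name: str, data: bytes) -> None:
        """Allocate blocks and copy the data into them."""
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE]
            b = self.free.pop(0)
            start = b * BLOCK_SIZE
            self.image[start:start + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def delete_file(self, name: str) -> None:
        """An ordinary 'rm': drop the directory entry and mark the blocks
        free. The bytes stay on the medium until something overwrites them."""
        self.free.extend(self.directory.pop(name))

    def sanitize_file(self, name: str) -> None:
        """Destroy the content before unlinking: overwrite every block the
        file occupies with a fixed pattern (an overwrite 'clear' of the kind
        NIST SP 800-88 describes), then remove the directory entry."""
        for b in self.directory[name]:
            start = b * BLOCK_SIZE
            self.image[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def carve_ssns(self) -> list[str]:
        """What a 'dumpster diver' with a raw image of the medium does:
        ignore the directory and scan every byte for SSN-shaped strings."""
        hits = re.findall(rb"\b\d{3}-\d{2}-\d{4}\b", bytes(self.image))
        return [h.decode("ascii") for h in hits]


# Constructed sample consumer-report extract; the SSNs are not real.
REPORT = (
    b"Consumer report extract\n"
    b"Name: J. Doe  SSN: 123-45-6789\n"
    b"Name: A. Roe  SSN: 987-65-4321\n"
)


def demo() -> dict[str, list[str]]:
    """Compare what a carver recovers after 'rm' versus after overwrite."""
    deleted = ToyDisk(n_blocks=8)
    deleted.write_file("report.txt", REPORT)
    before = deleted.carve_ssns()
    deleted.delete_file("report.txt")          # name gone, data still there
    after_delete = deleted.carve_ssns()

    sanitized = ToyDisk(n_blocks=8)
    sanitized.write_file("report.txt", REPORT)
    sanitized.sanitize_file("report.txt")      # data overwritten, then unlinked
    after_sanitize = sanitized.carve_ssns()

    return {
        "before": before,
        "after_delete": after_delete,
        "after_sanitize": after_sanitize,
    }


if __name__ == "__main__":
    for stage, ssns in demo().items():
        print(f"{stage:15s} recoverable SSNs: {ssns}")
```

Running it shows both SSNs recoverable after the plain delete and none after the overwrite. The caveat a practitioner should add is that a software overwrite is only trustworthy on media that write in place; on SSDs and other flash storage, wear-levelling can leave copies in blocks the file system cannot address, so for media that leaves your control the Disposal Rule's "cannot be read or reconstructed" standard is better met by cryptographic erase of an encrypted volume or by physical destruction of the device.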
Just about every state has passed, or is passing, laws to protect privacy. Even at the federal level, additional new laws, such as the "Comprehensive Identity Theft Protection Act" sponsored by Senators Schumer and Nelson, have been introduced in the U.S. Senate. Some states, California and Georgia among them, are being particularly aggressive, and their new laws require organizations to notify the people affected after a security breach of their personal information.
The message should be crystal clear: private and confidential information should no longer be disposed of in the trash. You must destroy it using a reliable process as soon as the law allows.
Keep in Compliance with Document Destruction Laws with Shred Nations
Shred Nations offers a variety of document destruction services that will help keep you in compliance with all of the laws above. Call us at (800) 747-3365, fill out the form, or use the live chat to start your project today. We are happy to answer any questions you have. You will have peace of mind that you are keeping compliant.