
Document Destruction: Shredding for the Law


To build a compliant shredding strategy, start by learning which federal and state regulations affect your business; then team with a trusted partner to comply. In the process, you’ll avoid headaches, lawsuits and stiff penalties.

Sometimes even the best of intentions can result in your business violating federal and/or state regulations. Consider this unfortunate scenario:

After completing a successful marketing promotion, your business starts to dispose of customer information—including partial Social Security numbers, email addresses and other identifying information—gathered during the campaign. But when the sole shredder suddenly burns out at 4:30 p.m., your time-crunched colleagues simply box up the folders and leave them for the cleaning crew.

What they can’t know is that a disgruntled employee who’s well acquainted with the contents of those files will take a bunch of them home instead. She’s got identity theft in mind. A nightmare now begins, from which your business may never escape—all because your team didn’t consider “life after disposal.” As a result, your company could be in violation of the Fair and Accurate Credit Transactions Act (FACTA) guidelines—and pay as much as $1,000 per affected customer.

Seven Million Reasons to Comply

A data breach is an expensive mishap. In fact, the average security breach costs $7.2 million, according to recent reports from the Ponemon Institute. This fact alone should be enough motivation to develop and maintain a sound compliance plan. If that’s not enough to keep you on your best data-management behavior, consider the $1 million fine and 10 years of imprisonment that can come your way for submitting a flawed certification of your company’s financial information under the Sarbanes-Oxley Act. And the consequences of noncompliance don’t end with federal rules; every state has its own laws regarding information privacy and data breaches. Flout them and you face stiff fines and prolonged lawsuits.

So how can you avoid these potentially lethal threats and achieve total compliance? When you simply shred everything as part of a comprehensive, well-monitored secure shredding program, you all but eliminate the risk of data breaches. However, you need to know the laws with which you must comply. And regulations are springing up or changing regularly. Take, for example, California’s Senate Bill 24, approved by Governor Jerry Brown on August 31, 2011, which details what a business must report to the state in the wake of a data breach.

Capitol Hill and Information Security

Information privacy and data-integrity protections, as well as basic records-destruction guidelines, are all part of the following federal regulations. Remember, size doesn’t matter when it comes to your regulatory responsibilities; even a small firm can violate one of these laws.

Health Insurance Portability and Accountability Act (HIPAA). This law takes aim at any organization that handles protected health information, including Social Security numbers, prescriptions and other medical records.

Fair and Accurate Credit Transactions Act (FACTA). The Fair and Accurate Credit Transactions Act of 2003, which applies to all creditors and credit reporting agencies as well as financial institutions with “covered” accounts, protects consumer information collected by lenders and credit card companies. It preempts state laws.

Sarbanes-Oxley Act (SOX). This much-publicized law governs all public companies in the U.S. and all accounting firms, as well as international companies with debt securities or equity registered with the Securities and Exchange Commission. SOX holds them accountable for financial practices and carries stiff penalties for noncompliance.

Gramm-Leach-Bliley Act of 1999 (GLB). The act lets financial institutions—banks, insurance companies, financial services companies and investment firms—consolidate their banking and investment offerings. It requires those companies to safeguard customer records. Penalties for noncompliance can reach up to $100,000 per violation.

The State of Local Regulations

Laws addressing proper information handling, records destruction and data breaches vary from state to state—each one has its own take on the topic. However, sometimes even knowing the details of your own state’s laws might not be enough. You must know the regulations for every state in which your company conducts business. Here’s a sampling of notable state laws:

  • Massachusetts 93I requires that paper records set for destruction be “either redacted, burned, pulverized or shredded.”
  • Georgia’s Senate Bill 475 levies fines ranging from $500 to $10,000 for failing to dispose of records containing sensitive information by shredding, erasing or rendering them otherwise unreadable.
  • California 1798.81, a general shredding law, instructs businesses to “take all reasonable steps to dispose, or arrange for the disposal, of customer records” that contain personal information when those records are no longer needed, “by, among other means, shredding.”
  • California Senate Bill 1386 was the first to shine the spotlight on businesses’ security breaches in the disposal process. Banks, credit card companies, insurance agencies and any other firms handling sensitive customer information must report any security compromises. Now, 45 other states have followed suit with bills of their own.

What does your state require? State government websites are a first stop for the lowdown on “data destruction regulations.” You can also ask your in-house counsel, if applicable, or search the official website of your state’s bar association for “regulatory guidelines and updates.”

The Benefits of Partnership

Clearly, there’s much to know about keeping your business on the right side of compliance laws—perhaps too much to manage comfortably. When you feel that compliance might be forcing you to take your eye off core business operations, bringing in a third party to help might make sense.

A trusted partner can bring mobile shredding units to your facilities and destroy documents under your oversight. Or that same partner can pick up files headed for the trash bin, then ferry them offsite to a secure location where they will be shredded, disposed of safely and sent off for recycling. Such teamwork not only ensures compliance with changing regulations, but also delivers additional benefits.

A well-designed shredding plan will effectively reduce the cost of storing excess records. What’s more, you can leverage your disposal plan into a companywide campaign to organize and index the information you’re keeping—an unexpected return on an already winning idea.


Iron Mountain Suggests:

When state regulators come calling, send in the shredders. Consider the following steps and safeguards when choosing a vendor.

  • Know the lay of the land. Learn the federal and state regulations that apply to your industry and your company’s records.
  • Don’t be shy: Interview your partner. You need to gauge the company’s knowledge of (and track record with) regulatory compliance guidelines.
  • Who’s behind its safer shredding? Your partner should show proof that its employees have background checks and security clearance. Look for a “triple-A” certification by the National Association for Information Destruction.
  • Tell them about it. Develop and distribute your records-destruction rules and regulations.
  • Leverage, leverage, leverage. A well-constructed shredding plan can spur even those departments not directly affected by compliance laws to consider eliminating unneeded records—and to better organize what they want/need to keep.

Do you have questions about secure shredding? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your specific challenges.
