Test Your Knowledge of… Federal Document Destruction Regulations

Topics: Govern Information | Secure Shredding

Though you may be tempted to keep every scrap of your firm’s paper and e-docs, you know that’s not a sound records-management strategy from a compliance standpoint. So how should you destroy what you don’t need? Test your regulatory smarts with this quick quiz:  

Information privacy and data-integrity protections are essential to the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX). But did you know that both regulations are among a handful of Federal acts with records-destruction guidelines?

A working knowledge of the government’s guidelines for records privacy and destruction can help you better maintain your business. So why not test your document-management wits with these ten pertinent questions?

1. The Fair and Accurate Credit Transactions Act of 2003 (FACTA) applies to the practices of…

  • a. banks, insurance companies, financial services companies and investment firms
  • b. public companies, their boards and accounting firms
  • c. lenders and credit card companies
  • d. all U.S. businesses that deal with sensitive information

2. The Sarbanes-Oxley Act calls for audit files to be retained…

  • a. 10 years
  • b. 7 years
  • c. 3 years
  • d. permanently

3. Which regulation recommends storing certain sensitive information in opaque bags in a secure area until it can be properly destroyed?

  • a. HIPAA
  • b. SOX
  • c. GLB
  • d. FACTA

4. Which of the following types of file contents should your company retain permanently?

  • a. mortgage notes
  • b. annual financial statements
  • c. insurance records
  • d. all of the above

5. Sarbanes-Oxley requires firms to destroy data by which of the following ways or face an 18-month jail term?

  • a. shredding
  • b. pulverization
  • c. degaussing
  • d. none of the above

6. Degaussing refers to which of these processes?

  • a. overwriting an e-file with neutral information
  • b. liquefying paper records
  • c. exposing electronic information to a strong magnetic field
  • d. applying a combination of non-toxic gasses

7. True or False: Healthcare providers are allowed to re-use or repurpose computers that once held sensitive information.

  • a. true
  • b. false

8. The civil penalty under FACTA is which of the following?

  • a. six-month probation period
  • b. $500 per consumer impacted
  • c. $1,000 per consumer impacted
  • d. a formal apology

9. Most regulations call for disposal plans that are:

  • a. reasonable and appropriate
  • b. foolproof
  • c. in line with government standards
  • d. varied, based on company size

10. Which of the following types of records is NOT required by Federal law to be retained in perpetuity?

  • a. corporate by-laws
  • b. stock certificates
  • c. board of directors meeting agendas
  • d. articles of incorporation

Iron Mountain Suggests:

Building Your Road to Retention
Purging your company’s extraneous information will save employees and other users countless hours searching for the right files.

Consider these guidelines as you develop an effective, format-agnostic retention policy:

Understand the rules. Learn the federal and state regulations that apply to your industry and your company’s records.

Know when to hold ‘em—and fold ‘em. Retention regulations vary by record type. The Sarbanes-Oxley Act puts a seven-year hold on audit materials. Similarly, employment and OSHA records are subject to a six-year hold. On the far end of the spectrum, you’ll need to retain fundamental records such as annual financial statements and general ledgers in perpetuity. Conversely, a well-scheduled disposition plan ensures proper record maintenance and protection.

Develop a policy that clearly articulates a set of records-destruction rules and takes these nuances into consideration:

  • Though shredding paper records is the most common means of their destruction, you can also incinerate, disintegrate or pulverize them.
  • Confirm the tech specs of your shredding method; regulations guard against the reconstruction of shredded materials.
  • You can destroy sensitive data on electronic media by overwriting it with non-sensitive information.
  • Degaussing, or exposing media to a strong magnetic field, adequately destroys electronic information, as does disintegrating, pulverizing, melting, shredding or incinerating it.

Educate and train employees. Make sure they know what’s expected of them. Establish a clear set of consequences—in writing—for violating records-protection policies.

Monitor compliance. Don’t just set a policy in motion; audit the process every step of the way.

Do you have more questions or concerns about your firm’s compliance with Federal records regulations? Read additional Knowledge Center stories on this subject, or Contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your information management challenges.

Answers: 1-c, 2-b, 3-a, 4-d, 5-d, 6-c, 7-a, 8-c, 9-a