- Protect your own information.
- Protect your clients' privacy.
- Protect your employees' privacy.
Legal Requirements
Not only is it a good idea to shred sensitive documents; for most businesses, it is the law. All of the laws below describe a business's responsibility to safeguard sensitive documents.

Not only does the law dictate that sensitive materials must be disposed of properly, but businesses must also take care to pick a reputable shredding company. We would like to be your Indiana document destruction company. Please take a moment to check out our credentials, and then e-mail us for a prompt, free quote.

Below you will find some basic information about the laws that govern how a business MUST protect sensitive documents. Please use this as a guideline and allow us to work with you to come up with a document management plan.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires healthcare organizations in the United States to be responsible for the secure handling and storage of "protected health information".
The HIPAA legislation has three objectives:
- Reduce healthcare fraud and abuse
- Guarantee security and privacy of health information
- Enforce standards for health information
HIPAA Penalties:
HIPAA non-compliance can have devastating consequences for healthcare organizations. HIPAA applies criminal penalties to anyone violating the law – not just the company. Employees, business associates, and others who handle "protected health information" are all potentially liable for mishandling confidential information. A non-conforming organization, or individual, can be subject to severe fines and penalties, litigation and negative publicity. Non-compliance can result in the following penalties:
- Civil fines up to $25,000 / year
- Criminal penalties up to $250,000 and up to 10 years in prison (Information Management Journal 2003)
Examples of Items to Shred due to HIPAA:
- Patient Medical Records
- Billing Records
- Insurance Records
- X-Rays
- Prescriptions
- Personal Health Information
- Computer Disks and Hard Drives
Further information can be found at http://www.cms.hhs.gov/HIPAAGenInfo/
DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.
The Fair & Accurate Credit Transactions Act (FACTA)
Irresponsible handling of confidential and sensitive consumer data has long been cited as a contributing factor to identity theft. Confidential and sensitive data discarded by a business or institution provides a prime opportunity for a thief to access personal data. The well-known practice of "dumpster diving" is often cited by thieves themselves as the source of the data that allowed them to commit identity theft. Just ask any private detective what their standard charge is for "dumpster diving".

This law applies to virtually every person and business in the United States. It requires the destruction of all consumer information before it is discarded and imposes potentially severe penalties on violators. The Act states that "any person who maintains or otherwise possesses consumer information for a business purpose" must "properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal".

Reasonable measures are defined by the Act as "burning, pulverizing, or SHREDDING OF PAPERS containing consumer information". Alternatively, a company may enter into an agreement "with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule".

Both the Federal government and State governments are authorized to bring enforcement actions against violators of FACTA. Civil liability and class action lawsuits can also result in potentially severe financial penalties for violators.
Further information can be obtained online at http://www.ftc.gov/os/statutes/031224fcra.pdf
DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.
The Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) of 1999 requires all financial and banking institutions in the United States to describe how they will protect the security and confidentiality of consumer information in their possession.
Violations of GLBA:
If your organization is found non-compliant with GLBA, it could be subject to severe fines and class-action lawsuits.
GLBA Penalties:
- Fines of up to $100,000 for each violation
- The officers and directors of the financial institution could be subject to, and personally liable for, a civil penalty of up to $10,000
- Possible imprisonment for up to five years
The Gramm-Leach-Bliley Act applies to the following types of organizations:
- Banks
- Companies that operate travel agencies in connection with financial services
- Credit Unions
- Securities Brokers
- Real Estate Appraisers
- Retailers that issue their own credit cards directly to consumers
- Insurance Companies
- Other entities involved in financial activities
- Automobile Leasing Companies
Further information can be found online at http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.
The Identity Theft and Assumption Deterrence Act of 1998
The Identity Theft and Assumption Deterrence Act of 1998 addresses identity theft in two important ways:
- The Act strengthens the criminal laws governing identity theft. Specifically, the Act makes it a federal crime to knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.
- The Act provides for a centralized complaint and consumer education service for victims of identity theft.
The Act makes identity theft a Federal crime with penalties of up to 15 years imprisonment and a maximum fine of $250,000. It allows the identity theft victim to seek restitution if there is a conviction.
Further information can be obtained online at http://www.ftc.gov/os/2000/09/idthefttest.htm
DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.
The Privacy Act of 1974
This Act protects certain federal government records pertaining to individuals. In particular, the Act covers systems of records that an agency maintains and retrieves by an individual's name or other personal identifier (e.g., Social Security number or phone number).

In general, the Privacy Act of 1974 prohibits unauthorized disclosures of the confidential records the Act protects. The Privacy Act of 1974 does not protect the privacy of your records that are not maintained by the federal government (e.g., credit reports, bank account records and medical records). If the confidential records the Act protects are disclosed to outside parties, even by accident, that disclosure could be grounds for a lawsuit.
Further information can be found at http://www.ftc.gov/foia/privacy_act.htm
DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.
The Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act)
The Sarbanes-Oxley Act was signed into law on July 30, 2002 and introduced highly significant legislative changes to financial practice and corporate governance regulation. The act followed a series of very high-profile scandals, such as Enron. It is also intended to "deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders" (quote: President Bush).

The primary intent of the Sarbanes-Oxley Act is to force publicly held companies to promptly make available and maintain all meaningful business-related information in order to protect the investing public. While Sarbanes-Oxley requires the development and maintenance of detailed corporate financial information, cleansing computer systems of unnecessary files remains an essential task.

During the course of a lawsuit, when a plaintiff comes and says "Give me all your data", you have to give them all your data – both paper and electronic. Plaintiffs use these discovery processes to try to find out as much information as possible. According to Douglas Young, a lawyer at Farella Braun & Martel in San Francisco, "If records are destroyed in the normal course of business, it is very difficult to prove that anyone is trying to obstruct justice".

Properly documented disposal of paper and electronic records is absolutely essential in today's litigious society. Shredding Unlimited can provide you with a free consultation on how to establish a regularly scheduled document and media destruction program.
Further information can be obtained at http://www.sec.gov/rules/final/33-8183.htm
DISCLAIMER: This is only a brief summary of the law. Please consult a legal professional for more information on how the specifics of this law may apply to your business.