By Luis Salazar, Elise Berkower, and Greg Dean
It seems that you cannot swing a credit report these days without hitting a local news crew covering a story about records carelessly thrown out in a local dumpster. In fact, a by-product of the sub-prime meltdown has been mortgage companies going out of business and leaving loan applications containing personal financial information in the trash. These stories are enjoying media attention because they rightfully concern consumers, who have an expectation that their private data are being safeguarded and not tossed in the garbage for anyone to grab.
But it must be troubling to business and privacy professionals, too, at least judging from the nearly 65 participants at a preconference session entitled "Data, Data, Everywhere: Transferring, Selling, Trashing, or Destroying Data" at the IAPP's annual Privacy Summit in March. The session covered the problem of disposing of data, both in the ordinary course of business and in the more complex situations presented by troubled companies and companies in mergers and acquisitions. Here, in a vastly more concise form, are some of the highlights and best practices offered during that session.
From a legal perspective, there are various federal and state laws and regulations that require records containing sensitive consumer information to be properly cared for and disposed of. More specific laws on the disposal of sensitive data apply, too. To start, many laws require financial institutions and other businesses to provide adequate security, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), as well as the security-related regulations issued in connection with them. The obligations imposed by these and similar laws do not end at the dumpster's edge. On the contrary, information must be safeguarded at all times.
In addition, there are other laws and regulations that focus on the disposal of sensitive information. For example, the Fair and Accurate Credit Transactions Act, or FACTA, directed the Federal Trade Commission (FTC) to enact rules and regulations governing the disposal of credit reports. In 2004, the FTC promulgated what has become known as the "Disposal Rule." The Disposal Rule requires businesses to take "reasonable measures" to protect against unauthorized access to, or use of, customer information in connection with its disposal, as well as other documents containing information derived from consumer reports.
As covered by the rule, "disposal" is a broad concept, which encompasses abandoning, selling, donating, or transferring any document or media containing consumer information. Thus, computer equipment, PDAs, and discs are included. "Reasonable measures" include conducting due diligence on a disposal company, ensuring that papers containing customer information are burned, pulverized, or shredded, and ensuring that electronic files or media containing customer information are properly destroyed or erased. Reasonable measures also include implementing policies and monitoring compliance to ensure the rule is followed.
States have also jumped into this area with different approaches. For example, the state of Texas requires businesses to "destroy or arrange for the destruction of customer records containing sensitive personal information." "Destroy" is further explained to be shredding, erasing, or otherwise modifying a document to make it unreadable. Other states, such as New York, have taken a more precise approach, requiring the destruction of documents that contain specific customer information, such as Social Security numbers, driver's license numbers, mothers' maiden names and account numbers.
Penalties for non-compliance can be significant, including injunctive relief barring further violations, post-violation auditing requirements, fines and, in some cases, criminal sanctions.
Regulators at all levels are strictly enforcing these laws. In December 2007, the FTC brought an enforcement action against American United Mortgage Company for failure to abide by the Disposal Rule, resulting in a fine of $50,000, obligatory initial and subsequent biennial assessment reports from a third-party auditor, and other compliance monitoring.
Likewise, the state of Texas has brought five separate enforcement actions under its own state law, mostly as a result of documents improperly disposed of in dumpsters.
Strategies for Compliance
Many garbage disposal companies began offering document destruction services as these disposal rules and regulations began to drive greater business demand. But garbage disposal companies are not in the security business, and they may fail to take measures necessary to meet the Disposal Rule or other legal requirements. Therefore, businesses must be certain to take careful steps to choose the right service provider and comply effectively.
To start, businesses should conduct due diligence before entering an agreement with the disposal company, and make sure to:
- Check References. Ask a potential service provider for references from reputable companies that use its services and make sure to check and document your contacts with those references.
- Check Certifications. The National Association of Information Destruction (NAID) has a Certification Program for Information Destruction Companies to ensure the quality of their disposal programs. Although not a guarantee, a NAID or similar certification is a strong sign that a company takes its responsibilities seriously. Additionally, in October 2008, New York Business Law 899-bbb will become effective. This law requires disposal companies to undergo criminal and other background checks as part of the process to obtain licenses authorizing them to conduct a disposal business.
- Conduct a Site Check. Consider visiting the disposal company's site. Is there security to prevent entering into the disposal area? Are logs kept? Are there security cameras? Is the unloading of documents—shredded or yet to be shredded—taking place out in the open, where the wind can blow them around the disposal yard? Much can be learned from a site visit during the due-diligence period.
- Ask for Written Policies. Ask your prospective disposer to provide copies of its internal policies regarding handling of documents to be shredded and their subsequent disposal.
- Read the Contract. Be sure to read the proposed service contract and understand what obligations the disposal company agrees to undertake, including the security level of shredding, subsequent recycling or disposing of the shredded material, indemnification and other provisions.
- Bonding/Insurance. Disposal companies should have adequate bonding and insurance in the event something goes wrong. Be sure to ask for the declaration page, demonstrating the validity of any insurance.
Once you have chosen a disposal dealer, there are still a number of internal steps businesses must take to ensure that the process works. Consider the following:
- Make Containers Convenient. Make sure to give your employees every reason to use the shredding disposal bin by making it as convenient as possible.
- Make it Enforceable. Proper disposal of sensitive documents is a vital part of your business. Make sure that compliance is mandatory and is clearly spelled out in your internal employee policies. Your policies should spell out levels of discipline, up to and including termination, for non-compliance. And of course, be certain to consistently enforce that policy.
- Establish the Chain of Custody. Businesses should specify individuals responsible for documents throughout the disposal chain of custody. That is, once documents are placed in the shredding bin, it should be clear whose responsibility it is to make certain that the documents are properly and securely transported to the next step in the process.
- Determine the Shred Size. Decide the level of security you wish to achieve in the shredding process. Low security, or simple strip-shredding, may not be suitable for many businesses. Instead, cross-cut, particle-cut, or "granulization"—each providing a greater level of disintegration—may be more appropriate. In Europe, there are specific "DIN" standards that apply.
- Obtain a Certificate of Destruction. Be certain to obtain a certificate of destruction from the disposal company confirming it disposed of the documents. That certificate is not a free pass, but obtaining it is evidence that the business is being diligent about its destruction process.
- Random/Regular Site Visits. Even after a disposal system is up and running and a business is regularly using a disposal service, it still makes sense to schedule random but regular site visits to your disposer. Once again, look for the same tell-tale signs of whether the job is being properly conducted—adequate security, backup papers strewn about the yard, and the like.
A similar due diligence and policy scheme should be enacted with electronic devices and media as well. Whether you are hiring a service for such disposal, or simply acquiring hardware and software to conduct the disposal internally, be sure to conduct adequate due diligence, establish policies to enforce disposal mechanisms, and audit your disposal efforts to ensure effective compliance.
An effective disposal program is an indispensable part of a business's data privacy efforts; not only will effective compliance ensure that applicable legal requirements are met, but it will prevent the potential damage from having shoddy disposal efforts broadcast on the evening news.
Luis Salazar, CIPP, is a shareholder with the law firm of Greenberg Traurig, and is a member of the firm's Data Privacy and Security Law Taskforce. Reach him at email@example.com.
Elise Berkower, CIPP, is Executive Vice President of Privacy Strategy at Chapell & Associates and can be reached at firstname.lastname@example.org.
Greg Dean, CIPP, is Information Security Director Associate at Freddie Mac and can be reached at email@example.com. Luis, Elise, and Greg were panelists for the "Data, Data, Everywhere" pre-conference session at the IAPP Privacy Summit, along with Deborah Marshall, a member of the board of ARMA International.