Laws and Regulations
The state of Georgia has some of the nation's toughest laws against identity theft. Georgia introduced its first legislation on the subject in 1998, when it made identity theft a felony. The 1998 legislation was updated in 2002 through Senate Bill 475, which applies to nearly every business in the state. The bill requires companies to dispose of consumer information in a secure manner, and Section 10-15-2 lays out the acceptable methods of discarding sensitive records: "A business may not discard a record containing personal information unless it: (1) Shreds the customer's record before discarding the record; (2) Erases the personal information contained in the customer's record before discarding the record; (3) Modifies the customer's record to make the personal information unreadable before discarding the record; or (4) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer's record for the period between the record's disposal and the record's destruction." (Georgia Senate Bill 475 § 10-15-2). Of these options, the Georgia Stop Identity Theft Network recommends document shredding. Organizations found to have violated the code can be fined up to $10,000 (Georgia Senate Bill 475).
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, focuses on protecting consumer information held by financial institutions. Under the act, financial organizations must provide consumers with a copy of their information-sharing practices (a privacy notice), and consumers are given the right to opt out of having certain information shared with non-affiliated third parties. The act covers any organization that provides financial services or products to consumers. Financial institutions are also required to maintain a written protection plan that safeguards consumer information, and that plan must address the organization's record retention and document destruction policies. The Federal Trade Commission enforces the GLB Act; institutions that fail to comply with an FTC enforcement order may face civil penalties of up to $11,000 per violation (Gramm Leach Bliley Act of 1999).
The Health Insurance Portability & Accountability Act (HIPAA) was enacted in 1996 to protect patient information in the health care industry. The act requires organizations to safeguard what it defines as protected health information (PHI): any record that would personally identify a patient and could link that patient to a particular medical condition. Medical files, patient logs, insurance forms, and pharmacy records are all PHI. Organizations covered by HIPAA include health care providers, health insurance providers, pharmacies, and health care clearinghouses. HIPAA's Privacy Rule is the part most relevant to document destruction. Under the Privacy Rule, health care organizations must "protect the use, transmission and storage of individually identifiable health information including names, contact information, license numbers, account numbers, dates of birth and other information" (Health Insurance Portability & Accountability Act of 1996). Among other things, organizations must implement policies and procedures to ensure that information is not improperly disclosed, and they must put business associate agreements that meet HIPAA requirements in place whenever an outside party is used for services, including document destruction vendors. Criminal penalties, stated in full under section 1177 of the act, include but are not limited to fines of up to $50,000 and prison sentences of up to one year. To remain compliant, organizations are advised under the Privacy Rule to shred sensitive information before disposal; shredding is considered an appropriate safeguard against both intentional and unintentional disclosure of protected health information (Health Insurance Portability & Accountability Act of 1996).
The Fair & Accurate Credit Transactions Act (FACTA), enacted in 2003, is an amendment to the pre-existing Fair Credit Reporting Act. The amendment was intended to give organizations, regulators, and consumers the means to expand consumer access to credit, while also limiting identity theft and increasing the accuracy of consumer financial information. FACTA applies to any organization or individual that possesses consumer information obtained from a consumer report for a business purpose. Examples of industries covered by FACTA include the automobile industry, government agencies, mortgage brokers, and waste disposal companies. Unlike some of the legislation described above, FACTA contains a specific rule on information disposal. The rule reads: "Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." (Fair & Accurate Credit Transactions Act of 2003 § 682.3). The act outlines various penalties for noncompliance. Implementing a proper document retention and destruction plan helps organizations remain FACTA compliant (Fair & Accurate Credit Transactions Act of 2003).