It’s the Law! A Synopsis of The FACT Act

A Recap Of Current Rules and Regulations Regarding the Protection and Destruction of Confidential and Sensitive Documents, by Shred-it San Diego

FACTA contains extensive amendments to the Fair Credit Reporting Act and is designed to improve the accuracy and transparency of the national credit reporting system and the prevention of identity theft while assisting victims of identity theft. The Act contains provisions enhancing consumer rights in situations involving alleged identity theft, credit scoring, and claims of inaccurate information. It requires users of consumer reports to provide certain information to consumers who are offered credit on terms that are materially less favorable than the offers the creditor makes to a substantial portion of its consumers. Companies that share consumer information among affiliated companies must provide consumers notice and an opt-out provision for sharing of information if this information is to be used for marketing purposes.

This brief recap covers the latest information regarding legal and regulatory mandates, and the violations resulting from failure to comply with current laws and regulations pertaining to the protection and destruction of sensitive and confidential information.

  1. “The Financial Modernization Act of 1999”, also known as Gramm-Leach-Bliley (GLB Act) applies to every business with 100 or more annual transactions, and gives authority to eight (8) federal agencies and each state, to administer and enforce the Financial Privacy Rule, Disposal Rule and the Safeguards Rule contained in the FACT Act.
  2. The FTC is the enforcement arm of the FACT Act (Fair and Accurate Credit Transactions Act). This act affects virtually every business, even educational, medical and financial trusts; basically, this law says that “any record about an individual, whether in paper, electronic, or other form that is a consumer report (also known as a credit report) or is derived from a consumer report must be properly and prudently handled.”

It requires any person or company that possesses or maintains such information to take “reasonable measures to protect against unauthorized access to, or use of the information in connection with its disposal.”

This means that materials such as confidential and sensitive consumer information and nonpublic information (NPI), including customer names, addresses, Social Security numbers, personal phone and work numbers, lease applications, credit reports, credit information and related consumer data, must be protected and destroyed at the appropriate time.

The FTC is actively enforcing this Act in the following business segments:

  1. Financial institutions - lenders and traditional financial institutions, insurance companies, banks and securities firms are the primary targets of enforcement. Also receiving scrutiny are auto dealers (leasing and financing departments, service and rental divisions); of particular interest to the enforcers are auto rental agreements and driver’s license copies used for test drives. Mortgage brokers, real estate settlement companies, and those retailers who issue credit cards, gift cards or related items are also under scrutiny.
  2. Service institutions - payday lenders, check-cashing services, professional tax preparers, accountants, and electronic funds transfer networks, as well as credit counselors, independent psychologists, and related service firms are also targets.

Note: The Federal Trade Commission (FTC) has launched (their wording) a nationwide compliance effort to enforce GLB. This has resulted in charges against two mortgage companies for violating the Safeguards Rule by not having reasonable protections in place for customers’ sensitive personal and financial information.

What is The Safeguards Rule?

The Safeguards Rule is a part of the FTC FACT Act, and requires any organization that deals in financial information to have reasonable policies and procedures in place to ensure the security and confidentiality of customers’ information. (Every person has the reasonable expectation that his or her information will be protected and disposed of properly; this is the ‘prudent man’ rule.) Nonpublic Information (NPI) is the starting point of this enforcement.

Shredding Policy

The Safeguards Rule further requires the gathering firm to have a written statement in place on how it handles confidential and sensitive material (shred it in-house, recycle it using an outside service, or shred it on-site or off-site using a professional service).

NOTE: In the case of in-house shredding, the rule states that a criss-cross cut shredder must be used. In addition, a calendar showing shredding or recycling dates must be in the Shredding Policy.

A careful reading of this law implies that in the case of off-site shredding and recycling, a meaningful Document of Destruction can only be obtained if the off-site shredding and recycling process is observed by the firm’s designated person. To comply with this portion of the law, every firm with more than one hundred (100) annual transactions must assign an executive to monitor all recycling and off-site shredding jobs.

The GLB Act is divided into several parts, called rules:

The Safeguards Rule

Again, this is the implementation arm of the act, and assures that the security requirements of the GLB Act will be met; all financial institutions are required to design, implement and maintain safeguards to protect customer information.

This rule applies not only to financial institutions that collect information from their own customers, but also to those institutions – such as credit reporting agencies – that receive data from other sources. Intended to be flexible so as to accommodate the wide range of entities covered by GLB, it requires financial institutions to specifically:

  1. Design and implement a written statement regarding their information security program appropriate to the company’s size and complexity, the nature and scope of its activities and the degree of sensitivity of the customer information it handles.
  2. Each financial institution must also:
    • Assign one or more employees to oversee the security aspects of their program;
    • Conduct a risk assessment of their data;
    • Establish safeguards to control the risks identified in the assessment and regularly test and monitor these safeguards;
    • Require service providers, by written contract, to protect customers’ personal information; and
    • Periodically update the security aspects of this program.

The Disposal Rule

This rule covers what documents and materials to dispose of, and how this material is to be disposed of.

The new rule requires businesses to come into compliance by June 1st, 2005 by both adopting and implementing their own document destruction policies. Penalties for violating the rule include actual damages and statutory damages of up to $1,000.00 per violation (with no cap on class action damages). In addition, attorney fees and civil penalties of up to $2,500 may be assessed. Other examples of compliance with the new requirements include:

  1. Implementing and monitoring compliance with policies and procedures that require shredding or other forms of destruction of documents and electronic media containing consumer information; and
  2. Contracting with a third party to properly dispose of consumer information and monitoring their performance.

For more information about the rule and business compliance requirements, visit www.ftc.gov.

Proper procedures call for all off-site shredding or recycled material to be monitored and visibly checked to assure proper disposal. Proof of disposal cannot be by video, but must be by direct observation of material shredded off-site or recycled.

The Financial Privacy Rule

This rule covers what documents must be protected and how privacy is to be assured; the ‘prudent man’ rule, as we have seen, applies in all cases under the privacy rule. “Chain of Custody” in the destruction of documents is also an important consideration of this law.

The Intellectual Property Protection Rule

This rule pertains to the protection and care of Intellectual Property (as the name implies), but also to trade secrets and sacrosanct information. It is vague in its requirements, but states that all schematics, illustrations, blueprints, drawings, photographs, written descriptions or oral representations of old products that are sold as new or improved must be destroyed at the appropriate time.

The Complaint Process

The complaint process for ‘articulating’ a procedure or violation investigation, which can result in a fine being levied or other punishment, is somewhat nebulous. It starts with a complaint, often generated by an FTC Inspector; a person or persons (or parties) may also institute a proceeding if they have reason to feel they have been ‘injured’ in some way.

Notification of the complaint is by letter, or by ‘pre-determined delivery’ (perhaps the famous pink slip we’ve heard about at automobile dealerships?); the complaint states the Commission has “reason to believe” that the law has been, or is being, violated and the Commission is proceeding in the public interest to pursue a remedy.

The complaint is not a finding or ruling that the respondents have actually violated the law; it only marks the beginning of a proceeding in which the charges are ‘articulated’ and the allegations ruled upon after a formal hearing.

Enforcement actions for violations are still pending in many recent cases. Fines have ranged in the $2,500-plus area: auditing of Human Resources transactions for four years (in the case of the two mortgage firms found guilty of violating the Rule) is a frequent outcome of this law. This auditing can be for 10 years or indefinitely if I read the provision correctly. Fines that were assessed on big name violators such as Providian Credit Processing, Algonquin Lending, Saturn, A Division of General Motors, are on appeal by the firms involved.

In more drastic violations, punishment may mean curtailment of all business transactions and fines of up to $11,000 a day. This law is being enforced now, and further expansion of such enforcement is guaranteed.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

This law primarily applies to the medical and related industries, and is wide-ranging in scope. The Center for Medicare & Medicaid Services (CMS) is responsible for implementing various unrelated provisions of HIPAA; therefore HIPAA and HIPAA compliance may mean different things to health workers in different disciplines.

Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs, but does not replace COBRA.

HIPAA Administrative Simplification

The Administrative Simplification provisions of HIPAA, Title II, require the Department of Health and Human Services (DHHS) to establish national standards for electronic health care transactions and ‘national identifiers’ for providers of care, health plans and employers. It also addresses the security and privacy of health data. The purpose in adopting these standards was to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange.

HIPAA Title I

In this paper, we are primarily interested in HIPAA Title I, although in referring to this legislation, “Title I” is seldom used; thus HIPAA has become the common usage term. This legislation requires the Department of Health and Human Services to establish national standards for the protection of ‘hard copy’ documents covering all health care transactions and national identifiers (providers, health care plans and medical and medical-related employees), and primarily states that data regarding patients (or potential patients) must be protected, and destroyed appropriately by a professional document destruction firm.

Or, if done in house, it must be in accordance with an approved shredding policy; off-site shredding or recycling does not have to be monitored, but the firm doing the off-site shredding and recycling must be well-established and reliable.

The material to be protected and destroyed includes, but is not limited to, the following:

Account data, cancelled checks, names, addresses, Social Security numbers, prescriptions, employee information, insurance records, including beneficiaries; diagnoses, drug treatment, therapies, old contracts, patient billing particulars, sales information, shipping data, visitor logs, family members, medical histories and related information. Also, “Chain of Custody” must be maintained.

This law pertains to the following medical and health-related firms:

Health providers, ambulatory surgical centers, ambulance services, clinical labs, durable medical equipment suppliers, end stage renal disease facilities, Federal Qualified Health Centers, health plans, health clinics, physicians, medical carriers, potential contact centers, pre-employment drug screening programs, skilled nursing centers, health care suppliers, hospices, hospitals, home health care facilities and information technology suppliers.

California Privacy Act

This California law is much the strictest of the state laws pertaining to individual privacy. It primarily covers nonpublic information (NPI) such as: account data, banking records and information, Social Security numbers, cancelled checks, copies of checks, copies of driver’s licenses; customers’ addresses, names and phone numbers (land lines and cells); contracts, educational records, employee records, insurance information, lease and loan specifics, medical records, obsolete or out-dated personnel records, billing information, payroll records and information, Purchase Orders and shipping data.

While no mention is made of shredding, it does state that documents must be properly handled and destroyed within the appropriate time frame.

This law has recently come under continuous fire because of its vagueness on what information banks and financial institutions may require in order to cash checks and accept deposits drawn on foreign and out-of-state banks, or to finalize money transfers. Because of this, some law enforcement agencies and financial oversight committees say it encourages real or potential money laundering scenarios.

Economic Espionage Act (EEA)

Computer Crime and Intellectual Property Section (CCIPS) – This act is an outgrowth of the Homeland Security Act, and is intended to discourage (or identify) terrorism and espionage by those entities and individuals ‘un-friendly’ to the United States. This law, too, is wide-ranging, and definitions are often lacking. For example, what is the definition of an ‘un-friendly’ act? Is an e-mail, fax or phone call describing the U.S. as ‘The Great Satan’ sufficient evidence that the person who originated the communication is ‘un-friendly’ toward the U.S.? Would a conversation about bombs and how to make them between college professors of Middle Eastern origin be considered ‘un-friendly’?

This act specifically states that the firm gathering the information must protect it and dispose of the material in the normally proper ways. This law states that the following material must be destroyed appropriately:

Account data, Social Security numbers, cancelled checks, copies of checks, banking addresses (including passwords or identifying numbers), customers’ names and addresses, financial contracts (including drafts), educational records (including courses taken and grades obtained), employee and personnel information, types of insurance and insurance policies (including dependents), business and personal loan information, medical records, obsolete records, billing information, payroll information, Purchase Orders and shipping data.

Trade Secrets

This act actually gave birth (served as a model) to the Homeland Security Act. The term ‘trade secret’ means all forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, tangible or intangible, compiled or memorialized physically, electronically, graphically or photographically, stored or not, or in written form.

This Act is wide-ranging as to legislative intent, areas covered (all business firms with as few as 100 business transactions per year, as in the FACT Act), and information categorized. Materials to be protected and destroyed include, but are not limited to, the following:

Computer hard drives, improved prototypes, line drawings, superseded formulas, financial projections, Business Plans, Sales Plans, Commission or Compensation schedules, tax records, Critical Path Assembly methods or other methods of assembly, drawings, architectural renderings, prototype drawings, verbal product descriptions, meeting notes and related documents. In addition, all account data, banking records and documents of transactions; cancelled checks, copies of checks, addresses of all payees, customers’ names and contracts; Social Security numbers, employee and personnel records, insurance information (including amounts covered and dependents named), personnel information, medical records, obsolete, inactive or delayed records, account billing information, payroll specifics, Purchase Orders and shipping data are included. “Chain of Custody” is a very important part of the enforcement of this law.

Sarbanes-Oxley (SOX, as we big rollers call it!)

What, oh what, does a law primarily designed to protect investors have to do with shredding of documents? It’s called ‘mission creep.’

While this law is keyed toward the publicly traded company and is intended to fight such investor fraud excesses as those that occurred at Enron, Tyco, HEALTHSOUTH and other firms, many privately funded financial, religious and medical trusts, such as Kaiser-Permanente and the Southern Baptist Convention, have voluntarily agreed to be governed by Sarbanes-Oxley Rules.

As far as document destruction is concerned, the actual terms ‘document destruction’ and ‘shredding’ are not used in the verbiage of the act, but ‘destroyed’ is, as in: “all destroyed documents must conform in intent and purpose with this act.”

The ‘prudent man’ rule is specifically mentioned: “The ‘prudent man’ rule is expanded by this act.” Chain of Custody is an unerring guideline.

What does all this mean? After carefully reading these laws, and remember, I am not an attorney, nor even a recovering attorney, my advice is, when in doubt, shred confidential and sensitive materials on site, with a third party firm that places security and confidentiality first, and which carefully observes Chain of Custody guidelines. That is it, pure and simple. I hope this information is useful in your daily contacts.

THIS PAPER IS NOT INTENDED TO SERVE AS A LEGAL DOCUMENT. WE ARE NOT ATTORNEYS, NOR IS THE INFORMATION IN THIS WHITE PAPER PRESENTED AS A LEGAL OPINION IN ANY WAY. INSTEAD, IT IS OUR VIEWPOINT ON CERTAIN NEW LAWS AND REGULATIONS AS THEY APPLY TO THE DOCUMENT DESTRUCTION INDUSTRY. NO LEGAL STANDING IS TO BE GIVEN OR WAS INTENDED IN COMPILING THIS DOCUMENT. IF YOU WISH A LEGAL OPINION, PLEASE FEEL FREE TO CONTACT YOUR OWN ATTORNEY.

Shred-it San Diego is the oldest on-site shredding franchise operation in the United States. We service 4,000-plus firms on a monthly basis from Highway 55 in Orange County south to the Mexican border in Chula Vista.

We operate a fleet of sixteen (16) high-speed shredding trucks, with 20 drivers and 35 employees. We own our baling and recycling facility, and are one of the largest recyclers in San Diego County.