A Recap of Current Rules and Regulations Regarding the Protection and Destruction of Confidential and Sensitive Documents, by Shred-it San Diego:
FACTA contains extensive amendments to the Fair Credit Reporting Act and is designed to improve the accuracy and transparency of the national credit reporting system, to prevent identity theft, and to assist victims of identity theft. The Act contains provisions enhancing consumer rights in situations involving alleged identity theft, credit scoring, and claims of inaccurate information. It requires users of consumer reports to provide certain information to consumers who are offered credit on terms that are materially less favorable than the offers the creditor makes to a substantial portion of its consumers. Companies that share consumer information among affiliated companies must provide consumers with notice and an opt-out provision for the sharing of information if this information is to be used for marketing purposes.
This brief recap covers the latest information regarding legal and regulatory mandates, and the violations resulting from failure to comply with current laws and regulations pertaining to the protection and destruction of sensitive and confidential information.
"The Financial Modernization Act of 1999", also known as Gramm-Leach-Bliley (GLB Act) applies to every business with 100 or more annual transactions, and gives authority to eight (8) federal agencies and each state, to administer and enforce the Financial Privacy Rule, Disposal Rule and the Safeguards Rule contained in the FACT Act.
The FTC is the enforcement arm of the FACT Act - the Fair and Accurate Credit Transactions Act. This act affects virtually every business, even educational, medical and financial trusts; basically, this law says that "any record about an individual, whether in paper, electronic, or other form that is a consumer report (also known as a credit report) or is derived from a consumer report must be properly and prudently handled."
It requires any person or company that possesses or maintains such information to take "reasonable measures to protect against unauthorized access to, or use of the information in connection with its disposal."
This means that materials such as the following must be protected and destroyed at the appropriate time: confidential and sensitive consumer information and non-public information (NPI), including customer names, addresses, Social Security numbers, personal and work phone numbers, lease applications, credit reports, credit information and related consumer data.
The FTC is actively enforcing this Act in the following business segments:
Financial institutions - lenders and traditional financial institutions, insurance companies, banks and securities firms are the primary targets of enforcement. Also receiving scrutiny are auto dealers (leasing and financing departments, service and rental divisions), where auto rental agreements and the copies of drivers' licenses taken for test drives are of particular interest to the enforcers; mortgage brokers; real estate settlement companies; and those retailers who issue credit cards, gift cards or related items.
Service institutions - payday lenders, check-cashing services, professional tax preparers, accountants, and electronic funds transfer networks, as well as credit counselors, independent psychologists, and related service firms are also targets.
Note: The Federal Trade Commission (FTC) has launched a nationwide compliance effort to enforce GLB. This has resulted in charges against two mortgage companies for violating the Safeguards Rule, by not having reasonable protections in place for customers' sensitive personal and financial information.
What is The Safeguards Rule?
The Safeguards Rule is a part of the FTC FACT Act, and requires any organization that deals in financial information to have reasonable policies and procedures in place to ensure the security and confidentiality of customers' information. (Every person has the reasonable expectation that his or her information will be protected and disposed of properly - this is the 'prudent man' rule.) Nonpublic Information (NPI) is the starting point of this enforcement.
Shredding Policy
The Safeguards Rule further requires the gathering firm to have a written statement in place on how they handle confidential and sensitive material (shred it in-house, recycle it using an outside service, or shred it on-site or off-site using a professional service).
Note: In the case of in-house shredding, the rule states that a cross cut shredder must be used. In addition, a calendar showing shredding or recycling dates must be in the Shredding Policy.
A careful reading of this law implies that in the case of off-site shredding and recycling, a legal Document of Destruction can only be obtained if the off-site shredding and recycling process is observed by the firm's designated person. To comply with this portion of the law, every firm with more than one hundred (100) annual transactions must assign an executive to monitor all recycling and off-site shredding jobs.
The GLB Act is divided into several parts, called rules:
The Safeguards Rule
Again, this is the implementation arm of the act, and assures that the security requirements of the GLB Act will be met; all financial institutions are required to design, implement and maintain safeguards to protect customer information.
This rule applies not only to financial institutions that collect information from their own customers, but also to those institutions - such as credit reporting agencies - that receive data from other sources. Intended to be flexible so as to accommodate the wide range of entities covered by GLB, it requires financial institutions to specifically:
Design and implement a written statement regarding their information security program appropriate to the company's size and complexity, the nature and scope of its activities and the degree of sensitivity of the customer information it handles.
Each financial institution must also:
- Assign one or more employees to oversee the security aspects of their program
- Conduct a risk assessment of their data
- Establish safeguards to control the risks identified in the assessment and regularly test and monitor these safeguards
- Require service providers, by written contract, to protect customers' personal information
- Periodically update the security aspects of this program
The Disposal Rule
This rule covers what documents and materials to dispose of, and how this material is to be disposed of.
The new rule requires businesses to come into compliance by June 1st, 2005 by both adopting and implementing their own document destruction policies. Penalties for violating the rule include actual damages and statutory damages up to $1,000.00 per violation (with no cap on class action damages). In addition, attorney fees and civil penalties up to $2,500 may be assessed. Other examples of compliance with the new requirements include:
- Implementing and monitoring compliance with policies and procedures that require shredding or other forms of destruction of documents and electronic media containing consumer information
- Contracting with a third party to properly dispose of consumer information and monitoring their performance
For more information about the rule and business compliance requirements, visit www.ftc.gov
Proper procedures call for all off-site shredding or recycled material to be monitored and visibly checked to assure proper disposal. Proof of disposal cannot be by video, but must be by direct observation of material shredded off-site or recycled.
The Financial Privacy Rule
This rule covers what documents must be protected and how privacy is to be assured; the 'prudent man' rule as we have seen, applies in all cases of the privacy rule. "Chain of Custody" in the destruction of documents is also an important consideration of this law.
The Intellectual Property Protection Rule
This rule pertains to the protection and care of Intellectual Property, and also to trade secrets and sacrosanct information. It is vague in its requirements, but states that all schematics, illustrations, blueprints, drawings, photographs, written descriptions or oral representations of old products that are sold as new or improved must be destroyed at the appropriate time.
The Complaint Process
The complaint process for 'articulating' a procedure or violation investigation, which can result in a fine being levied, or other punishment, is somewhat nebulous. It starts with a complaint, often generated by an FTC Inspector; a person or persons (or parties) may also institute a proceeding if he or she has reason to feel they have been 'injured' in some way.
Notification of the complaint is by letter, or by 'pre-determined delivery' (perhaps the famous pink slip we've heard about at automobile dealerships?); the complaint states the Commission has "reason to believe" that the law has been, or is being, violated and the Commission is proceeding in the public interest to pursue a remedy.
The complaint is not a finding or ruling that the respondents have actually violated the law; it only marks the beginning of a proceeding in which the charges are 'articulated' and the allegations ruled upon after a formal hearing.
Enforcement actions for violations are still pending in many recent cases. Fines have ranged in the $2,500-plus area; auditing of Human Resources transactions for four years (in the case of the two mortgage firms found guilty of violating the Rule) is a frequent outcome of this law. This auditing can be for 10 years or indefinitely if I read the provision correctly. Fines that were assessed on big-name violators such as Providian Credit Processing, Algonquin Lending, and Saturn, a Division of General Motors, are on appeal by the firms involved.
In more drastic violations, punishment may mean curtailment of all business transactions and fines of up to $11,000 a day. This law is being enforced now, and further expansion of such enforcement is guaranteed.
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
This law primarily applies to the medical and related industries, and is wide-ranging in scope. The Center for Medicare & Medicaid Services (CMS) is responsible for implementing various unrelated provisions of HIPAA; therefore HIPAA and HIPAA compliance may mean different things to health workers in different disciplines.
Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs, but does not replace COBRA.
HIPAA Administrative Simplification
The Administrative Simplification provisions of HIPAA, Title II, require the Department of Health and Human Services (DHHS) to establish national standards for electronic health care transactions and 'national identifiers' for providers of care, health plans and employers. It also addresses the security and privacy of health data. The purpose in adopting these standards was to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange.
HIPAA Title I
In this paper, we are primarily interested in HIPAA Title I, although in referring to this legislation the term Title I is seldom used; thus HIPAA has become the common usage term. This legislation requires the Department of Health and Human Services to establish national standards for the protection of 'hard copy' documents covering all health care transactions and national identifiers - providers, health care plans and medical and medical-related employees - and primarily states that data regarding patients (or potential patients) must be protected, and destroyed appropriately by a professional document destruction firm.
Or, if done in-house, it must be in accordance with an approved shredding policy; off-site shredding or recycling does not have to be monitored, but the firm doing the off-site shredding and recycling must be well-established and reliable.
The material to be protected and destroyed includes, but is not limited to the following:
Account data, cancelled checks, names, addresses, Social Security numbers, prescriptions, employee information, insurance records (including beneficiaries), diagnoses, drug treatment, therapies, old contracts, patient billing particulars, sales information, shipping data, visitor logs, family members, medical histories and related information. Also, "Chain of Custody" must be maintained.
This law pertains to the following medical and health-related firms:
Health providers, ambulatory surgical centers, ambulance services, clinical labs, durable medical equipment suppliers, end stage renal disease facilities, Federally Qualified Health Centers, health plans, health clinics, physicians, medical carriers, potential contact centers, pre-employment drug screening programs, skilled nursing centers, health care suppliers, hospices, hospitals, home health care facilities and information technology suppliers.
California Privacy Act
This California law is the strictest of the state laws pertaining to individual privacy. It primarily covers nonpublic information (NPI) such as:
Account data, banking records and information, Social Security numbers, cancelled checks, copies of checks, copies of driver's licenses; customers' addresses, names and phone numbers (land lines and cells); contracts, educational records, employee records, insurance information, lease and loan specifics, medical records, obsolete or outdated personnel records, billing information, payroll records and information, Purchase Orders and shipping data.
While no mention is made of shredding, it does state that documents must be properly handled and destroyed within the appropriate time frame.
This law recently has come under continuous fire because of its vagueness on issues about what information is required by banks and financial institutions in order to cash checks and accept deposits on foreign and out of state banks or to finalize money transfers. Because of this, some law enforcement agencies and financial oversight committees say it encourages real or potential money laundering scenarios.
Economic Espionage Act - (EEA)
Computer Crime and Intellectual Property Section (CCIPS) - This act is an outgrowth of the Homeland Security Act, and is intended to discourage (or identify) terrorism and espionage by those entities and individuals 'un-friendly' to the United States. This law too is wide-ranging, and definitions are often lacking. For example, what is the definition of an 'unfriendly' act? Is an e-mail, fax or phone call describing the U.S. as 'The Great Satan' sufficient evidence that the person who originated the communication is 'un-friendly' toward the U.S.? Would a conversation about bombs and how to make them between college professors of Middle Eastern origin be considered 'un-friendly'?
This act specifically states that the firm gathering the information must protect it, and that the material must be disposed of in the normally proper ways. This law states that the following material must be destroyed appropriately:
Account data, Social Security numbers, cancelled checks, copies of checks, banking addresses, including passwords or identifying numbers, customer's names, addresses, financial contracts (including drafts), educational records (including courses taken and grades obtained), employee and personnel information, types of insurance and insurance policies (including dependents), business and personal loan info, medical records, obsolete Records, billing info, payroll info, Purchase Orders, shipping data.
Trade Secrets
This act served as a model for the Homeland Security Act. The term 'trade secret' means all forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes - tangible or intangible - compiled, memorialized physically, electronically, graphically or photographically, stored or not, or in written form.
This Act is wide-ranging as to legislative intent, areas covered (all business firms with as few as 100 business transactions per year, as in the FACT Act), and information categorized. Materials to be protected and destroyed include, but are not limited to, the following:
Computer hard drives, improved prototypes, line drawings, superseded formulas, financial projections, Business Plans, Sales Plans, Commission or Compensation schedules, tax records, Critical Path Assembly methods or other methods of assembly, drawings, architectural renderings, prototype drawings, verbal product descriptions, meeting notes and related documents. In addition, all account data, banking records and documents of transactions; cancelled checks, copies of checks, addresses of all payees, customers' names and contracts; Social Security numbers, employee and personnel records, insurance information (including amounts covered and dependents named), personnel information, medical records, obsolete, inactive or delayed records, account billing information, payroll specifics, Purchase Orders and shipping data are included. "Chain of Custody" is a very important part of the enforcement of this law.
Sarbanes-Oxley
While this law is keyed toward the publicly traded company and is intended to fight such investor fraud excesses as those that occurred at Enron, Tyco, HEALTHSOUTH and other firms, many privately funded financial, religious and medical trusts, such as Kaiser-Permanente and the Southern Baptist Convention, have voluntarily agreed to be governed by Sarbanes-Oxley Rules.
As far as document destruction is concerned, the actual terms 'document destruction' and 'shredding' are not used in the wording of the act, but 'destroyed' is, as in: "all destroyed documents must conform in intent and purpose with this act."
The 'prudent man' rule is specifically mentioned: "The 'prudent man' rule is expanded by this act." Chain of Custody is an unerring guideline.
THIS PAPER IS NOT INTENDED TO SERVE AS A LEGAL DOCUMENT. WE ARE NOT ATTORNEYS, NOR IS THE INFORMATION IN THIS WHITE PAPER PRESENTED AS A LEGAL OPINION IN ANY WAY. INSTEAD, IT IS OUR VIEWPOINT ON CERTAIN NEW LAWS AND REGULATIONS AS THEY APPLY TO THE DOCUMENT DESTRUCTION INDUSTRY. NO LEGAL STANDING IS TO BE GIVEN OR WAS INTENDED IN COMPILING THIS DOCUMENT. IF YOU WISH A LEGAL OPINION, PLEASE FEEL FREE TO CONTACT YOUR OWN ATTORNEY.
Who is Shred-it?
Shred-it has been setting shredding industry standards for 15-plus years, serving more than 120,000 clients worldwide, with 130 branch offices on five continents. (Many analysts credit Shred-it with starting the on-site shredding industry.) Shred-it San Diego is the first confidential, mobile on-site document destruction franchise in the United States. Locally, we serve an ever-increasing client base of 4,000-plus business firms in San Diego and Orange counties. We operate a fleet of 16 high-speed shredding trucks with 20 Customer Service Representatives, and we are one of the largest paper recyclers in San Diego County. At present we employ 34 sales and support personnel.
Why is on-site shredding better than off-site?
It is not a matter of better or worse, but really a matter of confidentiality and security of information. Most business entities generate information that is of value to their competitors. This sacrosanct information and other nonpublic information (NPI) has names, addresses, Social Security Numbers, credit records and other data that would be harmful to the business (employee or customer) if it fell into the wrong hands. With an off-site shredding or recycling service, once your documents leave your location, you can never be sure of how this material is handled, or who may have access to it. (Some off-site recycling firms never shred material, but instead separate it by color, bale and recycle it.)
The FTC Safeguards Rule of the GLB Act requires firms that use off-site recyclers to personally monitor this process; documents of destruction issued without this safeguard have no legal value.
With our professionals, your documents are shredded on-site in a caged, secure environment; our CSRs never see the documents as they are turned into confetti-sized pieces of paper, therefore the odds that these documents may be compromised are virtually non-existent.
What is a Shredding Policy?
A shredding policy is a written procedure that highlights how the company will dispose of sensitive and confidential material. The FTC Safeguards Rule of the GLB Act states that the company must:
1. Design and implement a written statement regarding their information security program appropriate to the company's size and complexity, the nature and scope of its activities and the degree of sensitivity of the customer information it handles.
2. Each financial institution must also:
- Assign one or more employees to oversee the security aspects of their program
- Conduct a risk assessment of their data
- Establish safeguards to control the risks identified in the assessment and regularly test and monitor these safeguards
- Require service providers, by written contract, to protect customers' personal information
- Periodically update the security aspects of this program
Does Shred-it San Diego conduct background checks on its employees?
Yes. All our employees, including our Customer Service Representatives undergo stringent background checks including Criminal, Drug and Driving Records. All employees are subject to on-going random drug and alcohol testing. Each CSR is bonded and insured.
What type of shredders do you use?
We utilize truck mounted industrial-size crisscross shredders to reduce documents to confetti. The average size of these pieces is 5/8", which provides far greater security than conventional strip-cut shredders. In addition, in the normal process of shredding other jobs, your shredded material becomes mixed in with other shredded material so it is impossible to reconstruct your documents once we have shredded them.
What constitutes confidential or sensitive information?
Confidential and sensitive material is any document that contains nonpublic information (NPI) which could be linked to a particular company, organization or individual. This includes, but is not limited to, such information as Social Security Numbers, account numbers, names, addresses, banking or financial records, meeting notes and product prototypes. Included in this category is any material which may be of interest to competitors. Some examples of this material include:
- Customer lists
- Sales statistics
- Financial records
- Pay roll records
- Personnel files
- Legal documents
- Cancelled Checks
- Account records
- Computer printouts
- Medical Records
- Advertising misprints
- Inventory lists
- Memos & correspondence
- Tax records
- Invoices
- Price lists
- Outdated business records
- New product drawings
- New product proposals
- R & D information
- Credit card receipts
- Competitive information
How is the material we wish to shred stored?
Shred-it San Diego will provide as many locked furniture-quality consoles free of charge as you may need. These consoles are located strategically throughout your business. The material you wish to shred goes into the console through a slot, where it falls into a specially designed bag within the console. On a pre-determined schedule, our CSR unlocks the console, removes the bag, re-locks it and takes the material to the truck where it is shredded. (Our trucks can shred up to 2,000 pounds of material in an hour.) A designated person in your organization has a key to open your consoles should the need arise.
How do I prepare my documents for shredding?
No preparation is necessary. There is no need to waste your valuable time removing paperclips, staples, binder clips or separating paper by color or size.
We store our records so why do we need a shredding service?
Document management represents an increasingly complex challenge to today's business. Document storage fees are rising, as is the cost to retrieve needed documents. An effective document management program takes into consideration the length of time records are useful to the business, as well as the legal requirements of how long documents are to be retained. (See our Document Retention Schedule.) Once this period has passed, the only acceptable way of discarding documents is to use a method that ensures their complete destruction. That is exactly the method we use. With the increasing demands for privacy assurance required by the latest laws and regulations (FTC FACT Act, HIPAA, etc.), every firm should adopt a Shredding Policy. Finally, with our service we provide you with a "Document of Destruction" showing the exact date and method of destruction. Shredding is a wise and prudent course of action that meets all legal requirements.
What size shredding jobs do you accept?
With our professionals, no job is too large or too small. We service accounts from Main Street America to major international firms, to the local industrial park.
We have offices in several locations, can you service all of them?
Yes. Our National Accounts Program offers centralized management of your document destruction needs no matter where your other offices are located.
Do you educate employees on legislative policies and procedures?
Yes. We maintain an in-house training department devoted to keeping our people current on all aspects of our business. In addition, from time to time we produce White Papers that treat certain topics in depth; "How to Avoid Identity Theft: Protecting Your Good Name" is one example. Our Identity Theft Slide Chart has proven quite popular with law enforcement personnel and the legal profession.
Our health care clients are provided a password protected URL which covers HIPAA and other laws. For non-health care accounts, we provide equally specific information.
In addition, we have a variety of videos, training aids and 'In Service' material designed to keep you informed on the latest legislative policies and procedures.
How often do your employees undergo training?
In one sense, the training of our people never stops at Shred-it San Diego. Our CSRs attend a monthly breakfast that features instruction in safety, security and workplace procedures. Representatives of our International Office conduct comprehensive field training with our Management staff; both our General Manager and sales personnel undergo refresher training at corporate locations yearly. Our salespeople attend a product knowledge workshop monthly. All this means that we are training our staff on every aspect of our business on a continual basis.
How do you assure that your shredding process is secure?
We observe "Chain of Custody" document security procedures at all times. All shredding is done on-site in a secure, enclosed environment within our truck. Vehicle doors are locked when the truck is not in service. Console contents are emptied 'sight unseen' directly into the shredder. You may observe this process if you so desire.
What guarantee do I have that my documents are completely destroyed?
At the completion of each shred, our CSR issues you a Certificate of Destruction. This is a legal document issued to every client that provides irrefutable evidence that each document was completely destroyed.
What happens to the paper after it has been shredded?
The destroyed documents, now the size of confetti, are transferred to our recycling facility where they are baled and sold to paper mills. They return to the marketplace as household paper products.
How often do you come to shred?
Your individual business needs dictate our shredding schedule. Some firms produce enough sensitive and confidential documents that we perform shredding services three times a week; other customers may require only monthly service. Sometimes, a firm may only need a 'purge' of materials every six months or once a year. Your contact person and our Account Manager will work out the ideal schedule for you. Since there are no long-term contracts to sign, no up-front money is needed to begin service, and we only charge for actual shredding time, the frequency of your service can be modified as service needs dictate.
What happens if our container is full before the regularly scheduled service time?
We are only a phone call (or e-mail) away. Our sole purpose is to serve you. We're glad to schedule an extra pick-up, or provide you with additional consoles, or increase your service frequency. The idea is to maintain the security of your material, while making your life easier.
When do I receive my invoice?
Your invoice is presented to you 'live' immediately after each shred.
We use a recycler for our documents, so why do I need your services?
In today's ever-changing world, recycling of documents is plain dangerous. The FTC Safeguards Rule of the GLB Act requires that recycled materials be monitored for destruction. Recycling services are not designed to provide security. With a recycler, your material is transported in its entirety, so if an accident were to occur, your confidential information is open to everyone.
Depending on the amount of material generated, and the degree of sensitivity involved, any Document of Destruction issued by a recycling firm has no legal standing unless your designated person monitors the destruction of your material. Why risk a violation with fines ranging from $2,500 to $11,000 a day? (If environmental concerns are important to you, at year's end with Shred-it San Diego, you receive an Environmental Certificate showing how many trees your organization has saved.)
We have an in-house shredding machine, so why would I want to change to your service?
There are three reasons to change from in-house shredding:
1) Reduced cost
2) More productive workers
3) Improved morale
Research shows that when an employee is asked to abandon productive work for a non-productive chore such as shredding, morale suffers: egos are bruised, fingernails and clothing are frequently damaged; shredding machine breakdowns are common; productivity is compromised.
Note: A minimum wage employee earning $6.75 who spends 3 hours a week shredding more than pays for our minimum service. Plus, you get the peace of mind that comes with knowing you are meeting all regulations and laws and your documents are secure. (Here's the math: $6.75 an hour x 3 hours equals $20.25 a week in lost productivity; $20.25 a week times 4.2 weeks, the average number of weeks in a month, equals $85.05 a month!)