Do You Know the Data Disposal Laws Affecting Your Business?
If your business creates, stores and uses personal data of any kind, you are required to comply with multiple federal and state laws that specify how you must handle and dispose of that data. Here are a few of the essential federal laws that will affect how your business handles personal data.
With the intention of protecting the privacy of consumer information and reducing the risks associated with identity theft and fraud, the Fair and Accurate Credit Transactions Act (FACTA) requires businesses to take appropriate measures when disposing of sensitive information from consumer reports. Consumer reports include credit reports, employment backgrounds, check-writing histories, credit scores, insurance claims, medical histories, and residential records.
Businesses that must comply with FACTA include:
- Consumer reporting companies
- Government agencies
- Mortgage brokers
- Automobile dealers
- Private investigators
- Debt collectors
- Those who obtain credit reports on nannies, contractors or tenants
- Third-party entities that maintain consumer report information on behalf of other organizations
“Proper disposal” means taking reasonable and appropriate measures to prevent unauthorized access to, or use of, personal information. These measures include:
- Hiring a reputable and compliant shredding contractor
- Destroying electronic files or media
- Burning, pulverizing, or shredding papers*
In 2022, the Sarbanes-Oxley Act (SOX) was enacted, establishing financial regulations and auditing for publicly traded companies. The purpose was to protect shareholders, employees, and the public from accounting errors and fraudulent financial practices. The law requires publicly traded companies to establish financial reporting standards that include:
- Safeguarding data
- Tracking attempted breaches
- Logging electronic records for auditing
- Ensuring compliance
The 1996 Health Insurance Portability and Accountability Act (HIPAA) is a federal law that set national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The three key rules of HIPAA are:
- The Privacy Rule, which restricts the extent to which medical records can be shared without explicit consent. It allows patients and authorized representatives to access their medical records.
- The Security Rule, which sets out the minimum standards for protecting electronic protected health information (ePHI).
- The Breach Notification Rule, which must be followed in the event of a breach. The Department of Health and Human Services’ Office for Civil Rights (OCR) must be informed within 60 days of the discovery of a data breach. If the breach affects in excess of 500 patients, the media must be informed as well.
Examples of common violations of HIPAA are:
- Getting hacked or phished
- Unauthorized access
- Lack of encryption
- Loss or theft of devices
- Sharing information
- Accessing PHI from an unsecured location
- Disposing of PHI without properly destroying it
*Don’t Do Data Disposal Alone
We certainly do not recommend burning documents or in-house shredding in general. Here are two articles that explain why:
You have so much to focus on in your business that knowing and complying with state and federal disposal laws may feel overwhelming. Partnering with a local, NAID AAA Certified shredding company will help you:
- Get and stay compliant with data privacy laws
- Prove that you are serious about protecting private information
- Dispose of paper documents and electronic data securely
- Prove your compliance with a Certificate of Destruction after each shredding service
ShredPro Secure is proud to be NAID AAA Certified, meeting the highest security requirements in the shredding industry. We serve businesses and residents in East Tennessee and southwest Virginia. We also provide drop-off shredding for your convenience. For more information or to book services, call us at 865-986-5444 or complete the form on this page. Our friendly shredding experts are standing by to help!