For many Balcones Shred customers, shredding is about more than waste management and peace of mind: it is a matter of legal compliance.
Compliance matters because identity theft has reached epidemic proportions; the Federal Trade Commission estimates that nine million Americans have been affected.
In the interest of education and brevity, Balcones Shred has pulled together a list of eight essential laws and regulations tied to shredding: the Economic Espionage Act (EEA), the Fair and Accurate Credit Transactions Act (FACTA), the Gramm-Leach-Bliley Act (GLBA), HIPAA and the HITECH Act, the Red Flags Rule, the Sarbanes-Oxley Act (SOX) and Texas Shred Law 698 (HB 698). This is only a snapshot of what the law requires to protect your business, employees, customers and business partners.
Economic Espionage Act (EEA)
The EEA makes the theft or misappropriation of trade secrets a federal criminal offense. Taking papers from dumpsters outside offices, known as "dumpster diving", is a common tactic of commercial information brokers and foreign intelligence services alike: it consists of collecting and sorting through the trash that residences and businesses leave out for pickup. Taking that trash is not itself illegal. In California v. Greenwood (1988) the Supreme Court held that once an item is left out for trash collection there is no reasonable expectation of privacy in it, so the only reliable protection for a sensitive document is to destroy it before it enters the waste stream. Who is affected by the EEA: U.S. citizens and any business that handles sensitive or proprietary data in hardcopy form.
Fair and Accurate Credit Transactions Act
The Fair and Accurate Credit Transactions Act of 2003, also known as the FACT Act or FACTA, was signed into law on December 4, 2003. It amends the Fair Credit Reporting Act (FCRA) and contains a number of provisions intended to combat consumer fraud and related crimes, including identity theft. Of most relevance to shredding is the FTC's Disposal Rule issued under the Act, which requires anyone who maintains or possesses consumer report information for a business purpose to take reasonable measures to protect it from unauthorized access when it is disposed of; for paper records the rule cites burning, pulverizing or shredding so that the information cannot practicably be read or reconstructed. Because consumer reports are used for credit decisions, tenant screening and employment background checks, it is hard to imagine any business or organization that is not bound by this rule.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) of 1999 requires financial institutions that obtain nonpublic personal information in the normal course of business to develop safeguards that ensure the security and confidentiality of customer records and information and protect against unauthorized access to or use of those records. This covers secure storage, disposal and sharing of confidential information, and the FTC's Safeguards Rule issued under the Act requires a written information security program that addresses these risks. Who must comply with the Gramm-Leach-Bliley Act: banks and credit issuers, insurers, securities and investment firms, and other financial service providers.
2009 HITECH Act
The 2009 HITECH Act, a recent addition to HIPAA, adds another layer of scrutiny. It requires covered entities, and through them their business associates, to notify affected individuals and the Secretary of the U.S. Department of Health and Human Services of any breach of unsecured protected health information (PHI). The regulation defines unsecured PHI as health information that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through a technology or methodology specified by HHS. For paper records the specified methodology is destruction, so PHI that has been shredded or pulverized beyond reconstruction is "secured" and its loss is not a reportable breach, while intact patient records left in a dumpster are.
The Red Flags Rule
Although the rule took effect in 2008, it has been revised and the enforcement deadline has been moved several times; the current deadline is January 1, 2011. The Red Flags Rule is a U.S. federal regulation, issued under FACTA, that requires most businesses and organizations to develop and implement a written identity theft prevention program. The program must identify the warning signs ("red flags") of identity theft relevant to the organization's accounts, detect them in practice and respond to them, including verifying identity when a new financial or credit account is opened or when a change is requested on an existing covered account. The rule covers consumer accounts and other accounts for which identity theft is a reasonably foreseeable risk. Because of the broad definitions of "covered account" and "creditor", most businesses and organizations that accept payment for products or services after they are delivered are creditors under the rule and must comply; this reaches businesses in healthcare, finance, utilities, telecom, mortgage lending, auto dealerships and more. Those that only accept payment prior to or upon delivery are not creditors, regardless of how payment is accepted (cash, check or credit card). Note that the Red Flag Program Clarification Act of 2010 subsequently narrowed the definition of creditor: a business that merely defers payment, without obtaining consumer reports, furnishing information to consumer reporting agencies or advancing funds, is no longer covered.
Sarbanes-Oxley Act (SOX)
The Sarbanes-Oxley Act of 2002, also known as SOX, was enacted in reaction to a number of major corporate and accounting scandals that cost investors billions of dollars when the share prices of the affected companies collapsed and shook public confidence in the nation's securities markets. The legislation set new or enhanced standards for all U.S. public company boards, management and public accounting firms; it does not apply to privately held companies. SOX relates to shredding through records retention: Section 802 makes it a crime to alter, conceal or destroy records with the intent to obstruct a federal investigation, and requires auditors to retain audit or review work papers for at least five years from the end of the fiscal period (the SEC's implementing rule extends this to seven years). Financial records must therefore be held for the mandated period and destroyed only under a documented retention schedule.
Texas Shred Law 698
The Texas Information Disposal Act, House Bill 698 (HB 698), amends the Texas Business and Commerce Code to add document retention and disposal requirements. Specifically, it requires that business records containing "personal identifying information" be shredded, erased or otherwise destroyed before disposal. The Act took effect September 7, 2005. It applies to any Texas business that collects personal identifying information, whether from employees or consumers, and to all business records whether created before, on or after the date the Act took effect. The Act addresses the final stage of the Records and Information Management (RIM) process: destruction. Its aim is to ensure that any information that could be used to commit identity theft, including Social Security numbers, other government-issued identification numbers, financial account numbers (credit card numbers, checking account numbers, etc.), birth dates and email addresses, is securely destroyed.