Know Your Records Disposal Responsibilities

How does your company dispose of sensitive information?

Are records containing personally identifiable information (such as medical records, financial or background check reports, and employment applications) thrown in the trash? Where do records go from there? Is the trash securely shredded or thrown into an unsecured dumpster? What about sensitive electronic information?

In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, the Fair and Accurate Credit Transactions Act, enacted in 2003, directed several federal agencies to adopt rules regarding the disposal of sensitive information.

The Federal Trade Commission’s (FTC) Disposal Rule became effective in 2005.

“The way in which your company disposes of sensitive information can have significant consequences on your business,” said Al Saikali, an attorney and co-chair of Shook Hardy & Bacon’s Data Security and Data Privacy Practice Group, based in Miami.

“Companies that fail to educate themselves and comply with these laws governing the secure disposal of sensitive information face significant risks of regulatory investigations, fines, potential civil lawsuits, bad publicity and brand damage,” he told SHRM Online. “Also, it simply makes good business sense that a company would want to ensure the security of [its] proprietary, consumer, employee and other sensitive information.”

Two companies learned this the hard way recently when they discarded personally identifiable information in unsecured dumpsters and were fined more than $100,000 by the FTC.

In October 2012, the FTC charged that PLS Financial Services Inc. and The Payday Loan Store of Illinois Inc. failed to take reasonable measures to protect consumer information, resulting in the disposal of documents containing sensitive personal identifying information—including Social Security numbers, employment information, loan applications, bank account information, and credit reports—in unsecured dumpsters.

According to the complaint filed by the FTC, the companies violated the agency’s Disposal Rule and the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop and use safeguards to protect consumer information.

The companies settled with the FTC after agreeing to pay a $101,500 fine and to establish what will likely be an expensive and comprehensive information security program, said Saikali. The program will include having regular independent, third-party audits every other year for 20 years and adopting a number of recordkeeping and compliance monitoring requirements, he said.

According to the FTC, the standard for the proper disposal of information derived from a consumer report is flexible and allows the organizations and individuals covered by the rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.

Although the Disposal Rule specifically applies to consumer reports and the information derived from consumer reports, the FTC encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures.

It should be noted that the rule does not specify for employers the length of time such records must be maintained or whether they must be destroyed at all.

FTC-recommended disposal practices include:

• Destroying or erasing electronic files so that consumer information cannot be read or be reconstructed.
• Shredding, burning or otherwise destroying paper documents so that consumer information cannot be read or reconstructed.
• Hiring a certified contractor specialized in document destruction after performing due diligence of the company’s operations and security policies.

Some experts recommend making a site visit to verify that a shredding plant has the security necessary for handling sensitive documents, but a visit can be cost- and time-prohibitive.

Saikali suggested that the hiring company at least build a provision into the service agreement giving it the right to audit the vendor’s security safeguards.

Employer Takeaways

First, you need to assess how your company disposes of sensitive information, Saikali said.

Next, you should identify the policies and procedures your company has adopted to ensure that sensitive information is disposed of securely. The law contains a subpart specifically focused on the implementation and monitoring of policies and procedures that deal with the destruction of materials. Make sure every employee is aware of how to handle, store and shred confidential information.

“Do your employees comply with existing policies and what ‘checks’ are in place to maximize compliance and minimize risk?” Saikali asked. “When was the last time you trained and reminded employees about the proper way to securely dispose of sensitive information? Do you know how your vendors and business associates, with whom you share sensitive information, are disposing of that information?”

If you are not sure whether your company’s safeguards meet the legal requirements for secure disposal, he said, it might be wise to retain counsel.

Roy Maurer is an online editor/manager for SHRM.

Follow him on Twitter @SHRMRoy.​