Compliance Overview

Why is secure document destruction something I need to pay attention to?
Anyone dealing with corporate and customer files has to think about more than just storage and access: you also have to take into account increasingly stringent federal and state data privacy regulations. Concerns about privacy, security, and identity theft have led to a dramatic increase in laws related to data breaches and customer confidentiality, and they often call for severe fines or other penalties for noncompliance. It is the responsibility of business owners and managers to know the laws that apply to them, and put in place a document destruction program designed to ensure compliance.

Can’t I just throw away documents my business no longer needs?
No. Complying with regulations typically calls for document destruction, and simply discarding paper records leaves them — and you — open to the negative impacts of identity theft perpetrated by unscrupulous “dumpster divers.”

What methods are there for secure document destruction?
The Federal Trade Commission lists several examples of how information may be destroyed: businesses can, for instance, “burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed.” Based on these options, in just about all instances paper shredding will be the most convenient, cost effective, and environmentally sensitive alternative.

How can I be certain that all sensitive documents are properly destroyed?
One of the disposal measures the Federal Trade Commission highlights is to “hire a document destruction contractor to dispose of material specifically identified as consumer report information.” The complexity of the regulatory landscape makes this an attractive option for many businesses, since it frees up valuable staff time while offering peace of mind that the documents are being properly destroyed.

Are there other benefits of document shredding for my business?
Yes. In addition to compliance issues, a proactive approach to document destruction can keep valuable, sensitive information away from competitors. It can also be part of a comprehensive sustainability initiative: at A Shred Ahead, shredded material is sent to paper mills for use in recycled-content paper, which saves trees, water, electricity, and gasoline.

What kinds of business documents should I shred?
More than you might imagine. Everything from phone records and photographs to receipts and resumes: any papers and documents that contain sensitive information should be destroyed as soon as they are no longer needed for business reasons. The best way to protect your customers’ data and your organization’s reputation is to have a foolproof system in place for document destruction.

Identity Theft

Is identity theft a real problem?
Yes. A report from Javelin Strategy and Research estimated that in 2012, 12 million adults in the United States were victims of identity theft, leading to overall losses of $21 billion.

Isn’t identity theft only something I need to worry about when I’m online?
No. According to the Better Business Bureau, despite fears of phishing and other online scams, “most ‘garden variety’ identity theft doesn’t involve cyberspace… most identity thieves still rely on tried-and-true methods to get their hands on your paper records — real documents that can serve as the basis for their dirty work.”

What can I do to prevent identity theft?
The Federal Trade Commission provides several publications with advice on dealing with and avoiding identity theft. At the top of the list? Shredding financial documents and paperwork.

Federal Information Security Regulations

What is the Fair and Accurate Credit Transaction Act (FACTA)?
FACTA is intended to help consumers and company employees combat fraud and identity theft. It includes extensive guidelines for how companies should deal with the sensitive information contained in credit reports. Noncompliance can result in fines and civil lawsuits.

My company does not produce credit reports. Do I need to pay attention to FACTA?
Yes. If your work with customers or employees involves credit checks, FACTA applies to you. It is far reaching, covering everyone who uses “consumer reports” — which can include everything from credit reports to employment background checks to medical histories.

What is the Red Flags Rule?
The Red Flags Rule associated with FACTA went into effect in January 2011. It calls for even more effort on the part of businesses, requiring them to put in place a written identity theft prevention plan.

How do I know if the Red Flags Rule applies to my business?
That can be complicated. As with FACTA itself, the Red Flags Rule has implications for organizations of all sizes and kinds. Broadly, it covers two categories of businesses: “financial institutions” and “creditors.” Since the rule is relatively recent, there are no hard-and-fast guidelines for which businesses fall under the rule and which do not. It is best to consult an attorney for the most up-to-date information.

Are there privacy rules for other types of financial information?
Yes. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, requires among many other things that banking and financial institutions throughout the US protect the confidentiality and security of consumer data.

How might the GLBA affect my business?
The GLBA contains a Safeguards Rule, under which financial institutions must develop a written information security plan, covering everything from assessing risks to designing and monitoring a safeguards program.

I don’t run a bank. Do I need to pay attention to the GLBA?
Maybe. The GLBA pertains to all “financial institutions” in the US — and includes a very broad definition of the term financial institution. Data processors and mortgage brokers, for instance, are mentioned specifically, as are “retailers that issue credit cards to consumers.” Other covered groups can include professional tax preparers, courier services, credit reporting agencies, and ATM operators.

Are there any special considerations for health records?
Yes. The Health Insurance Portability and Accountability Act (HIPAA) requires that healthcare organizations take responsibility for the secure electronic transmission of patient information and the secure storage and disposal of that information. These organizations are also responsible for putting in place appropriate safeguards and programs to protect individually identifiable health information.

What kinds of information does HIPAA cover?
The HIPAA Privacy Rule protects all “individually identifiable health information” held in any form or transmitted. This includes past, present, or future physical or mental health conditions and past, present, or future payment information.

So if I’m not a healthcare provider I don’t need to worry about HIPAA?
Not so fast. In addition to covering health plans, healthcare clearinghouses, and health care providers, HIPAA also includes their business associates: “a person or organization… that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.”

State Information Security Regulations

What’s the difference between federal and state regulations?
Quite a bit, depending on where you live. Many states have instituted their own efforts to increase consumer privacy and limit identity theft. This means that in many areas, businesses have an added incentive to make sure their computer disk and paper shredding is being handled promptly and properly.

What do state regulations typically apply to?
Most states have laws covering breaches of security involving confidential information stored electronically, and some also refer to printed material. Some states also have laws that specifically target the destruction of sensitive documents, and in those cases the statute itself names document shredding as a means of secure destruction.

What types of information are usually covered?
While regulations vary from state to state, they usually refer to personal information: an individual’s name and data such as Social Security number, driver’s license number, account number, credit or debit card number, and security code or password. For specific information regarding laws in your area, contact your state’s attorney general.

What happens if my business has suffered a data breach?
Most state laws make it the responsibility of the business owner or manager to inform state officials about a data breach involving personal information, and in some cases even about the possibility that a breach may have occurred.

Which states currently have data breach or document destruction laws?
Click the links below for details on states with pertinent legislation within A Shred Ahead’s service area.

What’s the best way to make sure I’m aware of the most current regulations?
These laws are always open to amendment or change, and additional states may be considering the adoption of similar legislation. Contact your state’s attorney general for current information.