What you need to know about legal compliance
Document management and destruction is about more than cost-effectiveness or “going green.” It is about legal compliance and due diligence in selecting a service provider.
Be familiar with the legislation that requires you to protect your business, employees, customers and business partners.
FACTA (also called the FACT Act), the Fair and Accurate Credit Transactions Act of 2003, amends the Fair Credit Reporting Act (FCRA) and is intended to combat consumer fraud and other crimes, including identity theft. The act requires that papers containing consumer information be destroyed. This law covers almost every business to some degree.
The GLB Act, the Gramm-Leach-Bliley Act of 1999, requires financial institutions to guarantee the security and confidentiality of non-public customer information. Secure storage, disposal, and sharing of confidential information are also covered. Businesses involved in banking, credit issuing, insurance, stocks, bonds, investments, and other financial services must comply with this act.
The HITECH Act, a 2009 addition to HIPAA, requires institutions covered by the act to notify individuals in the event of a security breach of unsecured protected health information. Unsecured health information is information that has not been secured by a technology or methodology that renders it unusable, unreadable, or indecipherable to unauthorized viewers.
The Red Flags Rule, enacted in 2008, was revised and its compliance deadline moved to January 1, 2011. This federal law requires that most businesses establish, implement, and maintain identity theft prevention procedures. When a new financial or credit account is established, or when changes to an existing account occur, account authentication is required. The law affects businesses and other organizations that accept payment for goods or services after they are delivered, by defining those businesses as a "creditor" or as holding a "covered account." Only businesses that accept payment exclusively prior to delivery or upon delivery (COD) are exempt. Businesses in healthcare, finance, utilities, telecom, mortgage lending, auto and other dealerships are all affected by this act.
SOX, the Sarbanes-Oxley Act of 2002, was enacted in response to corporate and accounting scandals. SOX sets new and stricter standards for public company boards of directors, public accounting firms, and public management firms. Privately held companies are not covered by SOX. The act covers shredding in terms of record retention: it requires retention of financial documents for five years past an audit, or requires review prior to destruction.
Texas Shred Law 698, the Texas Information Disposal Act, House Bill 698 (HB 698), amends the Texas Business and Commerce Code. Its document retention and disposal requirements require businesses to shred, erase, or otherwise destroy all business records containing "personal identifying information" prior to disposal. The act applies to information whether it is from consumers or employees and covers all records created before, on, or after the effective date of the act. This act specifically covers destruction, requiring that any and all information that could be used to commit the crime of identity theft be securely destroyed. This includes the destruction of Social Security numbers, government-issued identification numbers, financial account numbers, birth dates, email addresses, and other information.
EEA, the Economic Espionage Act, makes it a criminal offense to steal or misappropriate trade secrets. U.S. citizens and businesses in general that handle sensitive data in hardcopy format are covered by the act.