SHRED IT SO YOU DON'T REGRET IT!
(718) 945-3500
Call Now!





Servicing The Following Areas:
  • New York
  • New Jersey
  • Long Island
  • Garden City
  • Hauppauge
  • Mineola
  • Melville
  • Riverhead
  • Islip
  • Jamaica



Standards and Compliance

Since the 1934 Social Security Act, there have been laws stipulating that a person’s Social Security number and other personal information be kept private, and that anyone who knowingly violates the law be subject to fines and/or jail time. Over the years, a growing number of Acts have regulated how companies handle and destroy the personal and confidential information of their clients. The rise in identity theft has only magnified the need for information security and destruction. For your edification, below you will find brief overviews of the major Acts regulating companies in their respective industries. Should you require any further information, please feel free to contact us. Our feeling is that an educated consumer is the best consumer.

  • Fair and Accurate Credit Transactions Act (FACTA)
  • Sarbanes-Oxley (SOX)
  • Health Insurance Portability & Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (1999) Financial Services Modernization Act

Fair and Accurate Credit Transactions Act (FACTA)

The Fair and Accurate Credit Transactions Act (FACTA), affecting virtually every person and business in the United States, is designed to reduce the risk of consumer fraud and identity theft. The law is expansive in scope, covering 19 issues, most of which focus on ensuring proper credit reporting.

One provision in particular, however, is devoted solely to the proper disposal of consumer information. Irresponsible information disposal has been cited in numerous fraud cases. Identity thieves frequently collect a wealth of personal data by rooting through the trash - an activity commonly referred to as 'dumpster diving.'

When FACTA became law in December of 2003, Congress mandated that the Federal Trade Commission (FTC) develop a disposal rule. The FTC codified its final rule in November of 2004. It defines consumer information as "a variety of personal identifiers beyond simply a person's name..., including, but not limited to a social security number, driver's license number, phone number, physical address, and e-mail address."

Taking effect on June 1, 2005, the FTC's FACTA disposal rule mandates that "any person who maintains or otherwise possesses consumer information for a business purpose" must properly destroy the discarded information. An organization must "dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal".

Destroy All Papers Containing Consumer Information

Reasonable measures as defined by FACTA are "burning, pulverizing, or shredding of papers containing consumer information" or entering into "a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule".

Failure to comply with the FACTA law can result in substantial civil liability. Victims are entitled to recover the actual damages they sustained as a result of a disposal rule violation and may also seek statutory damages of up to $1000 per violation; in a class action lawsuit, statutory damages could run into the millions of dollars. Furthermore, federal and state authorities may bring legal enforcement actions for each violation of the rule.

You might be required to follow the Fair and Accurate Credit Transactions Act of 2003

Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which calls for the proper disposal of information in consumer reports and records to protect against "unauthorized access to or use of the information."

The Rule applies to individuals and to organizations, both large and small, that use consumer reports, including: consumer reporting companies; lenders; insurers; employers; landlords; government agencies; mortgage brokers; car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the Rule.

Certain Documents You MUST Shred

The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used - or expected to be used - in establishing a consumer's eligibility for credit, employment, or insurance, among other purposes.

Examples of consumer reports include:

  • Credit reports
  • Credit scores
  • Reports businesses or individuals receive with information relating to: employment background, check writing history, insurance claims, residential or tenant history, or medical history.

The Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to - or use of - information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

  • burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
  • destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed; or
  • conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule.

Due diligence could include:

  • reviewing an independent audit of a disposal company's operations and/or its compliance with the Rule;
  • obtaining information about the disposal company from several references;
  • requiring that the disposal company be certified by a recognized trade association; or
  • reviewing and evaluating the disposal company's information security policies or procedures.

Sarbanes-Oxley (SOX)

The Sarbanes-Oxley (SOX) Act of 2002 was signed into law on 30th July 2002, and introduced highly significant legislative changes to financial practice and corporate governance regulation. It introduced stringent new rules with the stated objective: "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws". It also introduced a number of deadlines, the prime ones being:

  • Most public companies must meet the financial reporting and certification mandates for any end of year financial statements filed after November 15th 2004 (amended from June 15th).
  • Smaller companies and foreign companies must meet these mandates for any statements filed after 15th July 2005 (amended from April 15th).

The Act is named after its main architects, Senator Paul Sarbanes and Representative Michael Oxley, and followed a series of very high profile scandals, such as Enron. It is also intended to "deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders".

The Sarbanes-Oxley Act itself is organized into eleven titles, although sections 302, 404, 401, 409, 802 and 906 are the most significant with respect to compliance and internal control. In addition, the Act also created a public company accounting board.

Health Insurance Portability & Accountability Act (HIPAA)

Congress passed the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to improve the efficiency and effectiveness of the nation's healthcare system.

HIPAA's Administrative Simplification provisions require the Department of Health and Human Services to promulgate standards for the electronic exchange of certain administrative and financial transactions and for the security and privacy of health information. The Administrative Simplification provisions are implemented through a package of regulations, all of which apply to three distinct covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with standardized transactions.

The Standards for Electronic Transactions regulation adopts standards for eight electronic transactions and for national code sets to be used in those transactions. The adoption of national code sets results in the elimination of local procedure codes. Proposed standards for additional transactions are expected in the future.

The Standards for Privacy of Individually Identifiable Health Information regulation establishes standards for the use and disclosure of protected health information. It also establishes some patient rights, including individuals' access to records.

Gramm-Leach-Bliley Act (1999) Financial Services Modernization Act

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.

The GLB Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.

The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.

The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.

Organizations are demanding that their records management systems provide cost efficiency, improve the accessibility of documents and at the same time meet increasingly challenging compliance and regulatory requirements.


