State House Rules

Recognizing the limitations of federal laws like FACTA and HIPAA, some states have proposed legislation to safeguard personal information.

 

In light of security breaches at companies like ChoicePoint, LexisNexis, Time Warner and Bank of America, among others, the specter of identity theft continues to make news. Such stories of misplaced or fraudulently obtained data and the identity theft that could occur as a result have helped to garner attention at the state level, leading lawmakers to draft legislation that helps residents protect their personal information by stipulating how such data should be disposed of or calling for consumer notification in the case of a security breach.

North Carolina, Texas, Arizona and New Jersey are among the states that are debating legislation that would call for the secure destruction of documents and electronic files that contain personal data. Similar laws are already in place in California, Georgia and Wisconsin.

While the proposed laws appear to be working their way through state legislatures with little resistance, the overall impact they will have on reducing identity theft remains to be seen, as do their possible effects on secure destruction companies operating in these states.

Representatives from the secure destruction industry are generally optimistic about data protection laws being proposed at the state level and most see a need for them, as the federal laws HIPAA (Health Insurance Portability and Accountability Act) and FACTA (Fair Credit Reporting Act) currently apply only to medical and credit reporting information.

"Speaking to FACTA in specific, the FTC (Federal Trade Commission) could only craft the rule as Congress allowed," John E. Bauknight IV, president of Shred First LLC and Total Records & Information Management LLC, based in Spartanburg, S.C., says. "They were specifically directed to deal with consumer credit reports and the information derived therein."

He says that Ellen Finn, a staff attorney with the FTC’s Division of Financial Practices, has said that the FTC would like to have had the opportunity to broaden FACTA to include all personal information, not just consumer credit report data.

Bauknight says that he would like to see FACTA used as a model for other data protection legislation. "It sets forth the policies that a company should follow in proper disposal of documents or electronics."

He adds that federal and state laws that specify shredding are preferable to those that simply suggest "reasonable measures."

"The biggest advantage is that it preaches responsibility and maintaining confidentiality," Bauknight says.

MODEL LEGISLATION

The Public Interest Research Group (PIRG) in combination with the Consumers Union, headquartered in Washington, D.C., has crafted model legislation, which was published in the fall of 2004, to protect against identity theft.

"The Clean Credit and Identity Theft Protection Act: Model State Laws" proposes safeguards for personal information that is not covered by FACTA. The model legislation is organized into nine related laws that can be enacted as separate pieces of legislation or as a package.

A portion of the model legislation titled "Adequate Destruction of Personal Records" defines reasonable disposal measures as "the burning, pulverizing or shredding of papers containing personal information" and "the destruction or erasure of electronic media and other non-paper media containing personal information." Additionally, PIRG’s sample legislation (available online at www.pirg.org/consumer/credit/model.htm) states that contracting with a company engaged in the record destruction business "to dispose of personal information in a manner consistent with this statute" is acceptable provided due diligence is used in selecting the secure destruction company.

If picked up by state legislatures, such language could certainly bode well for the secure destruction industry.

"As you’ll see from the bill, we support legislation that (I) would require businesses to take reasonable measures to protect against unauthorized access to or use of records containing personal information when disposing of them and that (II) would extend this requirement to any third-party vendors engaged in disposal of such records," says Kerry Smith, the Philadelphia-based senior consumer attorney with the state PIRGs.

Smith adds that Massachusetts, New Jersey and North Carolina have picked up the "Adequate Destruction of Personal Records" portion of PIRG’s model legislation and that California, Georgia and Wisconsin have already passed similar measures.

"We believe that our model law is an important supplement to existing law, including FACTA. Section 216 of [FACTA] requires the Federal Trade Commission and other federal agencies to issue regulations regarding the proper disposal of consumer information that is derived from credit reports," Smith says. "While these regulations can be an important tool in combating identity theft, they apply only to information from credit reports. Our model state law has broader applicability."

Georgia’s Senate Bill 475, the Information Privacy Act of 2002, like PIRG’s model legislation, calls for the burning, pulverizing or shredding of documents that contain personal data.

According to Jack Gerblick of Peachtree Secure Shredding, Atlanta, such specifications facilitate compliance.

GEORGIA LAW

"I think the more information you provide businesses, the easier it is for them to comply," Gerblick says. "There is no gray area."

To help its members comply with HIPAA, FACTA and the Georgia Information Privacy Act, the Georgia Dental Association (GDA) has endorsed Peachtree Secure Shredding as a preferred document destruction vendor, Gerblick says. "They highly recommend a third-party service and they endorse us."

Gerblick says Peachtree Secure Shredding received the GDA endorsement because the company barcodes all of its containers and collects a date and time stamp during bin servicing and an electronic signature from the document destruction witness, providing an audit trail and chain of custody for documents containing sensitive personal information.

According to www.stopidentitytheft.org, a Web site providing information on the Georgia Information Privacy Act to consumers, businesses and law enforcement agencies in the state, businesses should use "shredding as the best and preferred destruction practice of paper-based documents."

On the Docket

A number of states have proposed legislation regarding disposal practices for records containing sensitive personal information.

Arizona Senate Bill 1114—Would require entities disposing of records to take reasonable steps to ensure the destruction of personal financial and health information as well as personal identification numbers issued by government entities. Would also call for entities discovering security breaches to notify the individuals affected and to provide information on the steps being taken to protect against unauthorized use of such information.

Maryland House Bill 1588/Senate Bill 1002—Would require a business to destroy or arrange for the destruction of customers’ records that contain specified personal information in a specified manner. In the case of security breaches, it would require notification.

Montana House Bill 732—Would require destruction of business records and security breach notification. Would also require consumer reporting agencies to block information resulting from identity theft from reports.

New Jersey Assembly Bill 2048/SB 2440—Would require a business to destroy consumer records by shredding, erasing or otherwise modifying personal information to make it unreadable or indecipherable. Would also require security breach notification within 15 days to any customer who is a resident of New Jersey whose unencrypted personal information is believed to have been acquired by an unauthorized person. Violators would be liable to a penalty of no more than $10,000 for the first offense and no more than $20,000 for the second and each subsequent offense.

New Jersey Assembly Bill 1982—Would establish guidelines businesses should use to discard or dispose of business documents containing personal information, such as shredding the record or rendering it unreadable or irretrievable before discarding the device containing the record; erasing the personal information; or modifying the record to make the personal information unreadable. Violators would be fined $100 for the first offense and no less than $100 and no more than $500 for any subsequent offense.

North Carolina Senate Bill 1048—Would require the destruction of records containing personal information using either burning, shredding or pulverizing of paper documents and the destruction or erasure of electronic media. Specifies that businesses may enter into a written contract with a record destruction company. Also would call for Social Security number protection, security freezes on credit reports and notification in the case of a security breach.

Despite the Georgia law giving a nod to shredding, Gerblick says his company still does a good deal of "evangelizing and educating." He says, "People just don’t realize that a service such as ours is available. They think their only option is to go out and buy a shredder."

Under Georgia’s law, which called for compliance by July 2003, violators can be fined $500 to $10,000. In addition to the fines, the Georgia law does not limit a violator’s civil liability. "I think that is scary for a lot of businesses from a civil liabilities standpoint," Gerblick says.

However, he says he is not aware of any incidents that have resulted in fines. (Secure Destruction Business’s attempts at contacting Georgia’s Assistant Attorney General R. Javoyne Hicks to learn about the fines resulting from violations have gone unanswered.) While Gerblick says that legislators did a "great job of writing and passing" the law, education and enforcement have been somewhat lacking.

"There are some teeth to the law, but there hasn’t been an incident that has been well published," he says. "The only way you are going to get businesses serious about this is with a well-publicized incident where the company was not compliant—it was not their first offense, but they refused to get into compliance for whatever reason—and there was a substantial fine."

Gerblick says that 30 percent to 40 percent of the companies he deals with are aware of Georgia’s Information Privacy Act and that many companies have asked him for help in writing their policies and procedures regarding document disposal. He views this positively. "As an industry, I think we are viewed more as consultants, which is exactly where we want to be," Gerblick says. "We are the domain experts."

While secure destruction companies and Georgia’s Attorney General’s office work on educating consumers and businesses in the state about the protections and responsibilities outlined in its Information Privacy Act, other states are considering similar legislation to ensure the privacy of personal data.

Texas is one such state. Legislators there are considering three bills related to identity theft and safeguarding of personal information, but secure destruction firms in the state are watching House Bill 698, regarding the retention and disposal of business records, most closely.

PROPOSED TEXAS LEGISLATION

House Bill 698 has passed the Texas House and was on the Senate floor as of early May.

This bill calls for business records containing personal information—names, addresses, phone numbers, Social Security numbers, passwords and mothers’ maiden names—to be modified by "shredding, erasing or other means…to make it unreadable or [indecipherable]."

Steve Guin of the Information Protection Solutions of America (IPSA) Dallas office says the laws are an improvement over earlier laws because they specify shredding. "The big thing about these laws is that so many in the past just said that ‘reasonable care’ must be taken to dispose of the information." The problem with such vague language, Guin says, is that it is open to interpretation.

House Bill 698 also stipulates that violators are "liable for a civil penalty of up to $500 for each record." The state’s attorney general could also ask violators to "recover costs and reasonable attorney’s fees incurred in bringing the action." If passed, the legislation would go into effect Sept. 1.

Guin says he expects House Bill 698, once passed, to benefit the secure shredding industry in the state. "Those of us in the shredding industry can now say that there is a law that specifically says ‘shredding,’ whereas, in the past, we have always had to sell them on what is ‘reasonable care,’" he says.

Secure destruction professionals in other states (see sidebar at right) may find themselves preparing for similar circumstances if comparable legislation becomes law.

Bauknight stresses that now may be the best time to propose legislation regarding personal data in light of all the publicity the issue of identity theft is receiving.

"Consumer awareness is always most important, and [identity theft] may never again have the spotlight that it does now," Bauknight says, adding that secure destruction industry growth is projected to be as high as 25 percent yearly for the foreseeable future. "The electronic side will grow in proportion to paper as ID thieves are moving on to bigger and better ways of accessing more information."

The author is managing editor of Secure Destruction Business magazine and can be reached at dtoto@gie.net.

June 2005