Do Shred Laws Apply to You?
Government regulations relating to privacy and information security affect nearly every business in America – do they apply to yours? You may be surprised by the answer.
At least one of the laws below likely applies to your business – and violating its provisions can be expensive!
- HIPAA: the Health Insurance Portability and Accountability Act requires healthcare organizations and businesses with group health plans to protect the confidentiality and security of healthcare information. This includes Protected Health Information (PHI) and Personally Identifiable Information (PII). Punishment for violations falls under three main categories: criminal penalties, civil monetary penalties, and sanctions. Penalties range from $1,000 per violation to a maximum of $50,000 per violation, with an annual maximum of $1.5 million.
- HITECH: the Health Information Technology for Economic and Clinical Health Act promotes the adoption of health information technology, and includes a strong privacy and security element that strengthens the civil and criminal enforcement of HIPAA rules. ONE MAJOR CHANGE removes the bar on penalties for a covered entity that did not know of its HIPAA privacy violations and would not have known of them even by exercising reasonable diligence – i.e., not knowing that you’ve violated HIPAA isn’t a defense against penalties. HITECH penalties range from $100 per violation to $50,000 per violation.
- FERPA: the Family Educational Rights and Privacy Act is a Federal privacy law that gives parents certain protections with regard to their children’s education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules. The potential penalty is the loss of Federal funding.
- GLB: the Gramm-Leach-Bliley Act requires protection of consumers’ personal financial information held by financial institutions. When no longer in use, this information must be safely destroyed. Failure to comply carries penalties of up to $11,000 per violation. What businesses does GLB apply to? Banks, credit unions, insurance companies, real estate appraisers, tax preparers, ATM operators, financial advisors, and credit collectors, among others.
- FACTA: the Fair and Accurate Credit Transactions Act protects consumers’ personal and financial records, and requires businesses to properly dispose of information in consumer reports and to protect against unauthorized access to this information. Penalties start at $1,000 per violation and include actual and punitive damages. Proper disposal methods are to burn, pulverize, or shred covered records. FACTA covers lenders, insurers, automotive dealers, attorneys, and employers, among others.
- FTC Disposal Rule: the Federal Trade Commission’s Disposal Rule requires businesses that receive consumer report information – mostly from background checks – to securely dispose of this sensitive information. Originally created to implement the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the Disposal Rule is currently open for public review as the FTC prepares to expand the scope of the Rule to include “aggregate information or information that can be reasonably linked to an individual”.