Executive Summary

Every company in America is required to have a written information destruction policy along with procedures to implement this policy.

Companies face an ever-growing mountain of federal identity theft prevention and privacy protection legislation, such as Gramm‐Leach‐Bliley, the FACTA Disposal Rule, and HIPAA, along with a multitude of laws and regulations at the state level.

Haphazard or nonexistent information destruction policies and procedures can result in costly litigation, government fines, unfavorable publicity, and lost sales. In this executive briefing, we’ll look at:

  • How these privacy protection laws came into being.
  • Problems facing companies today from improper information destruction practices.
  • How to achieve compliance with state and federal privacy protection laws.


Federal Requirements

The federal government’s response to identity theft has been included as a part of three major pieces of legislation: HIPAA, Gramm‐Leach‐Bliley, and FACTA.

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. The Administrative Simplification [under Title II] rules deal with the “security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the US health care system.”

Under the Gramm‐Leach‐Bliley Safeguards Rule, financial institutions are required to “develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.” The Safeguards Rule is “intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes.”

Under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), the Federal Trade Commission (FTC) announced the FACTA Disposal Rule on June 1, 2005. Every business in America must properly dispose of sensitive consumer records.

The Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

  • burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
  • destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed; or
  • conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule.

Due diligence could include:

  • reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
  • obtaining information about the disposal company from several references;
  • requiring that the disposal company be certified by a recognized trade association; or
  • reviewing and evaluating the disposal company’s information security policies or procedures.

FACTA’s “Identity Theft Red Flags” compliance deadlines were recently postponed for six months. On 1/13/2009, Identity Theft Daily reported the following:

November 1, 2008, marked the deadline for compliance with the Red Flag provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) by financial institutions and other creditors. These provisions require organizations to be able to “identify patterns, practices and specific forms of activity that indicate the possible existence of identity theft,” and to develop and deploy effective prevention programs. Recently the Federal Trade Commission (FTC) announced that it will not enforce compliance with the Red Flags rules until May 1, 2009, for entities under its jurisdiction. This provides a reprieve for some organizations, specifically state‐chartered credit unions and non‐financial institutions such as mortgage brokers, mortgage lenders, auto dealers, hospitals, utility companies, and municipalities.

While the FTC’s decision provides an additional six months for those particular organizations to comply with the Red Flag provisions, it does not afford them a get‐out‐of‐jail‐free card. Legally, the FTC cannot push back the previous November 1 deadline for any organization; what the FTC is essentially doing is saying they will not prosecute for non‐compliance for another six months. As a result, any entity that does not comply by November 1 [2008] is still considered non‐compliant and is exposed to potential lawsuits from plaintiff attorneys.

Unfortunately, any notion that these rules are relatively insignificant or easily complied with is exactly that: a misconception. The Red Flag provisions cast a wide net, encompassing many types of entities within various industries, such as banks, insurance companies, collections agencies, etc. Moreover, many of the definitions within the new rules could greatly expand the scope of compliance. In addition, organizations need to understand that if they offer a covered account, defined in this legislation as any consumer account involving multiple payments or transactions, they are subject to these regulations as well.

In order to be compliant, any “financial institution and creditor that holds any customer account, or other account, for which there is a reasonably foreseeable risk of identity theft” must develop an identity theft prevention program. The rules have four principal components:

  • Identification of activity that may signal possible identity theft;
  • Ongoing detection of red flags that have been identified;
  • Ability to respond effectively to red flags to prevent and mitigate theft; and
  • Periodic review and updating of red flags and procedures to keep pace with emerging threats.

These “Red Flag Provisions” have already affected certain hospitals and doctors’ offices as reported by The Daily Sentinel on January 5, 2009:

“New federal regulations aimed at detecting potential health identity theft are changing some procedures at Grand Valley businesses.

Patients checking in at local hospitals or physicians’ offices can now expect to show photo identification at every visit. That wasn’t always the case, local hospital officials said.

In November, a new regulation from the Federal Trade Commission required all financial institutions and creditors to develop an identity theft prevention program. Health care providers fit into the category of creditor because they can extend credit to patients and report people to collection agencies.”

It appears that these new “Identity Theft Red Flag” provisions may apply to any business which extends credit to its customers and reports people to collection agencies.

Future Legislation

In addition, Congress has signaled its intention to pass identity theft‐related legislation as this crime affects more and more individuals and businesses. For example, “The Identity Theft Enforcement and Restitution Act” passed the U.S. Senate in both 2007 and 2008 yet failed to be voted on in the House of Representatives.

State Requirements

The State of Georgia began a torrent of state privacy protection laws when it passed a bill in 2002. Other states such as California, Texas, Oregon and Washington followed, and the risks of noncompliance rise continually.

California

In 2003, California passed legislation (SB1360) requiring “entities or individuals who do business in California to notify California residents whenever their unencrypted personal information is reasonably believed to have been compromised.”

This former cybercrime prosecutor with the DOJ also reported that the “novel notification required by the new law must occur ‘in the most expedient time possible and without unreasonable delay.’ Customers injured by violations of the statute are authorized to bring private lawsuits for damages. Because most corporations do not routinely segregate data related to California residents from other customer or employee data, this legislation may have a significant effect on how companies across the United States handle information security issues.”

Case Study: ChoicePoint

California’s SB1360 had a national impact in 2005 when ChoicePoint, a major compiler and seller of personal information, had a major breach of information security.

Posing as businesses seeking credit information on customers, an identity theft ring obtained sensitive confidential information including names, Social Security numbers and credit histories on over 100,000 American consumers. ChoicePoint chose to notify its 35,000 California customers under the requirements of SB1360.

The company’s notification obligations soon expanded despite the lack of similar laws in other states. “Under significant pressure from 19 state attorneys general and an array of consumer activists, personal and financial data vendor ChoicePoint has agreed to notify 145,000 consumers whose information may have been obtained from the company by identity thieves in an elaborate fraud scheme.”

Beyond the terrible publicity for this company, the security breach cost the company millions of dollars:
“The company reported charges of US$11.4 million related to the incident in the first six months of 2005, including US$2 million to notify victims of the incident and US$9.4 million in legal and professional fees. Changes to business practices to avoid further breaches were expected to cost the company between $15 million and $20 million in sales during 2005 and to reduce earnings per share by 10 cents to 12 cents.

“In January 2006 ChoicePoint was fined US$15 million by the Federal Trade Commission: US$10 million in civil penalties and US$5 million to compensate victims of the security breach. In addition, ChoicePoint was required to take steps to better secure personal information.

“The announcements of frauds and the fines have been accompanied by substantial falls in the value of the company’s traded shares.”

Since the ChoicePoint breach, a total of 45 states have passed security breach notification legislation.

Oregon Identity Theft Protection Act

Signed into law in 2007, the Oregon Identity Theft Protection Act prohibits “individuals, government agencies, organizations, or businesses from printing Social Security numbers on any material that is mailed, unless the recipient has requested it. This does not apply to records or documents required by state or federal law such as W2s, 1099s, or similar documents. The law also prohibits printing a Social Security number on a card used to access products or services, or publicly posting or displaying a Social Security number, such as on a Web site.”

In addition, the Oregon Identity Theft Protection Act requires companies to “develop, implement, and maintain reasonable safeguards to ensure the security, confidentiality, and integrity of the information. Safeguarding also means properly disposing of information.”

Should your company have a security breach that affected Oregon employees or customers, you would be required to send a letter similar to this one (cbs.state.or.us/dfcs/identity_theft/SampleLetter‐Breach.pdf) to your affected customers and employees.

Selected States: Notice of Security Breach State Laws

California

Civil Code Sec. 1798.80‐1798.82, effective July 1, 2003. Requires notice to consumers of a breach in the security, confidentiality, or integrity of unencrypted, computerized personal information held by a business or a government agency. If the person or business has its own notification procedures consistent with the timing requirements and provides notice in accordance with its policies, or if the person or business abides by a state or federal law that provides greater protection and disclosure, then it is deemed in compliance.

Oregon

O.R.S. 646A.604, effective October 1, 2007. Requires notice of an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person. Notice is not required if, after an appropriate investigation or after consultation with federal, state or local agencies responsible for law enforcement, the person determines that no reasonable likelihood of harm to consumers whose personal information has been acquired has resulted or will result from the breach. That determination must be in writing and kept for 5 years. Exempted are those with their own notification procedures under state or federal law that provide at least as much protection to personal information and at least as thorough disclosure requirements, pursuant to the rules, regulations, procedures, guidance or guidelines established by their primary regulator or by state or federal laws, and financial institutions which are in compliance with federal guidance.

Washington

RCW 42.17 et seq., effective July 24, 2005. Requires notice of a breach of the security, confidentiality, or integrity of unencrypted, computerized personal information by persons, businesses and government agencies. Notice is not required when there is a technical breach of the security of the system which does not seem reasonably likely to subject customers to a risk of criminal activity. Notice under this section is not required if the entity maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this section.

Other states available upon request.