Strict Regulatory Compliance
Because document security is our business, we take the responsibility of enforcing data protection laws extremely seriously. By closely monitoring our destruction and shredding processes, we ensure compliance with regulatory laws. This is in the best interest of both our company and our clients, since penalties for infringement can be severe and may include: fines, criminal charges and jail sentences, private rights of action, implementation of required security programs, and annual audits for up to 20 years (consent decrees).
Why do we need to comply with all the State Legislative Rulings and Federal Regulations? Because it's the law!
Everyone must comply with mandatory California State and Federal Privacy Regulations regarding document destruction and secured personal and financial data, as well as health and medical records.
Our Compliance Team constantly reviews communications from government entities and agencies including:
- Federal Trade Commission (FTC)
- Department of Justice (DOJ)
- Office of Civil Rights
- State Attorney General
- Consumer Financial Protection Board
What Is FACTA?
Signed into law on December 4, 2003, the Fair and Accurate Credit Transactions Act (FACTA) is federal legislation aimed at the prevention and penalization of consumer fraud and identity theft. Administered by the Federal Trade Commission (FTC), the FACTA Disposal Rule (2005) defines consumer information as personal identifying materials which extend beyond just a person’s name, including:
- a social security number
- a driver’s license number
- a phone number or e-mail address
- a physical address
To comply with the FACTA Disposal Rule, businesses and individuals must take “reasonable measures” to ensure such information does not fall into the wrong hands. Reasonable measures include the “burning, pulverizing, or shredding” of paper documents, such as contracting a third party engaged in the document destruction business to dispose of confidential information in a manner consistent with the Act.
Following guidance of the Gramm-Leach-Bliley Act (GLBA), enacted to protect private consumer information, the CA State Legislature passed Assembly Bill 2246 in January of 2001 with the following mandate:
"A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3)..."
HIPAA, the federal Health Insurance Portability and Accountability Act, identifies protected health information and sets rules for the security and privacy of this information. This 1996 law and the accompanying 2002 regulation known as the Privacy Rule restrict how health care providers may handle and disclose patient health information. In general, health care entities must ensure that only approved personnel handle protected health information, and then only for purposes specified in the law and regulation.
The Red Flags Rule
The Red Flags Rule helps fight identity theft. The Federal Trade Commission (FTC), the federal bank regulatory agencies, and the National Credit Union Administration (NCUA) have issued regulations (the Red Flags Rule) requiring financial institutions and creditors to develop and implement written identity theft prevention programs, as part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003. As of May 1, 2009, companies must provide for the identification, detection and response to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.
Fight Identity Theft
Under the Red Flags Rule, financial institutions and creditors must develop a written program that identifies and detects the relevant warning signs of identity theft. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. Financial institutions and creditors must design and implement a program that is appropriate to their size and complexity, as well as the nature of their operations. As federal and state legislation tightens and reaches beyond financial and credit businesses across America, it is imperative that all organizations conduct due diligence and take appropriate measures to ensure end-of-lifecycle documentation is properly destroyed and recycled.
Proof of Destruction
State and Federal privacy laws require that a majority of our clients across different industries produce a Certificate of Destruction to confirm that the shredding of their specific documents has been completed. Whether a medical facility, financial institution, attorney's office, educational organization, home residence, or a small/medium business, requesting a Certificate of Destruction ensures that the shredding process is completed in full compliance with privacy laws like HIPAA, HITECH, FACTA and GLBA.