Shredding is more than a document disposal method. It is a way to protect sensitive information, maintain customer and employee privacy, and prevent identity theft. It is also the law: federal regulations such as FACTA dictate how organizations must carry out document destruction. Failing to follow these rules can result in substantial fines, legal trouble, and damage to your brand's reputation.
In this article, we’ll explain the major shredding laws, spotlight regulations in a couple of specific states, and recommend how your organization can stay in compliance.
What is FACTA?
FACTA stands for the Fair and Accurate Credit Transactions Act. It was passed in 2003 as an amendment to the Fair Credit Reporting Act (FCRA). FACTA is best known for giving individuals free access to their credit reports, but it was also written to protect consumers from identity theft: it sets requirements for the privacy, accuracy, sharing, and disposal of consumer information.
FACTA’s Requirements Regarding Shredding
FACTA's Disposal Rule applies to "consumer information", meaning records about an individual, in paper or electronic form, that are a consumer report or are derived from one (credit reports, background checks, and similar data containing personally identifiable or financial information). The FTC states the disposal requirement as follows:
“Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
FACTA's "reasonable measures" include implementing and monitoring policies and procedures that require burning, pulverizing, or shredding papers containing consumer information so that the information cannot practicably be read or reconstructed. The same standard applies to electronic media: it must be destroyed or erased so that the consumer information on it cannot practicably be read or reconstructed.
The rule also expects the business, not the government, to perform due diligence before outsourcing destruction to a third-party shredding company. That can range from reviewing an independent audit of the disposal company's operations to requiring certification from a recognized trade association or checking references; hiring a contractor without this diligence is not a "reasonable measure".
The penalties for FACTA violations can reach $1,000 per violation at the state level and $2,500 per violation at the federal level, and affected consumers can sue as well. Suppose a disposal-related breach at your business affected 1,000 customers. At $1,000 per customer, a class action could produce damages of $1,000,000 or more. It is therefore imperative that your business complies with FACTA's requirements.
FACTA in Alabama
Consumers should nonetheless exercise caution when claiming FACTA violations. In 2018, a federal court in Alabama dismissed a FACTA lawsuit because the plaintiff could not show that the alleged violation had caused her any concrete harm.
One section of FACTA prohibits merchants from printing "more than the last 5 digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction."
In Taylor v. Fred's, Tiffany Taylor accused Fred's of a truncation violation: its receipts printed more than the last five digits of her credit card number, and some printed the expiration date. The court found that the extra digits (the first six of the card number) only identify which entity issued the card, the so-called bank identification number, and do not reveal her account.
The court also noted that Congress had recognized that an expiration date on a receipt does not materially increase the risk of identity theft as long as the receipt otherwise complies with FACTA. The first six digits on some receipts and the expiration date on others therefore did not materially increase the plaintiff's risk of identity theft, and the court dismissed the suit.
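As an added example (not code from the original article, nor from Fred's or any court filing), here is a Python check that applies the truncation rule literally: it masks a card number for printing and scans a receipt for exposure of more than the last five digits or of an expiration date. The card number, receipt layouts, and function names are constructed for the illustration. Note that it implements the statutory text, not the concrete-harm analysis the court applied: by this checker, a receipt laid out like the ones in Taylor v. Fred's fails.

```python
"""Receipt truncation check for the FACTA rule quoted above.

Added example, not code from the original article. It enforces the literal
statutory text (no more than the last 5 digits of the card number and no
expiration date on a customer receipt); it does not model the concrete-harm
analysis applied in Taylor v. Fred's. SAMPLE_PAN and SAMPLE_RECEIPTS are
constructed test data, not real accounts or real receipts.
"""
import re
from dataclasses import dataclass, field

MAX_VISIBLE_DIGITS = 5   # FACTA: at most the last five digits may be printed

_DIGIT_RUN = re.compile(r"\d+")
# MM/YY or MM/YYYY that is not part of a longer date such as 11/15/2019
_EXPIRY = re.compile(r"(?<![\d/])(0[1-9]|1[0-2])/(\d{2}|\d{4})(?![\d/])")


def mask_pan(pan: str, keep: int = 4) -> str:
    """Return the card number with all but the last `keep` digits replaced by X.

    keep=4 is the usual choice; anything above MAX_VISIBLE_DIGITS is rejected
    because it can never appear on a FACTA-compliant receipt.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must be 13 to 19 digits")
    if not 0 <= keep <= MAX_VISIBLE_DIGITS:
        raise ValueError(f"at most the last {MAX_VISIBLE_DIGITS} digits may be shown")
    return "X" * (len(digits) - keep) + digits[len(digits) - keep:]


@dataclass
class ReceiptFinding:
    pan_length: int
    exposed_positions: set = field(default_factory=set)  # 0-based indices into the PAN
    expiry_printed: bool = False

    @property
    def compliant(self) -> bool:
        allowed = set(range(self.pan_length - MAX_VISIBLE_DIGITS, self.pan_length))
        return self.exposed_positions <= allowed and not self.expiry_printed


def check_receipt(receipt: str, pan: str, min_run: int = 4) -> ReceiptFinding:
    """Report which digits of `pan` appear on `receipt` and whether an expiry is printed.

    Card numbers are often printed in groups ("4532 01XX XXXX 0366"), so single
    spaces and dashes between digits are removed first. Digit runs shorter than
    `min_run` (dates, totals, store numbers) are ignored as too ambiguous to
    attribute to the card. A run that matches the PAN in several places is
    counted at every match, which errs on the side of flagging exposure.
    """
    digits = re.sub(r"\D", "", pan)
    collapsed = re.sub(r"(?<=\d)[ -](?=\d)", "", receipt)
    finding = ReceiptFinding(pan_length=len(digits))
    for run in _DIGIT_RUN.findall(collapsed):
        if len(run) < min_run:
            continue
        start = digits.find(run)
        while start != -1:
            finding.exposed_positions.update(range(start, start + len(run)))
            start = digits.find(run, start + 1)
    finding.expiry_printed = _EXPIRY.search(receipt) is not None
    return finding


# Constructed test data: a made-up 16-digit number and three receipt layouts.
SAMPLE_PAN = "4532 0151 1283 0366"
SAMPLE_RECEIPTS = {
    # last four only, no expiry: the layout most merchants print today
    "last_four": "FRED'S #123  11/15/2019\nVISA XXXXXXXXXXXX0366\nTOTAL 27.40\nAPPROVED",
    # first six (issuer prefix) plus last four, and the expiry: the Taylor v. Fred's pattern
    "first_six_and_expiry": "VISA 4532 01XX XXXX 0366 EXP 03/21\nTOTAL 27.40",
    # exactly the last five digits, which the statute still permits
    "last_five": "VISA XXXXXXXXXXX30366\nTOTAL 27.40",
}


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))
    for name, text in SAMPLE_RECEIPTS.items():
        f = check_receipt(text, SAMPLE_PAN)
        print(f"{name}: compliant={f.compliant} "
              f"exposed={sorted(f.exposed_positions)} expiry={f.expiry_printed}")
```

The checker needs the full card number because it attributes printed digits to positions in the PAN; in practice you would run it inside the payment application or against test transactions, never against stored PANs from production. The `min_run` threshold trades false positives for sensitivity: a four-digit amount such as "1283" that happens to match part of the card would be flagged, which is the conservative direction for a compliance check.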
FACTA in Tennessee
Many states have their own data privacy laws, and some provide more protection than others. Massachusetts, for example, has passed more data security legislation than Tennessee, which has stayed closer to the federal requirements alone.
It is also worth noting that Tennessee has taken a proactive, government-sponsored, community-driven approach to document destruction. In November 2019, the state's Division of Consumer Affairs organized a free document-shredding event in Nashville, where consumers could quickly and securely dispose of sensitive paper documents such as old bank statements, tax records, and medical records. It is one example of how consumers and businesses can dispose of confidential information with the state's backing.
Additional Disposal Laws
HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted in 1996, it is best known for protecting patient confidentiality. For document disposal, it applies to covered entities, which include health plans, healthcare clearinghouses, and healthcare providers. The law requires covered entities to safeguard discarded patient information, which in practice means shredding it or otherwise rendering it unreadable, and to ensure that workforce members receive training on the entity's disposal policies and procedures.
GLBA stands for the Gramm-Leach-Bliley Act. Enacted in 1999, it requires banks and other financial institutions to protect the privacy of consumer data. Institutions must tell customers how they share their sensitive data, inform customers of their right to opt out if they do not want their personal data shared with third parties, and apply specific protections to customers' private data under a written information security plan created by the institution.
How to be Compliant
To ensure compliance with FACTA and other shredding laws, you can take the following actions:
- Make sure document disposal is covered in your organization’s employee handbook.
- Implement document disposal training and insist that attendance is mandatory, particularly for employees who work with confidential information, or supervise employees who do.
- Create periodic checks to make sure you’re following compliance rules. Designate staff who will monitor these efforts.
- Partner with a shredding service. An outside partner can help you ensure that your documents are destroyed efficiently and securely.
- Make sure your shredding service provides a certificate of destruction. The certificate records what was destroyed, when, and how, which demonstrates that proper procedures were followed, gives you evidence for an audit, and further reduces the risk of exposure.
Without established document destruction methods, your organization is at real risk of exposing consumers to identity theft and of legal penalties for non-compliance. Working with a third-party shredding service, and doing the due diligence the law expects of you when choosing one, will go a long way toward protecting your business and your customers' information in ways that are safe, secure, and in step with the law.