July 07, 2017

Do You Know Which Privacy Legislation Affects Your Business?

In North America, there is federal, state/provincial and local privacy legislation that businesses must comply with – or risk fines and other damages.

The average cost to companies for each lost or stolen confidential record is $148, according to the 2017 Ponemon Cost of Data Breach Study. The average size of each breach is now 24,000 records.

Here is a guide to some of the most important data privacy legislation in different industry sectors.

FINANCIAL SECTOR: Breachlevelindex.com showed that the number of breaches in the financial sector declined 22.5%, from 276 in 2015 to 214 in 2016. But the number of records lost or stolen increased from 1.1 million in 2015 to 13.3 million in 2016.

  • The Sarbanes-Oxley Act protects investors and the public by regulating corporate disclosures.
  • The Gramm-Leach-Bliley (GLB) Act protects the privacy of consumer information held by financial institutions and service providers.

MEDICAL SECTOR: Healthcare has been the hardest hit sector for several years. In 2016, it accounted for more than one quarter of all breaches.

  • The Health Insurance Portability and Accountability Act (HIPAA) provides privacy standards for protected health information, or PHI.
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act further protects the privacy of paper and electronic protected health information.

HOTEL/HOSPITALITY SECTOR: The number of breaches in the hospitality industry rose from just one breach in 2015 to 26 in 2016.

  • The General Data Protection Regulation (GDPR), coming into effect in 2018, strengthens data protection for individuals in the European Union. But it affects all companies, anywhere in the world, including hotels and the wider hospitality sector.

RETAIL SECTOR: Breachlevelindex.com showed 215 data breaches in the retail sector in 2016, down 10% from 239 the year before. But that still amounted to 32.5 million lost or stolen records.

  • The Fair and Accurate Credit Transactions Act (FACTA) regulates businesses that possess consumer information.
  • The Federal Trade Commission Act is a consumer protection law that applies to offline and online privacy and data security policies.
  • In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private sector organizations handle personal information used during commercial activities.

HR SECTOR: HR plays a huge role in safeguarding confidential information.

  • In Canada, the Privacy Act applies to employee information in federal government institutions. PIPEDA also has some application to employment.
  • HIPAA and FACTA govern the privacy of consumer information held by employers and others.

Every business is obliged to research and understand its obligations.

  • Understand your legal obligations.
  • Conduct comprehensive risk assessments.
  • Establish a security plan.
  • Establish a detailed document management process to protect printed and digital information from creation (collection, use/access, retention, storage, processing) to disposal/destruction.
  • Designate a Chief Information Security Officer (CISO) to oversee security.
  • Provide on-going employee education.
  • Embed secure work processes; for example, have a Clean Desk Policy.
  • Monitor partners’ document security protocols.
  • Implement a Shred-it All Policy.

Start Protecting Your Business

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.