What You Need to Know About Privacy Laws
With workplaces across North America experiencing an alarming – and ever-increasing – number of data breach incidents, complying with privacy laws to safeguard private information should now be an integral part of every business strategy.
And it is – to a degree.
The Shred-it 2013 Information Security Tracker shows that just one percent of large American businesses are unaware of legal requirements for storing or disposing of confidential data. 23% of small American businesses indicate they are either ‘not at all’ or ‘not very’ aware.
But 40% of small businesses have no protocols for information security, and only 16% of large businesses train employees on data security protocol – and then only twice a year. Also, 53% of small businesses and 22% of large businesses do not secure their confidential material before destroying it.
Confidential material includes names, addresses, birth dates, social security numbers, and other personally identifiable information. Identity theft criminals use this information for false loan applications and medical insurance claims, credit card fraud, bank account skimming, etc.
While many states, counties and municipalities have their own privacy laws and legislation, there are specific laws by industry segment too. Violations are punishable with fines ranging from $50,000 to millions of dollars and/or imprisonment.
The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) cover patient privacy and medical record security.
The Gramm-Leach-Bliley Act protects information collected by financial institutions.
The Sarbanes-Oxley Act sets accounting and privacy standards.
The Fair and Accurate Credit Transactions Act (FACTA) protects consumers from fraud and identity theft. There’s also a Red Flags Rule that requires a standardized program to detect, prevent and mitigate identity theft.
If and when a breach occurs, a company may have to deal with these laws. But it’s important to know that it’s also their legal responsibility to eliminate the conditions that may lead to a potential breach. For example, businesses must destroy personal data that is no longer needed. Shredding prior to disposal is an approved safeguard.
Here are regulatory compliance strategies:
Understand security legislation as it pertains to your industry, and implement best practices and security strategies that are compliant.
Create a culture of total security starting from the top down. Appoint a CISO (Chief Information Security Officer) as well as a data security committee.
Train employees in best practices for secure document management and destruction.
Schedule regular security audits to identify security gaps as part of document management.
Use document destruction methods that meet or exceed compliance standards. Partner with a reliable third-party shredding company with a secure process from start to finish. Cross-cut shredding is most effective, and the company should provide a Document of Destruction after every shred.
Learn more about the privacy legislation that affects your business to ensure you're aware and compliant.