Regulatory and legal compliance is an aspect of information security that is increasingly important, but still often overlooked, particularly by smaller organizations.
Most business decision-makers are aware of the negative consequences of information security breaches – from lost money to lost clients, damaged reputation and costly court cases. However, what some business leaders still do not realize is that organizations may have to deal with the law not only after a breach has already occurred. It is also their legal responsibility to eliminate the very conditions that may lead to a potential breach, and to put plans in place to respond to any breach should one occur. In the United States and internationally, governments and regulators are now demanding that organizations, large and small, take responsibility for the security of the sensitive data in their custody. Read further to find out what US laws require, and what steps your company should take to keep itself compliant.
It is no secret that, for organizational growth and survival in today's economic environment, all modern organizations depend on abundant, quality information. After all, we live in what is known as the "information age." Collecting massive data from clients, partners, employees and other stakeholders is the reality of organizational life. We process payrolls, analyze cash flow, keep track of suppliers, research client profiles, data-mine for trends and collect competitive intelligence. These are just some of the tasks most organizations perform to succeed in today's business. However, the same pools of data can also be accessed by individuals with very different goals.
"Unfortunately, individuals not bound by ethical constraints are capable of using easily-available information for illegitimate purposes," says Vincent R. De Palma, President and CEO at Shred-it. "Information theft, including identity theft, is a substantial and growing business these days. Criminals operating in the United States and abroad extract handsome profits by exploiting organizations' security vulnerabilities."
Armed with a few key pieces of information, such as a name, birth date, social insurance number and address, identity thieves can reconstruct and steal the information of your clients, employees, owners, partners and even your company. They may then use this information for potential criminal gain through false loan applications, credit card fraud, bank account "skimming," false medical insurance claims and more.
It is for this reason that information security laws and regulations have been put in place in the United States and abroad for organizations both large and small.
US lawmakers have established a legal and regulatory framework to try to ensure that organizations protect sensitive information from misuse.
In our country, the Personal Information Protection and Electronic Documents Act (PIPEDA) protects personal information in the hands of private sector organizations and provides guidelines for the collection, use and disclosure of that information in the course of commercial activity.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed in February of 2009 as part of the federal economic stimulus package. The Act creates a federal requirement for the protection of personal health information and provides incentives to physicians for putting into "meaningful use" an Electronic Health Record system.
The Fair and Accurate Credit Transactions Act (FACTA) was signed into law on December 4, 2003. Under the FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal.
In addition, the Gramm-Leach-Bliley (GLB) Act of 1999 "Safeguards Rule" was designed to compel financial institutions to protect and secure customers' personal information. The rule requires that disposal practices be "reasonable and appropriate," such as shredding papers containing consumer report information, so that the information cannot be read or reconstructed.
Finally, beginning June 1 of this year, the Federal Trade Commission (FTC) will implement the "Red Flags Rule." The term "Red Flag" refers to a pattern, practice or specific activity that indicates the possible existence of identity theft. The Rule requires US financial institutions and creditors with covered accounts to have a standardized program that detects, prevents and mitigates identity theft. Organizations covered by the Rule must have policies in place to comply with the new standards to avoid costly fines and regulatory enforcement actions. The fines for non-compliance range from $3,500-$11,000 per occurrence, which could lead to fines in the millions of dollars and jail time. To see if your company is expected to comply, visit http://www.ftc.gov/redflagsrule.
As you can see, US laws and regulations clearly state that businesses must destroy, erase or make anonymous personal data that is no longer needed. However, many organizations are still caught off guard by the news that not only should they be adopting best practices to ensure the safety of confidential information in their custody, but they are required by law to do so.
According to Shred-it client research, only 57 percent of US companies use document destruction services as a direct result of government regulation. Of those companies, only 71 percent of organizations have official guidelines for document destruction.
"Part of our job as an information security company is to consult with organizations on what best practices and security strategies they should be implementing to become compliant," says Mr. De Palma. "Typically, there are several key strategy components we recommend to each client. One of them is that they should always opt for document destruction methods that meet or exceed all national compliance standards. Another recommendation is to have an organization-wide policy in place that stipulates how company employees should dispose of their paper waste."
It is important to remember that, when it comes to information security, legal compliance is only a minimum necessary requirement, and an organization's efforts to protect itself, its clients, employees and other stakeholders shouldn't stop there. The ultimate goal is to create a culture of total security, with zero tolerance not only for security breaches but also for the existence of the very conditions that make them possible.
Ensure full compliance with national privacy and identity theft legislation.
List all information security risks specific to your organization, targeting both paper-based and electronic information sources, and consider every stage of the information cycle, from data generation and storage to the transfer of data from location to location and the document destruction process.
Train your employees in best practices in secure document management and destruction.
Outsource document destruction to high-quality professional providers who ensure the total security of the document disposal process.
Look for a professional provider that offers: