A History of Document Destruction Laws

by David Powelson

Early Protections of Privacy:

The concept of protecting the privacy or ordinary citizens did not gain prominence in the United States until the beginning of the information age. Americans, it seems, basically distrust business and government over the potential misuse of personal information. Leadership in privacy issues came from the U.S. Congress in the form of the following acts:

Social Security Act of 1934
Makes it illegal to disclose an individual's social security number and personally identifiable information which is obtained by means of a social security number

Privacy Act of 1974
In establishing this act Congress found:

“The privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information.” The increasing use of computers and sophisticated information technology has greatly magnified the potential for harm to the individual
The opportunities for an individual to secure employment, insurance, and credit are endangered by the misuse of certain information systems.
The right to privacy is a personal and fundamental right protected by the Constitution of the United States
Protections were extended to any records containing individually identifiable information including but not limited to:
- Education
- Financial Transactions
- Medical History
- Criminal History
- Employment History
- Photographs
- Fingerprints
- Voiceprints

Right to Financial Privacy Act of 1978 . - This act, under the auspices of the FDIC, targeted industrial loan companies, trust companies, saving associations, building and loan companies, credit unions and consumer finance institutions. It's focus – financial transactions. The significance is that it is focused within a single industry and this “industry-specific” model will be used again in the modern era.

A proliferation of states laws followed the lead presented by these acts and specific professions have developed a Code of Ethics in the fields of banking, medicine, legal and accounting. These Ethics restrict how information is used and they are based on the principles described by law. These laws provided penalties that included actual damages, punitive damages, and even jail time, but investigation and enforcement of these laws was lacking. This lack of enforcement led to a situation where privacy rights were given only casual attention by just about all stakeholders.

A Defining Case in 1988 – The Peril of Discarding Information as Trash

The United States Supreme Court in California v. Greenwood was presented a case that helped define Privacy Rights as it relates to material discarded as trash. Greenwood had thrown out information in his trash that incriminated him in a crime and the information was used to gain a conviction. Greenwood claimed that he was the victim of an unlawful search and that his privacy rights had been violated.

In it's ruling the Supreme Court stated that there could be no expectation of privacy in trash left accessible to the public. They further stated it is common knowledge that garbage is readily accessible to animals, children, scavengers, snoops, and other members of the public.

At least seven types of people are known to go through your trash:

Criminals
Investigators
Journalists
Scavengers
Competitors and their agents
Trash hauling companies
Law Enforcement

Bringing this up-to-date, people now also know that some trash is sorted by waste management companies for recyclables and that identity theft often results from “dumpster diving.” In fact, at a recent privacy convention held in New York City, it was noted that the cannon fodder for the class action suits of the future would come from confidential information found in the trash of well-heeled organizations. The legal exposure someone who claims that confidential materials were inadvertently discarded as trash is great – especially in the absence of an established document destruction program.

The Modern Era of Privacy Protection Legislation

Privacy protection is experiencing a rebirth in legislative activity. The runaway crime of “identity theft” is largely responsible in causing a groundswell of interest in the electorate and hence in our state and federal politicians. “Identity theft” also has a connection to national security issues and controlling it may literally become “a matter of life and death.” Here are a few of the major initiatives.

Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Covers health plans, health care clearing houses, health care providers. It established national standards for the protection of health information and a timetable for implementation. Enforcement includes civil and criminal penalties. The Department of Health and Human Services is responsible for enforcement.

Economic Espionage Act of 1996.
This act helps companies recover damages from loss of trade secrets as a result of industrial espionage from interstate or foreign competitors. . The Attorney General or organization can initiate action. One requirement of the act is that trade secrets must be the subject of adequate safeguards. This implies that trade secret information cannot be thrown in the trash for a prosecution to be effective.

Gramm-Leach-Bliley Act of 1999.
Rules concerning financial information and privacy notices. Under the GLB Safeguards rule there are requirements for adequate administrative, technical, and physical safeguarding of personal information. The FTC is responsible for enforcement.

Fair Credit Reporting Act of 2001.
Promotes accuracy in consumer reports and is meant to ensure the privacy of the information in them.

Sarbanes-Oxley Act of 2002.
The law raises the stakes for disposing of records to avoid prosecution and therefore more pressure on data privacy and on having formal rules for what information must be securely retained and what information can be destroyed. The law also raises the bar for oversight and the need to publicly report known problems.

Fair and Accurate Credit Transactions Act of 2003 (FACTA) .
This act expanded several FCRA provisions and provides protection for victims of identity theft and includes one free credit report per year. The FTC is responsible for enforcement. The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
reviewing an independent audit of a disposal company's operations and/or its compliance with the Rule;
obtaining information about the disposal company from several references;
requiring that the disposal company be certified by a recognized trade association;
reviewing and evaluating the disposal company's information security policies or procedures.

Just about every state has/is also passing laws to protect privacy and even at the federal level additional new laws are being considered such as the “Comprehensive Identity Theft Protection Act” sponsored by Schumer and Nelson in the U.S. Senate. Some states like California and Georgia are being particularly aggressive and new laws even require “self-reporting” of any security incident.

The message should be crystal clear that private and confidential information should no longer disposed of be in the trash. It must be destroyed using a reliable process as fast as the law allows.

A New Era in Enforcement

If the past is a guide to the future, we could expect a non-aggressive investigatory and enforcement effort. Those that are betting on this as a reason to postpone action will be mistaken at their peril. Enforcement is a certainty.

Civil Penalties under FACTA may be $1,000 per consumer impacted

Class action lawsuits are being encouraged Federal Enforcement may bring actions with penalties up to $2,500 per violation States may recover up to $1,000 per violation

The FTC is clearly serious about enforcement in protecting consumers' privacy: In November 2004 the FTC filed its first charges under the GLB Safe Guards Rule: The FTC charged Nationwide Mortgage and its president John D. Eubanks for violating GLB Safeguards rule by not having reasonable protections at a mortgage broker located in Virginia. The broker failed in protecting customer names, SS#'s, credit histories, bank account numbers, income tax returns and other sensitive financial information.

In another action Sunbelt Lending Services was also charged. This action was a part of an organized effort to target mortgage companies and auto dealers.

In another separate action, In June 2005 BJ's Wholesale Club agreed to settle charges based on its failure to take appropriate security measures to protect the information of thousands of customers. Among the practices cited, BJ's “created unnecessary risks by storing information up to 30 days, in violation of bank security laws, even when it no longer needed the information. In addition to being under FTC supervision for 20 years and subject to third party verification of its procedures, BJ's expects to pay $16,000,000 in claims for reimbursement due to fraudulent credit card purchases.

The Department of Health and Human Services has civil and criminal penalties to aid in enforcement. They state that enforcement is currently “complaint based.”