A History of Document Destruction Laws
Early Protections of Privacy:
The concept of protecting the privacy or ordinary citizens did not gain prominence in the United States until the beginning of the information age. The problem came from the rise of identity theft. Leadership in privacy issues came from the U.S. Congress in the form of the following acts:
Social Security Act of 1934
Makes it illegal to disclose an individual's social security number and personally identifiable information which is obtained by means of a social security number
Privacy Act of 1974
In establishing this act Congress found:
A proliferation of states laws followed the lead presented by these acts and specific professions have developed a Code of Ethics in the fields of banking, medicine, legal and accounting. These Ethics restrict how information is used and they are based on the principles described by law. These laws provided penalties that included actual damages, punitive damages, and even jail time, but investigation and enforcement of these laws was lacking. This lack of enforcement led to a situation where privacy rights were given only casual attention by just about all stakeholders.
A Defining Case in 1988 – The Peril of Discarding Information as Trash
The United States Supreme Court in California v. Greenwood was presented a case that helped define Privacy Rights as it relates to material discarded as trash. Greenwood had thrown out information in his trash that incriminated him in a crime and the information was used to gain a conviction. Greenwood claimed that he was the victim of an unlawful search and that his privacy rights had been violated.
In it's ruling the Supreme Court stated that there could be no expectation of privacy in trash left accessible to the public. They further stated it is common knowledge that garbage is readily accessible to animals, children, scavengers, snoops, and other members of the public.
At least seven types of people are known to go through your trash:
Bringing this up-to-date, people now also know that some trash is sorted by waste management companies for recyclables and that identity theft often results from “dumpster diving.” In fact, at a recent privacy convention held in New York City, it was noted that the cannon fodder for the class action suits of the future would come from confidential information found in the trash of well-heeled organizations. The legal exposure someone who claims that confidential materials were inadvertently discarded as trash is great – especially in the absence of an established document destruction program.
The Modern Era of Privacy Protection Legislation
Privacy protection is experiencing a rebirth in legislative activity. The runaway crime of “identity theft” is largely responsible in causing a groundswell of interest in the electorate and hence in our state and federal politicians. “Identity theft” also has a connection to national security issues and controlling it may literally become “a matter of life and death.” Here are a few of the major initiatives.Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Covers health plans, health care clearing houses, health care providers. It established national standards for the protection of health information and a timetable for implementation. Enforcement includes civil and criminal penalties. The Department of Health and Human Services is responsible for enforcement.
Economic Espionage Act of 1996
Gramm-Leach-Bliley Act of 1999
Fair Credit Reporting Act of 2001
Sarbanes-Oxley Act of 2002
Fair and Accurate Credit Transactions Act of 2003 (FACTA)
Just about every state has/is also passing laws to protect privacy and even at the federal level additional new laws are being considered such as the “Comprehensive Identity Theft Protection Act” sponsored by Schumer and Nelson in the U.S. Senate. Some states like California and Georgia are being particularly aggressive and new laws even require “self-reporting” of any security incident.
The message should be crystal clear that private and confidential information should no longer disposed of be in the trash. It must be destroyed using a reliable process as fast as the law allows.
A New Era in Enforcement
If the past is a guide to the future, we could expect a non-aggressive investigatory and enforcement effort. Those that are betting on this as a reason to postpone action will be mistaken at their peril. Enforcement is a certainty.
Civil Penalties under FACTA may be $1,000 per consumer impacted
Class action lawsuits are being encouraged Federal Enforcement may bring actions with penalties up to $2,500 per violation States may recover up to $1,000 per violation
The FTC is clearly serious about enforcement in protecting consumers' privacy: In November 2004 the FTC filed its first charges under the GLB Safe Guards Rule: The FTC charged Nationwide Mortgage and its president John D. Eubanks for violating GLB Safeguards rule by not having reasonable protections at a mortgage broker located in Virginia. The broker failed in protecting customer names, SS#'s, credit histories, bank account numbers, income tax returns and other sensitive financial information.
In another action Sunbelt Lending Services was also charged. This action was a part of an organized effort to target mortgage companies and auto dealers.
In another separate action, In June 2005 BJ's Wholesale Club agreed to settle charges based on its failure to take appropriate security measures to protect the information of thousands of customers. Among the practices cited, BJ's “created unnecessary risks by storing information up to 30 days, in violation of bank security laws, even when it no longer needed the information. In addition to being under FTC supervision for 20 years and subject to third party verification of its procedures, BJ's expects to pay $16,000,000 in claims for reimbursement due to fraudulent credit card purchases.
The Department of Health and Human Services has civil and criminal penalties to aid in enforcement. They state that enforcement is currently “complaint based.”