While doing some research on Lifeline, a Scripps Howard News reporter discovered a massive hole in the program's record security. Lifeline is a federally funded program that provides discounted telephone service to low income people. A simple Google search turned up a database of 170,000 applicants across 26 states.
The records included not only names and addresses but also Social Security numbers and financial information. They were not protected by any password and were available to any internet user for download.
The reporter notified the companies of the problem so the threat of identity theft could be eliminated. You might think the companies would thank him. Instead they responded with a letter from a lawyer threatening a lawsuit, and they called the reporters "Scripps hackers." The good news is that they did correct the problem.
The Indiana Attorney General is investigating the data breach. If the company is found to have violated FACTA protections it could be fined $1.5 million.
It is foolish to fight with a reporter over your own error; reporters have a very big microphone to tell everyone what is happening. I hope this doesn't end up like the case of Andrew Auernheimer, who was sentenced to 41 months in prison after exposing a data breach at AT&T.
Commercial document shredding is a wise investment for every business, whether dropping off a few sensitive documents to an authorized collections center or scheduling regular pickups over time.
Why not simply purchase a paper shredder for office use? Because an office shredder alone may not be enough to guarantee that sensitive information stays secure until it is rendered completely undecipherable, as required by laws such as FACTA, HIPAA and GLBA. Is it really a good use of time and money to pay an employee to stand at the shredder and monitor the destruction of every single document? Employees, unlike machines, grow tired and distracted. Out of frustration, or without understanding the importance of the task, an employee may simply discard sensitive information in the trash.
Why risk it when professional shredding trucks can shred thousands of documents in an hour? Commercial document shredding services offer quick, painless processing and a higher level of security, complete with a Certificate of Destruction confirming that your confidential information was properly destroyed prior to recycling.
For Small Businesses with Low Volume
As the Internet has grown bigger, “small business” has gotten smaller. According to research firm IDC, the number of United States home-based businesses will stand at more than 20 million by 2013. Just imagine all the documents 20 million home businesses will generate, not to mention millions of commercial small businesses.
Regardless of size, the value of secure document shredding remains the same. If your business produces low volume, a commercial shredding service like Shred Nations will direct you to an authorized collection center, where you can drop off your documents for shredding and remain in compliance with state and federal laws.
For slightly higher volume businesses, Shred Nations will provide locking storage bins for total security of your documents prior to shredding. At a designated time, the bins are collected and transported to a warehouse where shredding takes place as you monitor the process on closed circuit TV.
For high or ongoing volume, Shred Nations will send a specially equipped truck to shred your documents on-site while you monitor the process.
In each scenario, you will receive a Certificate of Destruction detailing date and time of your document destruction.
Don’t play games with document security. Get secure document shredding for your business.
Would you be shocked to come upon a strange person rifling through the dumpster at your place of business?
So-called "dumpster diving" is generally not a crime, and identity thieves are only too willing to dodge banana peels and baby diapers to find the good stuff: credit card numbers, Social Security numbers, confidential business communications and other items they can use for personal gain.
The real crime here is a company's neglect to shred important documents. Trash is cash to identity thieves. Hundreds of hours and dollars go into resolving each case of identity theft, an issue serious enough that federal and state laws have been enacted for our protection. Destroying documents, by shredding or otherwise, is the only way to render them unreadable and prevent the theft of vital information, both personal and professional.
Your Corporate Responsibility to Shred Documents
Although the words vary by state, each company’s responsibility to shred documents is as follows:
The company must take reasonable steps to destroy, or arrange for the destruction of, no-longer-needed customer records by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records so as to render the documents unreadable or undecipherable through any means.
Additionally, these laws may apply to your organization:
Gramm-Leach-Bliley Act
This act protects consumers’ financial information and applies to financial institutions, realtors, mortgage and escrow companies, banks, securities firms, accountants and more.
There has been a change in the organizations with authority to enforce the Fair and Accurate Credit Transactions Act (FACTA). The change was made as part of implementing the Dodd-Frank Wall Street Reform act of 2010.
The SEC and the Commodity Futures Trading Commission (CFTC) are now responsible for enforcing FACTA for the securities firms and exchanges already under their supervision. This includes brokerages and financial advisers.
The Federal Trade Commission (FTC) will continue to enforce FACTA for firms outside SEC and CFTC jurisdiction. This includes any business that extends credit to customers or uses information derived from a credit report.
People who go to a gym may have heard about shredding workouts. The goal is to cut weight and improve muscle tone. I can’t speak to its effectiveness but I do know about another kind of shredding that every gym needs to do.
Many gyms like to sign members up to long contracts, which involves a credit application. As with all credit applications, a large amount of personal information is collected. Many people never consider how that information is handled. People who went to Cruz Fitness in Lincolnton, North Carolina now have to wonder about the security of their information.
The company went out of business and left boxes of personal information in the dumpster. They were discovered by someone looking for used gym equipment. He called the local news about his find, and they came out and investigated the dumpster. The police arrived and took possession of the documents.
FACTA requires the proper destruction (shredding, burning or pulverizing) of all documents that contain information derived from a credit report. That would include any documents a gym uses to extend credit to its patrons. The problem is who is responsible when a company goes out of business. Many times the landlord just tosses everything into the dumpster. One solution is for the bankruptcy court to make sure a shredding service is brought in to eliminate the risk to past customers and employees. An alternative is to hold owners and managers personally liable for exposed personal information.
Banks, other financial institutions and hospitals in particular hold large amounts of confidential information. As such, disposing of confidential documents properly remains a top priority for most companies, as theft of intellectual property and identity theft are more common than ever. When confidential information needs to be disposed of, the most secure method is to ensure the total destruction of the document.
Document shredding is a common business practice that is used to destroy paper documents with the use of a paper shredder. Here are eight top reasons why it is important to shred your documents:
It is required by law. Confidential waste such as medical records and salary information must be disposed of correctly under FACTA and HIPAA. This is a legal measure to ensure that people's data remains confidential.
It prevents the occurrence of identity theft. Identity theft is a fast-growing crime that occurs when personal information is stolen and used without your knowledge and consent to commit fraud and other crimes.
It ensures consumer trust. Customers need to be assured that their confidential information is safeguarded and treated with respect. Shredding documents is tangible proof that you are protecting this trust.
It ensures business data will remain confidential. Shredding corporate documents is important to ensure that confidential business information such as new product launches, weekly sales data and competitive reports are only used and consumed by the people rightfully involved.
It is helpful in avoiding corporate espionage. Companies invest billions of dollars on research to develop new products or services in their pipeline. As such, it is important that all documents are shredded immediately to ensure that competitors do not get hold of these.
It is a corporate social responsibility effort. Since most companies have now committed to going green, shredding documents makes recycling much easier as a recycling company can easily collect shredded paper.
Disposing stacks of paper is helpful in saving storage space. Stacks of papers that no longer need to be revisited should be shredded immediately so that space can be freed up.
Stacks of paper can create a fire hazard. Papers stacked around the office are perfect fuel to start and spread a fire. Shredding documents that are no longer needed reduces that risk.
The Fair and Accurate Credit Transactions Act of 2003 is one of the biggest laws requiring businesses to ensure the proper destruction of personal information. It covers consumer information derived from credit reports.
Many people talk about the law but it seems as if very few have actually read it. I want to use this post to give you the exact text of the FTC Disposal Rule so you won't be bamboozled by marketing materials that claim something is required that isn't. Here is exactly what the rule says:
§ 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
(b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with this rule.
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of paper containing consumer information so that the information cannot practicably be read or reconstructed.
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company’s operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.
(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (1) and (2) above.
So there is a strong component of setting up policies and procedures for the destruction of materials. Make sure every employee knows how to handle, store and shred confidential information, and repeat that training on a regular schedule, not just once.
Then there is the actual shredding. It can be done in house or by a shredding contractor. When using a contractor, the requirement is that they follow good security procedures, and the rule expects you to do due diligence on that. There are many ways to verify it, but the most straightforward is to visit the company. If they do mobile shredding, someone can watch the process. If you are working with an off-site service, visit the shredding plant and verify they have the security necessary for handling sensitive documents. Never hire anyone who won't show you their plant.
Filed under: FACTA — Tags: FACTA — admin @ 11:05 am
The Federal Trade Commission (FTC) has announced an agreement with PLS Financial Services, Inc., and The Payday Loan Store of Illinois, Inc., over Disposal Rule violations. As part of the agreement the companies have agreed to pay a fine of $101,500. In addition to the fine, the companies must undergo independent audits of their privacy practices for the next 20 years. The agreement was approved by a unanimous vote of the commission.
These companies run over 300 payday loan and check cashing stores through various operating entities. As part of their business they run credit checks on their clients, which means handling sensitive information including Social Security numbers. The FTC complaint said they "failed to take reasonable measures to protect consumer information." Specifically, they violated the FACTA Disposal Rule when the stores left personal information in the trash behind the stores.
The Fair and Accurate Credit Transactions Act (FACTA) of 2003 requires any company that handles credit reports, or information derived from them, to dispose of that information in a safe and secure manner. For paper that means burning, pulverizing or shredding. Since most companies prefer the less expensive option, they opt for shredding.
So by failing to give their stores a convenient shredding option, The Payday Loan Store of Illinois paid a fine of $101,500. The cost of not shredding far outweighed the cost of shredding. Every business would like to cut costs, but personal information is the toxic waste of the office. It is a by-product of daily work and requires great care when stored and disposed of. It also has a very long lifespan and doesn't lose its potential to harm. The good news is that, unlike toxic waste, it is cheap to dispose of and can be recycled.
A large number of locations brings a unique set of problems, but nothing insurmountable. By using a national shredding service you can have one vendor for every location. This gives you aggregated billing and, more importantly, aggregated record keeping. The company's compliance officer can tell which locations are following good document disposal practices and which are not based on their shredding volumes. It also makes shredding convenient for the stores, so they are more likely to stay in compliance with company guidelines.
If you work at a college or university then you are familiar with the Family Educational Rights and Privacy Act (FERPA). This is a law that protects the privacy of student records. It applies to any educational institution that receives funds from the Department of Education. The rights belong to the parents until the student turns 18 or enrolls in a postsecondary institution, at which point they transfer to the student.
The basic tenets of the law include:
Students can review their education records held by the school. The school is not required to provide copies unless circumstances effectively prevent the student from reviewing the records in person. If copies are made, the school may charge a fee.
There must be a process for students to request correction of inaccurate records, including a hearing process in the case of disputes.
Schools may not disclose information from a student's education records without written permission, except in specific cases set out in the law. This is a weaker protection than it sounds because "directory" information is excluded. The Department of Education defines that as items such as name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. Schools may release directory information without consent, but they must tell students what they treat as directory information and must honor a student's request that it not be disclosed.
Schools must notify students annually of their rights under FERPA. This can be done by almost any means, from bulletin board postings to special letters.
FERPA is enforced by the Department of Education. Failure to comply could result in the institution losing its funding from the department, a penalty that would significantly cripple most higher education institutions.
So where does document shredding fit into the picture? Putting un-shredded student records in the trash is a disclosure and therefore a violation of FERPA's disclosure rules. It may also be a violation of FACTA rules if the records contain any credit information.
To protect the information of their students and to comply with FERPA, every school should have a document destruction policy for student records. Paper records should be locked up, and the computer networks that hold the information should be secured. When documents are retired they should be destroyed to prevent unwanted disclosure. This can be done internally or with a shredding service. The key is to make it convenient for employees so they aren't tempted to hide records in the dumpster.
In 1974 Congress passed the Privacy Act. This is the grandfather of all the current privacy laws. It put into law that "the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information." It governs how federal agencies must collect, maintain, use and protect records about individuals. It also helped kick start the shredding industry, because information now had to be properly destroyed.
But Senator Daniel Akaka of Hawaii is wondering whether the Privacy Act itself needs an update. Advances in technology have made much of the act out of date. Digital records allow a whole different set of threats to individuals' privacy; just one example is the data breach that affects millions of people through a single mistake or a single hacker.
There is also a giant loophole in the Privacy Act for "routine use" disclosures, which can be made without the individual's consent. As agencies make more use of private databases, more information is being shared under this exception, often with less notice than even the fine print of a financial institution's privacy policy provides.
Senator Akaka has submitted an amendment to the cybersecurity legislation making its way through the Senate. It will be interesting to see if it gets any traction this year.