Information Destruction and Regulatory Compliance
Amid a complex regulatory landscape, keeping your business compliant can be a challenge. In this post, we highlight several state and federal laws that may affect how your business must protect and dispose of records containing personal information:
California Civil Code 1798.81
California Civil Code section 1798.81 requires businesses to take all reasonable steps to dispose, or arrange for the disposal, of customer records containing personal information when those records are no longer to be retained, by shredding, erasing, or otherwise modifying the personal information so that it is unreadable or undecipherable. A companion section, 1798.82, requires any person or business that conducts business in California to notify affected California residents if it suffers a security breach involving their unencrypted “personal information.”
The California Consumer Privacy Act (CCPA)
The CCPA requires companies to be transparent about how they collect and use consumer data. Under the law, California residents have the right to request that a covered California business:
- Disclose the specifics of personal information they collect
- Disclose the business or commercial purpose for collecting or selling personal information
- Disclose the sources from which personal information is collected
- Not sell their personal information
- Delete personal information it has collected from them (subject to the law’s exceptions)
Companies that do not comply with the law can face civil penalties of up to $2,500 for each violation or up to $7,500 for each intentional violation.
The Fair and Accurate Credit Transaction Act (FACTA)
FACTA, through the FTC’s Disposal Rule, requires any person or business that maintains or possesses consumer report information for a business purpose to take reasonable measures to protect against “unauthorized access to or use of the information in connection with its disposal.” This reaches beyond lenders and credit card companies: employers that obtain background or credit reports on employees and applicants are covered too, and a business whose action or inaction results in the improper disposal of that information can face federal and state enforcement actions.
The Gramm-Leach-Bliley Act (GLBA)
GLBA regulates how financial institutions collect and disclose consumers’ nonpublic personal information. Under the law’s Safeguards Rule, financial institutions must develop, implement, and maintain a written information security program for protecting their clients’ personal information. The program must include:
- Designating at least one qualified employee to oversee the program
- Identifying and assessing the risks to customer information in each relevant area of the business
- Designing, implementing, testing, and monitoring the safeguards that address those risks
- Adjusting the safeguards as the business, its systems, or the threats it faces change
Organizations that do not comply with the Safeguards Rule may face civil penalties of up to $100,000 per violation, and responsible officers and directors may be held personally liable.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a federal law that applies to health care providers, health plans, and health care clearinghouses (covered entities), as well as to business associates that handle or transmit protected health information (PHI) on their behalf. Compliance is monitored and enforced by the Department of Health and Human Services’ Office for Civil Rights (OCR). The law’s Privacy Rule requires covered entities to maintain appropriate administrative, technical, and physical safeguards for PHI, including paper records, and the Security Rule spells out those safeguards in detail for electronic PHI. Non-compliance with either rule can result in substantial civil monetary penalties.
Partnering with a qualified and trusted shredding and destruction company helps your business meet the disposal requirements in these state and federal regulations and document that records were destroyed.
For more information about our shredding and destruction services, please call us at 800-685-9034 or complete the form on this page.