Privacy Laws Affecting Destruction


New Mexico Data Breach Notification Act

Enacted in 2017 and enforced by the State's Attorney General. It specifically requires the destruction of personal identifying information.

“DISPOSAL OF PERSONAL IDENTIFYING INFORMATION.–A person that owns or maintains records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.”

Economic Espionage Act (EEA)

The Economic Espionage Act was enacted in 1996 and is enforced by the Department of Justice. It was created to protect the economic interests of the United States. It denies legal protection if an organization does not take reasonable steps to protect its proprietary information.

Regulation S-P

Formally called Privacy of Consumer Financial Information, it modifies the Securities Exchange Act of 1934. It became effective in 2000 and is enforced by the Securities and Exchange Commission. It was created to codify the Financial Services Modernization Act.

It applies to investment firms, stock brokers, and stock exchanges. It was modified to include a disposal rule in 2003 and requires written policies and procedures specifically for information disposal. FACTA was used as the basis for including destruction provisions.

Gramm-Leach-Bliley Act (GLB)

Officially called the Financial Services Modernization Act. It was enacted in 1999 and covers credit unions, insurance companies, mortgage brokers, and state-chartered banks. The US departments and agencies responsible for enforcing it are the US Department of the Treasury, the Comptroller of the Currency, and the Federal Trade Commission.

The Safeguards Rule within GLB requires policies and procedures for protecting personal financial information. It applies to the protection of electronic and paper information. It requires covered entities to have written information destruction policies and procedures.

Sarbanes-Oxley Act (SOX)

Enacted in 2002 in response to financial scandals such as Enron and WorldCom. The law establishes new, stricter standards for all US publicly traded companies. It does not apply to privately held companies. It is administered by the Securities and Exchange Commission (SEC).

The act provides guidelines for corporations in preparing their financial reports so that investors get an accurate view of the corporation. It holds corporate executives accountable and provides strict civil and criminal penalties for fraud.

With regard to information management, it provides timetables for the destruction of paperwork used in corporate audits, as well as timetables for the retention of records. It requires corporations to develop a comprehensive information management policy to support their financial reports.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

It applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Family Educational Rights and Privacy Act (FERPA)

Also referred to as the Buckley Amendment. It was enacted in 1974. It protects the privacy of student education records and applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

Fair and Accurate Credit Transaction Act (FACTA)

It was enacted in 2003 to amend the Fair Credit Reporting Act (FCRA). The FTC oversees and enforces FACTA.

It has a Final Disposal Rule, which was the first national information destruction requirement. The Final Disposal Rule prescribes incineration, shredding, or erasure as the destruction methods for consumer report information. Materials must be "practicably" unreadable and unreconstructable.

It also has a Red Flags Rule that applies to companies that receive and collect information to verify credit. It requires the protection of discarded information that could foreseeably result in identity theft. It defines a consumer account as any account "for which the organization holds information for which there is foreseeable risk of identity theft". It requires an Identity Theft Prevention Program for the purposes of prevention, mitigation, and detection.

Health Insurance Portability and Accountability Act (HIPAA)

Enacted in 1996. Health and Human Services (HHS) is responsible for rulemaking. It is enforced by the Office for Civil Rights within HHS and by each state's Attorney General. It provides data privacy and security provisions for safeguarding medical information.

It was modified by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH toughens HIPAA and passes compliance requirements down to Business Associates. HIPAA/HITECH only preempts state laws that are less restrictive.

There are multiple privacy laws that affect information protection and the requirement for proper destruction before disposal.