Laws Effecting Destruction
“DISPOSAL OF PERSONAL IDENTIFYING INFORMATION.–A person that owns or maintains records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, “proper disposal” means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.”
It denies legal protection if an organization does not take reasonable steps to protect its proprietary information.
Formally called Privacy of Consumer Financial Information, it modifies the Securities Exchange Act of 1934. It became effective in 2000 and is enforced by the Securities and Exchange Commission. It was created to codify the Financial Services Modernization Act.
It applies to investment firms, stock brokers, and stock exchanges. It was modified to include a disposal rule in 2003 and requires written policies and procedures specifically for information disposal. FACTA was used as the basis for including destruction provisions.
The Safeguards Rule within GLB requires policies and procedures for protecting personal financial information. It applies to the protection of electronic and paper information. It requires covered entities to have written information destruction policies and procedures.
The act provides guidelines for corporations in reporting their financial reports to give investors an accurate view of the corporation. It holds corporate executives accountable and provides strict civil and criminal punishment for fraud.
With regard to information management, it provides timetables for the destruction of paperwork used in audits of corporations, and also gives timetables for retention of records. It will require corporations to develop a comprehensive information management policy to support their financial reports.
It applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
It has a Final Disposal Rule, which was the first national information destruction requirement. The Final Disposal Rule requires consumer report information to be destroyed by incineration, shredding, or erasure as prescribed destruction methods. Materials must be “practicably” unreadable and unreconstructable.
It also has a Red Flags Rule that applies to companies that receive and collect information to verify credit. It requires the protection of discarded information that could foreseeably result in identity theft. It defines a consumer account as any account “for which the organization holds information for which there is foreseeable risk of identity theft”. It requires an Identity Theft Prevention Program for the purposes of prevention, mitigation, and detection.
It was modified by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH toughens HIPAA law and passes down compliance requirements to Business Associates. HIPAA/HITECH only preempts state laws that are less restrictive.