Are you meeting all of the legal requirements for safe, certified disposal of your sensitive records and documents? Do you know which laws affect your business?
Is the sensitive information that your business or office handles protected?
Laws that, in combination, affect virtually every entity that holds records or information of clients, patients, customers or residents of Massachusetts:
Massachusetts General Laws Chapter 93H and 93I
Who it affects: Those who hold social security numbers, financial information, driver’s license information, or any information that could lead to the identity theft of any Massachusetts resident.
93H requires all businesses in Massachusetts to take serious measures to prevent identity theft. Any business holding the name of a Massachusetts resident and their Social Security Number, Driver’s License Number, or financial account number (including credit or debit card numbers) is subject to this new Massachusetts data protection law.
What are you required to do?
- Have controls on employees’ access to sensitive information, including physical security safeguards, computer user access levels and user authentication protocols.
- Detail security measures on computer information systems, including data encryption, anti-virus and anti-spyware software, and firewalls.
- Periodically review audit trails and monitor systems for unauthorized access.
- Properly dispose of sensitive information (shredding, pulverizing).
93I requires a written policy regarding the disposal of sensitive information. Safeguard Records Management’s own Written Information Security Policy (WISP), included in the compliance packet, serves as an example of such a written policy.
What are the penalties for non-compliance?
- A violation of 93H levies fines of up to $5000 per record compromised.
- A violation of 93I levies fines of up to $100 per record compromised with a maximum of $50,000.
- This does not take into consideration the loss of your company’s hard-earned reputation and the potential loss of credit.
Your Partner in 93H & 93I compliance
Safeguard Records Management can partner with your firm, business, or office to help ensure your compliance with Massachusetts General Laws 93H & 93I by providing secure, documented and certified shredding of sensitive Massachusetts resident information, as well as by aiding in the formulation of your own Written Information Security Policy. Contacting Safeguard brings you one step closer to compliance with 93H & 93I.
Federal FACTA Disposal Rule
Who it affects: Any person who maintains or possesses any consumer information for a business purpose.
FACTA, the Fair and Accurate Credit Transactions Act, is a newer law that was implemented in order to protect consumers against fraud and identity theft. To that end, the FACTA Disposal Rule requires the proper disposal of consumer information.
According to the FTC, the FACTA Disposal Rule applies to “any person who maintains or otherwise possesses consumer information for a business purpose”. If your entity maintains or possesses consumer information, then you MUST properly destroy the consumer information when the time comes to discard it.
The FTC further defines proper disposal as “taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal”.
One of the reasonable measures of proper disposal, as defined by the FTC, is “entering into a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule”.
In contrast, a reasonable measure does NOT include placing the information in a dumpster or trash receptacle.
What are the penalties for non-compliance?
Both the states and the federal government enforce the FACTA Disposal Rule and can bring separate sanctions upon those who are not compliant with FACTA. A class action lawsuit may also be brought against the non-compliant party if a large enough number of consumers are affected.
The federal government can fine up to $2,500 per record compromised and the state can recover up to $1,000 for each instance of FACTA non-compliance. If multiple consumer records are involved in the data breach, the fines can add up very quickly! So how do you ensure that you will not incur these hefty fines? Read below…
Your partner in FACTA compliance
By partnering with Safeguard Records Management, you comply with the FACTA Disposal Rule by taking reasonable measures (i.e. using Safeguard to securely shred the consumer information held by your entity) to properly destroy consumer information.
Who it affects: Any entity that holds Protected Health Information.
Gramm-Leach-Bliley Act (GLBA)
Who it affects: Any business who provides financial services or who is in the financial services industry.