Why & How Businesses Maintain Data Destruction Compliance

Considering all the other challenges your business has to deal with on a daily basis, being penalized for noncompliance with data destruction regulations is the absolute last thing you need. Nor do you want to spend time scrambling for data disposal records if you’re ever audited by a government agency or need to prove that a customer’s data was properly destroyed.

Your company might be subject to multiple data destruction regulations on the federal and state levels. The nice thing about complying with a variety of regulations is that it’s pretty simple because they all tend to say the same thing. Basically, any records you have that contain private data about people and other businesses have to be safeguarded at all times up until they’re destroyed, which must be done in a way that renders them completely unreadable. Shredding, burning and pulverizing are examples of methods that may be compliant with data destruction laws.

Federal and State Data Destruction Laws

There aren’t really any overarching federal regulations creating data destruction requirements that apply to every company in the U.S. But certain federal data disposal laws do apply to businesses that do certain kinds of work. These are just three data destruction laws enforced at the federal level that may affect your company:

  • The HIPAA Privacy Rule applies to entities that have access to health care records. To avoid HIPAA violations, covered entities are essentially required to safeguard protected health information (PHI) up until it’s destroyed. The Rule only says that paper records containing PHI must be destroyed in a way that renders them “unreadable,” and that these records may not be disposed of in ways that leave them accessible to the public. The HIPAA Security Rule also creates requirements for completely destroying electronic PHI data and/or the hardware on which it’s stored. 
  • The Fair and Accurate Credit Transactions Act (FACTA) applies to any business that uses consumer reports. Certain background checks and credit reports that companies might use when hiring are examples of consumer reports under FACTA. These reports must be safeguarded and destroyed in compliance with FACTA’s Disposal Rule.
  • The FTC’s Safeguards Rule applies to financial institutions. Under the FTC’s definition, this group includes mortgage brokers, tax preparation firms, financial advisors, collection agencies and other businesses that have access to “nonpublic personal information” about customers. Covered entities are required to securely dispose of that nonpublic data, and must dispose of any relevant records after they have been unused for two years. 

On the state level, companies are subject to additional data disposal laws. At least 35 states have enacted laws that are designed to protect the private information of their residents. Here in Massachusetts, Mass. Gen. Laws Ch. 93I, § 2 applies to any business that keeps records containing personal information of Commonwealth residents. (“Personal information” is defined as the person’s first name and last name or initial, in combination with their SSN, driver’s license number, financial account information or biometric indicators.)

If your company has records that contain personal information about employees and/or customers from other states, you may also be obligated to comply with the data destruction laws in those states.

Checklist for Maintaining Data Destruction Compliance

  • Get clear about what (if any) data destruction requirements your company is obligated to meet. Industry associations could be a good source of information about any federal requirements that apply to businesses in your specific line of work.
  • Choose a point person to oversee data destruction compliance, and have a backup system for them in place. Maintaining data destruction compliance is one of those minor-yet-important tasks in a busy company that will slip through the cracks unless it’s specifically assigned to someone responsible. Maybe it’s an office administrator, an IT person or even you. Whoever the point person is, their job is to coordinate pickups with your data destruction company, create records and address any security gaps in your data disposal processes. The point person should have a written record of any relevant instructions so a substitute can jump in to oversee data destruction when they’re absent. 
  • Maintain an up-to-date data destruction policy. Your data destruction policy might be a section of your employee handbook, part of your data protection policy or its own separate document. List the types of documents, digital files and other materials that need to be securely destroyed (as opposed to recycled or thrown away). Include a chart or list of types of sensitive documents and the length of time they should be kept before being destroyed. State the data destruction methods that should be used for physical and digital files; shredding is the standard method for paper documents, hard drives/other media that store data, and other proprietary materials. Make sure to address policies applying to data destruction for remote workers, if applicable.
  • Train and retrain all employees on the data destruction policy at routine intervals. Include an overview of the trash, recycling and shredding containers and how they should each be used as part of orientation for each new employee. Review your written data policies at the beginning of each year and share updated copies with everyone in the company.  
  • Track and save records of all data destruction activities. Good record-keeping is essential for compliance. Create logs documenting each pickup by your data destruction service and request Certificates of Destruction after every shredding session. Keep both physical and digital copies of data destruction records, just in case. 
  • Run your own unannounced audits occasionally. Check open recycling bins for documents that should be shredded instead. Verify that employees know about the company’s data security policies. Ask for records documenting the last time the company had some obsolete hard drives shredded. These informal checks will give you an idea of how well-prepared the business would be if you were ever asked to demonstrate compliance to a government agency.

Northeast Data Destruction makes it quick and painless for businesses to comply with data destruction regulations. From delivering locked bins for collecting your materials, to providing Certificates of Destruction when those materials are destroyed, we help you safeguard your sensitive data at every step. Does your data disposal system have some holes that need fixing? Contact me today.