Depending on the industry or business, companies have to comply with information security legislation at both federal and state levels. Some are industry specific such as HIPAA, HITECH, FACTA and GLBA, but can have wider implications for business in general. In addition, New Jersey has the Identity Theft Act of 2004. Information is considered securely destroyed if it is burned, pulverized or shredded. Simone Bryerman, president of PROSHRED Southern New Jersey explains the need for compliance:
1.) HIPAA and HITECH affect the medical industry and all who do business with these institutions. These two acts, although HITECH is more of an amendment, affect how information is handled, shared and destroyed. Companies that do business with any medical entity have to sign a Business Associates Agreement that binds them to the same confidentiality of information sharing and security as the original entity. HIPAA compliant industries can be audited and must have an information security and destruction policy in place.
2.) The Fair and Accurate Credit Transaction Act of 2003 (FACTA) covers almost every business in the United States. It was revised in 2005 with Sec. 682.3, Proper Disposal of Consumer Information. Any person who maintains or otherwise possesses consumer information, or any compilation of consumer information for a business purpose, must properly dispose of such information to protect against unauthorized access to or use of the information in connection with its disposal.
3.) The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a federal law that controls the ways financial institutions deal with the private information of individuals. It regulates the collection and disclosure of private financial information and includes the Safeguards Rule, stipulating that these institutions must implement security programs to protect this information.
4.) All information breaches, whether paper, internet or technology based, and whether suspected or actual, have to be reported. These regulations, depending on the nature of the breach, can require documentation to be submitted to federal, state or financial institutions such as credit card entities.
5.) Penalties can be imposed in the form of fines, both at the federal and state level. In addition, the biggest penalty is to the bottom line of a company, whether in the form of fines or negative publicity. No company wants to end up as a segment on the local or national news. Often, companies are required to inform all of the possible victims, which adds the cost of mailing and providing credit monitoring. And if that company is public, watch its stock price tumble. Forethought in how information is stored, accessed and destroyed is an important preventative measure. While it may cost a little now, it will cost nothing compared to what it could cost later.
Simone Bryerman is president of PROSHRED Southern New Jersey.