Laws Mandate Disk Destruction
The various laws mandating protection of confidential information make no distinction if the data is stored electronically on hard disk drives or on paper. Often times, stealing the data from a hard disk drive is a simple as buying a used computer. Often times, when the data is stolen from a computer, it is the confidential records of thousands or millions of individuals. This theft of information has caused the enactment of various laws described below. Even though the federal government was the first to enact laws, the states seem to be imposing larger penalties and fines for the careless handling and disposal of confidential information. One careless way the data is handled is the donation or sale of computers (copiers, fax machines and scanners) which had intact disk drives containing confidential data. The essence of these laws is to protect the individual from the crime of IDENTITY THEFT by protecting private personal information . One of the first and most well known of the federal laws is HIPAA, which was enacted to protect the privacy of patient information.
NOTE: Any copier, fax or scanner may contain a hard disk drive. As the documents are scanned by the copier, fax or scanner, the image is stored on the internal disk drive. As with computers, make sure you remove disk drives from these devices before disposing of them in any manner at all, such as gifting to charity or disposing by recycling.
Health Insurance Portability and Accountability Act (HIPAA), was enacted in 1996 and includes provisions intended to safeguard the privacy of patient health records. For a full text of the SUMMARY OF THE HIPAA PRIVACY RULE from the Department of Human Services, available online go to: http://www.hhs.gov/ocr/privacysummary.rtf. See page 14 of this document in regards to shredding information.
GLB (Gramm Leach Bliley)
Gramm Leach Bliley (GLB) is another federal law with a much broader scope than HIPAA. This law was designed to compel financial institutions to "respect the privacy of its customers and to protect the security and confidentiality of those customers' non-public personal information." This language suggests that hard disk drives containing social security numbers, credit card data, etc should be protected when in use and safely destroyed when no longer current and usable.
Facta (Fair and Accurate Credit Transactions Act)
The Fair and Accurate Credit Transactions Act of 2003 also known as the FACT Act was signed into law on December 4, 2003. The Act amends the Fair Credit Reporting Act (``FCRA''). The Act contains a number of provisions intended to combat IDENTITY THEFT and consumer fraud and related crimes. Specifically the act requires the protection and destruction of ELECTRONIC RECORDS CONTAINING CONSUMER INFORMATION. Virtually every business or organization that is bound by this law.
The DISPOSAL RULE
Sec. 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal (that means you shouldn't sell or donate disk drives with confidential informational.
(b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal would include:
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.