Taking the Lead

States continue to take the lead in establishing comprehensive ID theft laws.

Incidents of data security breaches and identity theft continue to make news, helping to draw attention to the need for stronger legislation regulating the disposal of personal information.

State legislatures appear to be taking the lead when it comes to addressing these needs, with the federal government having been slow to react to charges that FACTA (Fair and Accurate Credit Transactions Act) offers insufficient protection against ID theft because it is limited to personal information found on credit reports.

ON THE BOOKS

The extent to which shredding or destruction is mandated in state legislation varies, with many of the laws instead focusing on criminalizing identity theft, enabling ID theft victims to restrict access to their credit reports and requiring institutions to inform individuals of data security breaches. However, a few states passed legislation in 2005 that did specify the destruction of personal information upon its disposal. Montana law, for instance, specifies that a business "shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer necessary to be retained by the business by shredding, erasing or otherwise modifying the personal information in those records to make it unreadable or undecipherable." Similar legislation passed in Texas states, "When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing or other means, the personal identifying information to make it unreadable or undecipherable."

The law New Jersey passed in 2005 also calls for businesses or public entities to "destroy, or arrange for the destruction of, a customer’s records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing or otherwise modifying the personal information in those records to make it unreadable, indecipherable or non-reconstructable through generally available means." According to the National Association for Information Destruction (NAID) Web site (www.naidonline.org), the New Jersey law "has all of the definitions and examples of destruction included in FACTA, but, unlike FACTA, it covers the broadest range of personal information we have seen."

Arizona Gov. Signs ID Theft Bill

Arizona Gov. Janet Napolitano has signed House Bill 2484, which addresses the growing concern over ID theft, into law.

The bill, referred to as the Personal Identification Information Records and Disposal Act, goes into effect Oct. 1, 2006.

The law states, "An entity must not knowingly discard or dispose of records or documents without redacting the information or destroying the records or documents if the records or documents contain an individual’s first and last name or first initial and last name in combination with any of the following: Social Security number; credit card, charge card or debit number; retirement account number; savings, checking or securities entitlement account number; or driver license number or non-operating identification license number."

Under the law, the civil penalty for violations will not exceed $500 for a first violation, $1,000 for a second violation and $5,000 for a third or subsequent violation. The attorney general or the county attorney in the county where the records or documents were wrongly discarded can enforce the law.

According to Federal Trade Commission statistics, the Arizona cities of Phoenix, Mesa and Scottsdale had the highest number of identity theft incidents per capita in 2005.

If the language specifying shredding in these bills sounds similar, it’s no accident. Phoenix-based NAID or its members helped to bring the need for such language to the attention of legislators in these states.

CALL TO ACTION

"We have found almost in every instance where we are able to have an audience with a staffer or legislator at the state or federal level that they are very sensitive to the security of information when it is used by companies, but that they don’t think of the security of the data once it’s discarded," NAID Executive Director Bob Johnson says.

However, once the concern is brought to their attention, Johnson says state legislators are "all too happy to address it."

That is not to say that NAID never meets with resistance. "Where we see any push back at all from legislators is where they resist the idea of further regulating business, even though we don’t think the burden is all that great," he says. Because they fear overregulation, the legislators may not provide a lot of direction when it comes to defining disposal requirements for personal information, Johnson says.

Owners and operators of secure shredding companies have certainly taken note of the vague language used in federal legislation and in some state laws. Jerry Martin, owner of The Shredders in Los Angeles, says that legislation is purposely vague in response to the pressure applied by the businesses the laws attempt to regulate.

While an array of divergent state laws can be confusing for businesses with nationwide operations, Johnson says that it may help to produce action at the federal level. "In the end it may well be that the ultimate benefit of states that have passed laws requiring notification of breaches and mandating destruction of discarded information will be moving large corporations that are lobbying against legislation to our side of the table on federal legislation because they don’t want to see 50 different state laws," he says. "It may force their hand on the federal level."

At the federal level, Johnson says right now the focus is on information in digital form. The Data Accountability and Trust Act (DATA), which was introduced in the House as H.R. 4127 in October of 2005 and was ordered to be amended March 29, 2006, would require "reasonable security policies and procedures to protect computerized data containing personal information and to provide for nationwide notice in the event of a security breach," according to the text of the bill.

On the Docket

The following is a brief list of the ID theft legislation that includes language specifying the shredding of information that has been introduced or passed at the state level in 2006:

 

Illinois – House Bill 4438 was filed Jan. 9, 2006, by Rep. Harry R. Ramey Jr. As of April 7, it had passed both houses. The bill would make it a Class A misdemeanor to facilitate the crime of ID theft by “knowingly, with the intent of committing identity theft, aggravated identity theft or any violation of the Illinois Financial Crime Law,” disposing “of that written, recorded or computerized information in any receptacle, trash can or other container that the public could gain access to, without shredding that information, destroying the recording or wiping the computer disk so that the information is either unintelligible or destroyed.” The bill would also enable civil action against those convicted of identity theft, aggravated identity theft or facilitating identity theft.

 

Indiana – House Bill 1101 was introduced by Rep. Jackie Walorski Jan. 5, 2006. The law was signed by Gov. Rod R. Blagojevich March 21, 2006, and will go into effect July 1, 2006. It calls for the disclosure of data breaches and stipulates that a person disposing of a customer’s personal information without “shredding, incinerating, mutilating or erasing” the information is committing a Class C infraction, which becomes a Class A infraction if the personal information of more than 100 customers is involved or for a second or subsequent infraction.

 

West Virginia – House Bill 4281 was introduced Jan. 31, 2006, and has not made much progress since. The bill states that businesses conducting business in the state or possessing the personal information of a West Virginia resident “must take all reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.” The bill defines these measures as including, though not being limited to, implementing and monitoring compliance with policies and procedures requiring the burning, pulverizing or shredding of papers containing personal information so that the information cannot be reconstructed and the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot be reconstructed. It also states that companies can enter into and monitor compliance with a third party that provides record destruction to dispose of personal information in a method that conforms with the statute.

According to Johnson, the act is direct in its requirements to destroy electronic data, though it does not specify the need to destroy printed documents containing personal information. Johnson says that the House committee has commissioned a study that will look into the need to destroy hard copy documents, however.

When it comes to crafting effective legislation, whether at the state or federal level, Johnson and Martin have some suggestions.

WELL-CRAFTED LEGISLATION

Martin would like to see one federal law that covers all personal data, rather than more industry-specific legislation such as FACTA and the Health Insurance Portability and Accountability Act. Martin would also like to see new legislation use language that specifies the shredding of discarded documents because it would leave no doubt as to what the law requires.

As far as Johnson and NAID are concerned, well-crafted legislation is also specific. Johnson says he’d like to see the definition of personal information broadened to include any identifying information, not just what comes off of a credit report. "States have done a better job with that," he says.

In addition, Johnson says effective legislation would offer direction on how to best implement the requirements, specify enforcement measures, address charges for violations and provide victims with redress in civil court.

While some states are taking such recommendations into consideration when drafting comprehensive ID theft legislation, progress at the federal level is slower.

The author is managing editor of SDB magazine and can be reached at dtoto@gie.net.

June 2006