How does your company dispose of personally identifiable information (medical records, financial information, applications containing sensitive information, etc.) and other sensitive information when the information is no longer needed? Do you throw it in the trash can next to your desk? Where does it go after that? Is it securely shredded, or thrown into an unsecured dumpster with the trash of other offices and companies? What about sensitive electronic information?
These questions might not seem important, but the way in which your company disposes of sensitive information can have significant consequences for your business, as two companies learned recently when they discarded personally identifiable information in unsecured dumpsters and were fined over $100,000 by the Federal Trade Commission (FTC).
The FTC filed charges against three companies that own, manage, and operate payday loan and check cashing stores, alleging that they failed to safeguard personally identifiable information by discarding “documents containing sensitive personal identifying information – including Social Security numbers, employment information, loan applications, bank account information, and credit reports – in unsecured dumpsters near [the defendants’] locations.”
What Were The Causes Of Action?
The FTC’s complaint claims that the defendants violated:
(1) the FTC’s Disposal Rule, which requires companies that maintain or possess certain consumer information for a business purpose to “properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information”;
(2) the Gramm-Leach-Bliley Safeguards Rule and Privacy Rule, which require that financial institutions (companies significantly engaged in providing financial products or services) develop and use safeguards to protect consumer information, and deliver privacy notices to consumers explaining their policies and practices; and,
(3) the FTC Act, which prohibits misrepresentations about the reasonable measures companies implement to protect sensitive consumer information.
What Was The Result?
Two of the three defendants settled with the FTC, agreeing to pay a $101,500 civil penalty, to establish what will likely be an expensive and comprehensive information security program, to obtain independent third-party audits every other year for 20 years, and to comply with a number of recordkeeping and compliance-monitoring requirements.
What Are The Takeaways?
First, you need to assess how your company disposes of sensitive information. Next, you must identify the policies and procedures your company has adopted to ensure that sensitive information is disposed of securely. Can those policies and procedures be improved? Do your employees comply with existing policies, and what “checks” are in place to maximize compliance and minimize risk? When was the last time you trained and reminded employees about the proper way to securely dispose of sensitive information? Do you know how your vendors and business associates, with whom you share sensitive information, are disposing of that information? The same questions apply to electronic records: deleting a file, or discarding a drive, backup tape or old laptop without wiping or physically destroying the media, leaves the data recoverable. If you are not sure whether the safeguards your company has adopted meet the legal requirements for secure disposal, it might be wise to retain counsel.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.