Records Management - Storage/Access/Security/Disposition of Records – Legal Requirements
From EDRM
Fair and Accurate Credit Transactions Act (FACTA) – Consumer Disposal Rule
The Disposal Rule took effect June 1, 2005 to provide enhanced protection against identity theft. The rule was issued by the FTC pursuant to the Fair and Accurate Credit Transactions Act (FACTA). It requires businesses to properly dispose of consumer information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. Consumer information is defined as “any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report.” A consumer report is “any written, oral or other communication of any information by a consumer reporting agency that bears upon a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used or expected to be used ... as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes or employment purposes.”

The rule provides examples of measures the FTC considers reasonable for disposing of consumer information. These include implementing and monitoring policies and procedures that require (i) the burning, pulverizing and shredding of papers containing consumer information and (ii) the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. Contracting with a record destruction service is another reasonable measure, but only if due diligence was conducted when selecting that service.
Noncompliance with the rule can subject the violator to substantial civil liability. If a business willfully fails to comply with the rule, the victim may recover actual damages not to exceed $1,000, punitive damages and attorney’s fees. If a business negligently fails to comply, the victim may recover any actual damages and attorney’s fees.
The federal government is authorized to bring enforcement actions in federal court for violations and impose civil penalties of up to $2,500 per violation. The states are also authorized to bring actions on behalf of their residents and may recover up to $1,000 for each willful or negligent violation. In addition, the state may recover its attorneys’ fees if successful in such action.
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies to “covered entities,” which include health care providers, employer sponsors of group health plans, health insurers and administrators of group health plans. The rules provide privacy protection for all medical records and any other individually identifiable health information. The mandated privacy protection requires action by the covered entity both internally and in its external communications with patients. Internally, covered entities are required to adopt written privacy procedures, take precautions to ensure that business partners adequately protect the privacy of health information, provide sufficient training to employees on implementing the rules, appoint an individual responsible for compliance with the rules, and establish a process for patients to make inquiries and/or complaints regarding the privacy of their health information. In their communications with patients, covered entities are required to provide a clear written explanation of how the protected information is used, kept and/or disclosed, afford patients access to their records and the opportunity to correct errors, and seek and receive patient consent before any disclosure.
The Financial Services Modernization Act of 1999, AKA Gramm-Leach-Bliley (GLB)
The Financial Services Modernization Act of 1999, commonly known as Gramm-Leach-Bliley, governs the privacy of consumer financial information. The act broadly defines “financial institutions” to include any entity engaging in activities that are financial in nature. The definition of consumer is somewhat more limited, only applying to individuals who obtain financial products or services for personal, family, or household purposes. Business consumers are not afforded protection under the definition of consumer. The act prohibits financial institutions from disclosing consumers’ nonpublic personal information to nonaffiliated third parties unless specific notice provisions are complied with. Under the act, three types of notice must be provided to the consumer prior to any disclosure:
- Initial notice;
- Annual notice; and
- Opt-out notice.
Each notice must contain:
- The type(s) of information collected;
- The financial institution’s privacy policy; and
- Any disclosure(s) required under other federal law, specifically the Fair Credit Reporting Act.
The initial and annual notices must be provided as their names suggest, and an opt-out notice must be provided before any information is shared.
Data Breach Laws
Many states, including Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas, and Washington, have enacted data breach laws. Though they vary slightly, most require businesses and government agencies to notify state residents and government authorities if they discover an unauthorized security breach of computerized personal information. The laws in Georgia and Maine apply only to information brokers. Though the definitions differ, personal information is generally defined as an individual’s name plus one or more additional pieces of information, such as a Social Security number or bank account information. Most of the laws require that there be some threat of harm from the breach before notification is required. The laws require that notice be sent to the victims by differing means, such as in writing, by telephone, or by e-mail. They also allow substitute notice if more than a certain number of people are affected or the cost of sending the notice exceeds a certain amount. Several federal data breach notification bills have been proposed.