Government
Mandates
Federal Law
The Health Insurance
Portability and Accountability Act (HIPAA) of 1996
Regulates the healthcare industry in the United
States and assures that healthcare organizations will be responsible for the secure
electronic transmission, secure storage and disposal of patient information.
The first conviction for a violation of the Health Insurance Portability and
Accountability Act (HIPAA) took place the week of November 19, 2004. Richard W. Gibson was
ordered to pay $9,000 in restitution and sentenced to 16 months in jail for taking
personal information while employed at a cancer treatment center in Seattle, WA. The
information was then used to commit identity theft.
Advice: If you handle medical or insurance records, you better have and practice a
certified document destruction program or you are risking jail time under HIPAA.
The Gramm-Leach-Bliley Act
of 1999 (GLB)
Financial institutions that obtain nonpublic
personal information through the normal course of their business must develop precautions
to ensure the security and confidentiality of customer records and information, and to
protect against unauthorized access to or use of such records. This includes secure
storage, disposal, and sharing of confidential information.
| Who must comply with the Gramm-Leach-Bliley Act: |
Banking and credit issuing |
Stocks, bonds, and investing |
| Insurance |
Financial
Service Providers |
Penalties
for noncompliance: |
Up to
$100,000 for each violation. Criminal penalties may include up to five years in prison |
The Economic Espionage Act
(EEA)
Makes the theft or misappropriation of trade secrets
a criminal offense. Taking papers from dumpsters outside offices is called "dumpster
diving" and is a common tactic used by commercial information brokers as well as
foreign intelligence services. It involves collecting and going through the trash left out
for collection from residences and businesses. Stealing trash is not illegal. The Supreme
Court ruled in 1988 that once an item is left for trash pickup, there is no expectation of
privacy or continued ownership.
| Who is affected by EEA: |
| U.
S. Citizens |
General
businesses handling sensitive data in hardcopy |
Penalties for
convicted individuals and organizations: |
Up to $500,000 or up to
15 years in prison. In some cases an organization can be fined up to $5,000,000. |
Penalties for
the citizen or business: |
Priceless |
The Fair and Accurate Credit
Transactions Act of 2003
Also known as the FACT Act was signed into law on
December 4, 2003. In general, the Act amends the Fair Credit Reporting Act (``FCRA''). The
Act contains a number of provisions intended to combat consumer fraud and related crimes,
including identity theft, and to assist its victims. Specifically the act requires the
destruction of PAPERS CONTAINING CONSUMER INFORMATION. It is hard to imagine any business
or organization that is not bound by this law.
DISPOSAL RULE - Sec.
682.3 Proper disposal of consumer information. |
| Standard. Any person who
maintains or otherwise possesses consumer information, or any compilation of consumer
information, for a business purpose must properly dispose of such information by taking
reasonable measures to protect against unauthorized access to or use of the information in
connection with its disposal. |
| Examples. Reasonable
measures to protect against unauthorized access to or use of consumer information in
connection with its disposal would include: |
- Implementing and monitoring compliance with policies and
procedures that requires the burning, pulverizing, or shredding of papers containing
consumer information so that the information cannot practicably be read or reconstructed.
|
State Law
California Senate Bill 1386
(SB 1386)
Requires businesses that maintain personal data on
California residents to disclose security breaches that result in unauthorized access to
unencrypted personal data. The law pertains to any organization, whether based in
California or in other parts of the country. Personal information includes an individual's
name along with their Social Security number, driver's license number, state
identification number, or credit or debit card numbers with security codes.
| Who must comply with SB 1386 |
| Banking and
credit issuing |
Insurance |
| Stocks, bonds,
and investing |
Financial
Service Providers |
| Any business
handling sensitive data |
|
| Penalties for
noncompliance: |
| Up to $10,000 for each
violation. |
Georgia Senate Bill 475 (SB
475)
Establishes guidelines for proper discarding and
disposal of certain business documents containing personal information. According to the
law, a business may not discard a record containing personal information unless it:
| A business may not discard a record containing personal information
unless it: |
| Shreds
the customer’s record before discarding the record |
Erases
the personal information contained in the customer’s record before discarding the
record |
| Modifies
the customer’s record to make the personal information unreadable before discarding
the record |
Takes
actions that it will ensure that no unauthorized person will have access to the personal
information. |
| Penalties: |
| The fines range from $500
to $10,000 |
