What’s Your Liability for Improperly Discarded Documents?
It’s the worst-case scenario—you’ve allowed some sensitive documents to slip through your security cracks, and someone has used the information they contain to commit a crime or get access to private information. Are you financially responsible for the resulting losses? The short answer: Yes.
Ideally, all your important documents will be securely disposed of using a professional shredding service. If you skip this safeguard, criminals can get access to improperly discarded documents by dumpster diving or other means. Dumpster diving itself is not illegal (except in cases of trespassing on private property), and there is no expectation of privacy for documents that are in the garbage. So if someone gets hold of an unshredded document by dumpster diving, the person or company that threw it away could be liable.
Once in possession of key personal and financial information, thieves can:
- Steal someone’s identity
- Make charges on someone else’s credit cards
- Open new credit cards or lines of credit
- Use someone’s healthcare insurance to get medical treatment
- File a tax return in someone else’s name
- Steal proprietary corporate information
- Find out sensitive information that could compromise someone’s finances or privacy
If your credit card is stolen and you report the theft promptly, you are not responsible for any unauthorized charges over $50. But what if you failed to properly dispose of a sensitive legal, medical or other document that led to a security breach?
In 2009, the CVS pharmacy chain disposed of unshredded materials containing protected health information about patients in dumpsters accessible to the public.
Such improper disposal is a violation of the HIPAA Privacy Rule, which requires all covered entities to put in place “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information” such as demographic, financial, diagnosis, and treatment information.
Entities covered by HIPAA include:
- Nursing Homes
- Health insurance companies
- Company health plans
Safeguards recommended by the U.S. Department of Health and Human Services include “shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes.”
Because it did not take the step of having its documents professionally shredded, CVS had to pay $2.25 million in penalties. In a similar case, Rite Aid had to pay $1 million.
The medical industry isn’t the only one legally required to properly dispose of paper documents. The Safeguards Rule, which is part of the Gramm-Leach-Bliley Act, requires any company that offers financial products or services to consumers to keep customer information secure, including disposing of it properly by shredding or otherwise destroying documents so they can’t be read or reconstructed.
The Safeguards Rule covers:
- Payday lenders
- Check-cashing businesses
- Professional tax preparers
- Auto dealers who offer financing or leasing
- Electronic funds transfer networks
- Mortgage brokers
- Credit counselors
- Real estate settlement companies
- Retailers that offer credit cards to consumers
- Educational institutions that offer student loans
Failure to comply with the Safeguards Rule could result in substantial fines and penalties.
Businesses and Individuals
The FTC’s Disposal Rule requires any business or individual that uses consumer information for a business purpose to properly dispose of consumer information by “burning, pulverizing or shredding” papers that contain consumer information.
Entities covered by the Disposal Rule include:
- Insurance companies
- Car dealerships
- Any individual who obtains a personal credit report for a business purpose, including hiring employees or contractors, or renting an apartment
Businesses that violate the Disposal Rule are subject to substantial penalties, and consumers are entitled to recover actual damages that result, including as part of a class action lawsuit.
In addition to federal regulations, more than half of U.S. states have laws governing document disposal. Connecticut law regarding safeguarding personal information requires that “any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.”
Failure to properly shred or otherwise destroy sensitive documents can result in a civil penalty of $50 to $500,000 per event.
Fortunately, it’s easy to avoid penalties and problems due to improperly disposed of documents. Make sure that all documents that contain any sensitive personal or corporate data are shredded by a professional security and document destruction company such as PROSHRED Connecticut.