Several federal and state regulations require companies to protect their clients’ and/or employees’ confidential information. The most common ones are HIPAA and FACTA, but others exist as well. Below you will find a breakdown of some of the more common regulations to help you make sense of it all.
Yes. Using a third-party destruction vendor is one way to establish corporate compliance with these regulations, but only if the vendor's process leaves a record you can produce for an auditor. The tracking and accountability built into the Shred a Box process offers a more robust compliance option than many other services: destruction at a secure facility, destruction videos, certificates of destruction, and online order history are some of the ways we help your company document that records were actually destroyed, when, and by whom.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996; the Privacy and Security Rules issued under it establish national standards for protecting the privacy and security of protected health information (PHI). The rules require covered entities (and, through their contracts, business associates) to maintain reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of PHI, which includes disposing of paper records containing PHI so that they cannot be read or reconstructed.
FACTA stands for the Fair and Accurate Credit Transactions Act of 2003 and requires that entities use reasonable and appropriate measures to dispose of information derived from consumer reports. Examples of this type of information include but are not limited to credit reports, credit scores, employment background, residential history and medical history.
GLBA stands for the Gramm-Leach-Bliley Act (the Financial Services Modernization Act of 1999) and requires financial institutions to provide customers with privacy notices explaining the organization's information-sharing practices. It also allows consumers to opt out of that information sharing in most instances. Under the FTC's Safeguards Rule, the institution must also adopt a written information security program with administrative, technical, and physical safeguards to protect customer information, including its secure disposal. For more information on GLBA, please visit http://business.ftc.gov/documents/bus53-brief-financial-privacy-requirements-gramm-leach-bliley-act.
The Red Flags Rule is enforced by the Federal Trade Commission (and by the federal banking regulators for the institutions they supervise) and requires financial institutions and creditors that hold covered accounts to implement a written Identity Theft Prevention Program to detect the warning signs, or "red flags," of identity theft in their day-to-day operations and to respond appropriately when one is found. For more information on the Red Flags Rule, please visit http://www.business.ftc.gov/privacy-and-security/red-flags-rule.
Massachusetts 201 CMR 17.00 requires any person or entity that owns or licenses personal information about a Massachusetts resident, regardless of where the entity itself is located, to protect that information, including by developing and maintaining a Written Information Security Program (WISP). For more information on Massachusetts 201 CMR 17.00, please visit http://www.mass.gov/ocabr/government/oca-agencies/dpl-lp/re-compliance-with-201-cmr-1700-standards.html.
The Public Company Accounting Reform and Investor Protection Act of 2002 (better known as Sarbanes-Oxley, or SOX) is a federal law passed in response to a series of corporate accounting scandals. It mandates a number of reforms intended to enhance corporate responsibility and financial disclosures and to combat corporate and accounting fraud, including a provision (Section 404) requiring public companies to evaluate and report on the effectiveness of their internal control over financial reporting. SOX also makes it a crime to knowingly destroy or alter records in order to obstruct a federal investigation, so a document destruction schedule has to respect applicable retention periods and any legal hold before anything is shredded. For more information, please visit http://www.sec.gov/about/laws.shtml#sox2002.
NAID is the National Association for Information Destruction and serves as the leading international trade association for the information destruction industry. NAID membership by itself only indicates that a company belongs to the association; NAID AAA Certification indicates that a service provider has been independently audited against NAID's required operational and security standards, so it is the certification, not the membership, that you should ask a vendor to document. For more information about NAID, please visit their website at http://www.naidonline.org/nitl/en/index.html.