Small firms must now protect sensitive information

Rhonda Abrams (USA Today)
6/17/2005 – If you don’t already have a shredder, get one. As of June 1, you’re now required to shred many documents you’ve routinely tossed in the trash — or you may be violating federal law. Really!
A new federal regulation — the Federal Trade Commission’s “disposal rule” — almost certainly applies to your business. The disposal rule, part of the Fair and Accurate Credit Transactions Act or FACTA, requires anyone with access to “consumer information” used for a “business purpose” to properly dispose of such information by “taking reasonable measures to protect against unauthorized access or use of that information.”

Jen Schwartzman, spokeswoman for the FTC, said the rule applies to “consumer reporting agencies, lenders, insurers, employers, landlords, any governmental agency, mortgage broker, car dealers, attorneys, private investigators, debt collectors, and then any individual who may obtain information on somebody who’s doing work for them in their home such as a nanny or contractor.”

What do you do with the pile of rejected resumes after you’ve selected a new employee? With the stack of unwanted tenant applications after you’ve rented out an apartment? In the past, you may have just tossed all that paper in the trash. If so, it’s relatively easy for a cleaning person or “dumpster diver” to get hold of it, potentially leading to identity theft.

Once a thief has sensitive personal data — such as Social Security, bank account, or credit card numbers — they can empty a person’s bank account, run up huge debts, and wreak havoc with someone’s credit and reputation. The disposal rule was created to help combat the growing crime of such identity theft.

Obviously, if you’re a mortgage broker with stacks of clients’ credit reports, you’ve probably already developed methods of carefully disposing of or shredding such highly sensitive information. But even if you’re just interviewing nannies to watch the kids after school, you’ve now got to shred any past employment histories applicants give you rather than just tossing that information in the trash.

“This is the first time a very small business has come under these kind of requirements,” explained Schwartzman. “The important thing to remember is that it’s not the size of the business, but the type of information you have. If you’re a landlord with only one tenant, and you’re looking at reports on applicants’ rental history, that type of information has to be disposed of properly.”

The types of information covered by the new disposal rule include:

• Credit reports.
• Credit scores.
• Employment background.
• Residence history.
• Medical history.
• Insurance history.
• Check-writing history.

What should you do with that information when you’re ready to get rid of it? The FTC suggests:

• Shredding or burning paper records.

• Hiring a document disposal service.

• Smashing electronic disks with a hammer.

• Wiping or overwriting electronic records stored on a computer.

• When giving away a computer, making certain the hard drive is permanently erased.

“The goal is not to create great expense for businesses; there’s flexibility,” Schwartzman says. “If you’re a small business with three or four employees, there’s no need for you to pay hundreds of dollars to a private disposal firm when you can buy a $12 shredder.”

It’s important to note that the disposal rule does not apply to how you store information. The government isn’t sending someone to check whether you’re locking the files where you keep those employment applications. The key issue is what happens when you get rid of data.

Don’t leave employment applications or resumes on desktops; lock cabinets with credit reports. After all, you don’t want to contribute to someone else’s identity being stolen. And you certainly would want another business to protect yours.

For more information, visit the FTC’s Web site at