Just Shred It

Destroy personal information instead of tossing it in the trash.

Got a Pile of unnecessary data about employees, customers and vendors? Better shred it … or dread it.

That's the succinct message state and federal law enforcement officials are sending to companies and service providers that simply toss sensitive and confidential information into the trash. The crackdown comes on the heels of legislation in a number of states.

When mortgage companies and other lenders go out of business, they often leave behind sensitive information, including social security numbers, and personal credit and account histories. Some of these firms destroy the private data, but many don't bother taking the time or spending the money to do so.

Although mortgage arrangers are a big part of the problem these days, they are not the only culprits. In March, Texas Attorney General Greg Abbott reached an agreement with CVS Pharmacy that, state officials say, “will protect [CVS's] Texas customers from identity theft.” In April 2007, the state filed suit against the drug store chain after hundreds of documents containing customers' personal information were dumped behind a CVS store in Liberty, Texas.

The attorney general's office stated that its investigation turned up numerous receipts with complete credit card numbers and expiration dates. CVS agreed to overhaul its information security program to protect the personal information of its customers and pay $315,000 to the state, which intends to use the money for investigating and prosecuting identity theft cases.

Elsewhere, the Indiana attorney general has filed charges against 18 pharmacies, including CVS and Walgreens, and the pharmacists themselves for dumping personal medical information into the trash. Also, Kentucky law enforcement officials say they are engaged in voluntary compliance efforts with some 30 businesses that were found to be throwing private records into the trash.

“Big companies tend to have their act together on this, but it's the small ones that are just not making it a priority,” Kristen Mathews, a New York attorney, told The National Law Journal. “[I]f they are going out of business, [s]hredding documents is not going to be the highest on their priority list.” Mathews also says more than a dozen states now require that documents and computer disks containing personal information be shredded or wiped clean, as the case may be.

The Federal Trade Commission (FTC) has a useful guide, “Protecting Personal Information — A Guide for Business,” which is available at www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf. It outlines a “sound data security plan,” which consists of five elements: (1) knowing what personal information you have in your files, (2) keeping only essential information, (3) protecting that information, (4) properly disposing of whatever is not necessary, and (5) planning for possible security breaches.

For a business starting from scratch, the FTC guide is a solid reference. But, given the growing governmental interest in this issue, it is best to check with legal counsel on new state laws and regulations.