Employers Must Comply with State and Federal Document Disposal Rules
Jun 19, 2006
As we reported in our Summer 2005 newsletter (“Employers Bound by FTC’s New Consumer Information Disposal Rule,” the Federal Trade Commission (“FTC”) instituted a sweeping rule that provides severe penalties for the improper disposal of personal identifying information, including social security numbers, names, addresses, phone numbers, etc. Now, in addition to the FTC rule, Texas employers, excluding certain financial institutions and insurance companies, must also comply with Texas House Bill 698 (“HB 698”).
Like the FTC rule, HB 698 was implemented to prevent fraud and identity theft by prohibiting the improper disposal of sensitive personal information. However, unlike the broader FTC rule governing all consumer information (e.g., personal identifying information in employee personnel files), HB 698 is specifically directed at the improper disposal of “personal identifying information” of a “customer of a business.” Despite its narrower focus, all employers should be aware of HB 698 and train their employees to properly dispose of documents in compliance with this statute. Employers should also ensure their document disposal policies are updated to include all state and federal disposal requirements.
HB 698 defines personal identifying information as an individual's first name or initial and last name in combination with any one or more of the following items: (a) date of birth; (b) social security number or other government-issued identification number; (c) mother's maiden name; (d) unique biometric data, including the individual's fingerprint, voice print, and retina or iris image; (e) unique electronic identification number, address, or routing code; (f) telecommunication access device, including debit and credit card information; or (g) financial institution account number or any other financial information.
Clearly, this definition is far-reaching and encompasses an extensive range of customer information—for instance, any document containing an individual’s name and “any . . . financial information.” Therefore, companies would be wise to assume all customer files contain some information subject to HB 698. To comply with HB 698 in the disposal of personal identifying information, a business must “modify” the records “by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.” Obviously, all businesses should be careful to shred (or burn or otherwise totally destroy) all such documents. Companies disposing of large volumes of customer information may create a safe harbor from liability by hiring an outside vendor “engaged in the business of disposing of records.”
Businesses failing to properly dispose of customer records containing personal identifying information are subject to fines of up to $500 per “record,” plus costs and attorney fees. Accordingly, HB 698 creates the potential for any company, large or small, to feel the sting if it is caught red-handed after having failed to properly dispose of records containing sensitive customer information.
Employers should also be mindful that Congress is considering federal identity theft legislation that may soon be effective. We will tell you more about this legislation if it is enacted.