Identity theft is a huge issue. Consumers are aware of it — nearly 50% of Internet users in the U.S. have foregone certain activities online because they were concerned with privacy and security, including the possibility of identity theft, according to a 2018 study by the National Telecommunications and Information Administration.
More importantly, the government is aware of it. The U.S. Federal Trade Commission (or FTC) is one of the federal agencies responsible for protecting consumers from illegal and unfair business practices. The FTC has posted extensive guidance for businesses to practice information security. But this information is not provided for altruistic reasons.
As of October 2019, the FTC has brought 253 enforcement cases against businesses for harming consumers due to failures in their privacy and security practices. These cases include some of the most recognizable companies including Google's YouTube, Equifax, and Office Depot. The FTC even brought a case against Lifelock, whose sole purpose is protecting customers against identity theft, for failing to safeguard customer information, including printed faxes containing private customer information. If it had used high security shredders to dispose of the faxes, it might have avoided at least some of the charges.
Here are six examples given by the FTC of document types that should be destroyed using high security shredders, such as a level 6 shredder:
- Credit Transaction Documents
- Financial Institutions
- Businesses Using Credit Reporting Agencies
- Health Care Providers
- Apps and Websites That Collect Private Information
- Everyone Else With Private Information
Businesses that provide credit services to consumers, such as credit card companies, mortgage lenders, car dealerships offering financing, and retailers extending store credit, have to comply with the Fair Credit Reporting Act and other federal laws governing credit privacy. Under this law, credit applications, debt collection notices, and any internal documents that include information like names, account numbers, financial data, or social security numbers, should be destroyed using high security paper shredders before disposal.
Privacy laws covering financial institutions are contained in the Gramm-Leach-Bliley Act. Under these laws, the FTC recommends that financial institutions destroy all paper records containing any customer information using high security shredders so that they cannot be read or reconstructed.
Many businesses use credit reports, including insurance companies, landlords and property management companies, background check investigators, and lawyers. Individuals and businesses run credit checks when hiring contractors and employees. Government agencies and law enforcement use credit reports during criminal investigations and employee background checks. There are even people who run credit checks before meeting a blind date. According to the FTC, all these credit reports have to be shredded using secure paper shredders before disposal.
Similarly, many businesses supply information to credit reporting agencies, such as landlords, utilities, or collections agencies reporting late payments or bad debts. The FTC recommends that any documents supplied to credit reporting agencies by these businesses be destroyed by both parties before disposing of them.
Under the Health Insurance Portability and Accountability Act (or HIPAA), health care providers must destroy medical records using high security shredders before disposing of them. This includes doctors and their medical offices, hospitals, and insurance companies.
The FTC has also reminded pharmacies, drug counselors, and mental health therapists that they too are covered by HIPAA if they accept health insurance. This means that any records containing names, prescriptions, insurance policy numbers, social security numbers, or payment information should be destroyed using high security shredders.
If your app or website collects private information, such as names, birth dates, addresses, phone numbers, e-mail addresses, photographs, or location tracking data, or payment information, such as financial account or credit card numbers, your business will probably be required to safeguard that information according to FTC rules. Under these rules, documents containing this information will need to be rendered unreadable using high security shredders prior to disposal.
Using common sense, any other business, government agency, non-profit or charitable organization, educational institution, or law enforcement agency that keeps records containing private information may be subject to privacy laws and regulations governing that information. These laws mandate destruction with high security shredders prior to disposal.
The FTC has provided useful guidance for steps that businesses can take proactively, such as using secure paper shredders, to avoid running afoul of consumer protection and privacy laws.