Applies to virtually every person and business in the United States

What is FACTA?

FACTA is a federal law created to protect the privacy of consumer information and reduce the risk of identity theft created by improper disposal of a consumer report or any information derived from one. FACTA was enacted in 2003 with specific document destruction rules effective June 1, 2005.

FACTA’s disposal rule states that “any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measure to protect against unauthorized access to – or use of – the information in connection with its disposal.”

Penalties for non-compliance:

Civil Liability. Consumers may be entitled to recover their actual damages sustained as a result of a violation which, in the case of identity theft, could be very large. In other cases, consumers may be able to recover statutory damages of up to $1,000 for each consumer affected by a violation of the rule.

Class Action. Where large numbers of consumers are affected, they may be able to bring class actions seeking potentially massive statutory damages. For example, if 1,000 consumers were affected, a class action might seek up to $1,000,000 in statutory damages. Courts are also authorized to award punitive damages in either individual suit or a class action. Finally, they may also be able to recover reasonable attorney’s fees.

Federal Enforcement. The government may bring an action in federal district court of up to $2,500 in penalties for each independent violation of the rule.

State Enforcement. The states may recover up to $1,000 for each willful or negligent violation. As with private lawsuits, the state may recover its reasonable attorney’s fees.

How do I comply?

FACTA cites several examples of how to comply with the requirements including implementing and monitoring policies and procedures that require shredding or other forms of destruction, and after due diligence, contracting with a third party to properly dispose of consumer information. The FTC’s recommendations for due diligence include:

• Reviewing an independent audit of the disposal company’s operations.
  Our NAID Certification annual audit, performed by an independent Certified Protection Professional (CPP), fulfills this recommendation. The results are available for client review.

• Requiring that the disposal company be certified by a recognized trade association.
  OMS is certified by The National Association for Information Destruction.

• Reviewing and evaluating the disposal company’s information security policies and procedures.
  NAID Certification establishes security criteria for policies and procedures that clients can easily review on our website.

How can Ohio Mobile Shredding help?

• As an authorized NAID Information Destruction Compliance Toolkit representative we can help you develop the information destruction policies and procedures required for compliance.
• We provide you with a Confidential Destruction Agreement warranting your information is destroyed in accordance with NAID Certified^® standards and practices and Reasonable Care requirements of federal legislation.
• Because compliance with FACTA requires safe disposal of more than just documents, we provide certified destruction of your hard drives, microfilm, fiche and other types of data.
• Our EasyShred℠ service provides you with consistent, reliable, and cost-effective shredding and ensures sensitive information is safeguarded and destroyed in accordance with the FACTA Disposal Rule. Compliance is achieved in 5 easy steps:
  1. We help you write information destruction policies and procedures. (this step is optional)
  2. We provide your offices with free lockable document disposal containers that prevent unauthorized access to sensitive information
  3. On a schedule that suits your needs, our bonded and insured shredding specialist securely shreds your information
  4. With every service visit, we provide you with a numbered Accountability Receipt documenting a chain of custody and a chronological history of your shredding practices – a shredding “log” for your records
  5. We provide you with a Certificate of Destruction: a third-party verification that your information was completely and confidentially destroyed in accordance with NAID Certified^® specifications and the FACTA Disposal Rule

With Ohio Mobile Shredding and EasyShred℠ compliance with FACTA could not be easier!

More information:

• www.ftc.gov
• NAID: FACTA Press Release

What is the Health Insurance Portability and Accountability Act (HIPAA)?

Enacted in 1996, HIPAA is a federal law that was created to prevent abuse of personal health information (PHI), including unauthorized access. HIPAA applies to any and all organizations or individuals (“Covered Entities”), who retain or collect health related information. Examples include hospitals, doctors, dentists, insurance companies, counselors, billing centers and collection agencies.

The HIPAA Privacy Rule requires that organizations “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information” (PHI). PHI includes names, contact information, account numbers, license numbers, dates of birth and other information.

ARRA/HITECH Act

On February 17, 2009, President Obama signed the American Recovery and Revitalization Act of 2009 (ARRA) into law. Title XIII of the Recovery Act, known as the Health Information Technology for Economical and Clinical Health (HITECH) Act, encourages the advancement of health information technology and broadens HIPAA privacy and security requirements.

Most notably, the legislation makes business associates, and not just the covered entities to which they provide services, directly subject to HIPAA’s privacy and security requirements as well as the penalties for violating those requirements. Additionally, business associates that experience a data breach are required to notify the covered entity with which they have contracts.

Each state’s Attorney General has clear and explicit authority to enforce HIPAA, with a new tiered penalty structure – amounts ranging from $25,000 to as much as $1.5 million – depending on the “intent” behind the violation.

How do I comply?

Organizations covered under HIPAA, regardless of size, must implement policies and procedures to ensure PHI is properly safeguarded and not improperly disclosed. While HIPAA does not mandate a method for destruction, “shredding prior to disposal” is identified as an appropriate safeguard. In addition, covered entities are required to enter into a contract known as a Business Associate’s Agreement with vendors who have access to PHI that incorporates the provisions of ARRA/HITECH.

How can Ohio Mobile Shredding help?

• As an authorized NAID^® Information Destruction Compliance Toolkit representative we can help you develop information the information destruction policies and procedures required for compliance.
• We provide you with a Confidential Destruction Agreement warranting Protected Health Information (PHI) is destroyed in accordance with NAID Certified^® standards and practices and Reasonable Care requirements.
• We provide you with a Business Associate’s Agreement, drafted by a leading privacy attorney in Washington, D.C., that incorporates the necessary provisions required by ARRA/HITECH.
• Because compliance with HIPAA requires safe disposal of more than just documents, we provide certified destruction of your hard drives, microfilm, fiche and other types of data.
• Our EasyShred℠ service provides you with consistent, reliable, and cost-effective shredding and ensures PHI is safeguarded and destroyed in accordance with the HIPAA Privacy Rule. Compliance is achieved in 5 easy steps:
  1. We help you write information destruction policies and procedures (This step is optional)
  2. We provide your offices with free lockable document disposal containers that prevent unauthorized access to sensitive information
  3. On a schedule that suits your needs, our bonded and insured shredding specialists shred the PHI quickly and securely
  4. With every service visit, we provide you with a numbered Accountability Receipt documenting a chain of custody and a chronological history of your shredding practices – a shredding “log” for your records
  5. We provide you with a Certificate of Destruction: a third-party verification that your information was completely and confidentially destroyed in accordance with NAID Certified^® specification and the HIPAA Privacy Rule

More information:

• HHS.gov Health Information Privacy

• OCR HIPAA Audit Protocol

• The “Red Flags” Rule: What Health Care Providers Need to Know

• HHS FAQ: About the Disposal of Protected Health Information

Identity theft prevention program for businesses

What is the “Red Flags” Rule?

The Red Flag Rule was promulgated by the Federal Trade Commission and other federal agencies charged with overseeing compliance to the Financial Service Modernization Act (GLB), the Fair Credit Reporting Act (FCRA) and the Fair and Accurate Credit Transaction Act (FACTA). It states that all financial institutions and others who are considered “creditors” must:

• Identify in writing the areas of their operation where the personal information of their clients is at risk of unauthorized access

• Develop written procedures to mitigate that risk
• Detect unauthorized access if or when it happens
• Periodically re-evaluate and update your Program

How do I comply?

• If you work for a bank, federally chartered credit union, or savings and loan, check with your regulatory agency for guidance. Otherwise, the FTC’s booklet, Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, has tips for determining if you are covered by the Rule.

• Every healthcare organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a healthcare provider, but rather on whether your activities fall within the laws’ definition of two key terms: “creditor” and “covered account”.
  The “Red Flags” Rule: What Health Care Providers Need to Know

• The Red Flags Rule gives you the flexibility to design an Identity Theft Prevention Program appropriate for your business, given its size and potential risk for identity theft. While some companies need a comprehensive Program, businesses and organizations at low risk for identity theft may find that a streamlined Program fits the bill. If you are at low risk for identity theft, this do-it-yourself Program may be sufficient.
  link Create your own Identity Theft Prevention Program: A Guided 4-step process

How can Ohio Mobile Shredding help?

While Ohio Mobile Shredding is not subject to the Red Flag Rule directly, we have provisions within our operations and Confidential Destruction Agreement to help our clients comply with their Red Flag Rule obligations:

1. Ohio Mobile Shredding is a NAID Certified® provider. NAID Certification criteria identify all areas of our operation where information transferred to our custody for processing is put at risk of unauthorized access. Our company’s compliance with security measures specifically designed to mitigate these risks is verified through periodic announced and unannounced audits by accredited, authorized third-party security professionals. NAID Certification security specifications, as well as verification of our NAID Certified® status, are included as addendums to these policies and procedures.
2. As a condition of employment, all Ohio Mobile Shredding employees are required to notify management of any actual or potential unauthorized access to information transferred to our custody for processing. If such information is verified by management to constitute unauthorized access to information transferred to our custody, it is our policy to fully disclose to clients all relevant details in a timely manner and to reasonably cooperate in any subsequent investigation.
3. The acceptance, transfer and processing of information transferred to our custody shall be documented and verified in writing and such documentation made available to the customer in the course of business upon request.

Data security plays an essential role in keeping people’s sensitive information from falling into the wrong hands. Protect what you have a legitimate business reason to keep and securely dispose of what you no longer need. Our EasyShred℠ service provides you with consistent, reliable, and cost-effective shredding and ensures sensitive information is safeguarded and properly destroyed:

1. We help you write information destruction policies and procedures (this step is optional)
2. We provide your offices with free lockable document disposal containers that prevent unauthorized access to sensitive information
3. On a schedule that suits your needs, our bonded and insured shredding specialist securely shreds your information
4. With every service visit, we provide you with a numbered Accountability Receipt documenting a chain of custody and a chronological history of your shredding practices – a shredding “log” for your records
5. We provide you with a Certificate of Destruction: a third-party verification that your information was completely and confidentially destroyed in accordance with NAID Certified® specifications and Federal Regulations

With Ohio Mobile Shredding and EasyShred℠ compliance with the Red Flag Rule could not be easier!

More information:

• FTC: The Red Flag Rule

• The “Red Flags” Rule: What Health Care Providers Need to Know

What is the Sarbanes-Oxley Act?

Due to high-profile business failures of companies such as Enron and Tyco International, the Sarbanes-Oxley Act of 2002 (SOX) was enacted to protect investors by improving the accuracy and reliability or corporate disclosures. SOX establishes new or enhanced standards for all U.S. public and international companies that have registered equity or debt securities with the Securities and Exchange Commission. It also affects related businesses including accounting and information management professionals who provide financial and reporting services to them.

Penalties for non-compliance:

SOX is very complex and penalties depend on which section of the act was violated. Penalties range from the loss of exchange listing, loss of D&O insurance to multimillion dollar fines and imprisonment. For example, a CEO or CFO who submits wrong certification is subject to a fine up to $1 million and imprisonment for up to 10 years. If the wrong certification is submitted “willfully”, the fine can be increased up to $5 million and the prison term can be increased up to 20 years.

How do I comply?

Among other things, SOX requires companies to implement detailed policies and procedures for the retention, control, management, usage and disposal of information.

How can Ohio Mobile Shredding help?

OMS can provide you with destruction of your documents once their retention period ends. Our comprehensive Audit Trail and Certificate of Destruction will provide you with a chronological history of shredding, establishing your adherence to a program and responsible destruction procedures. It will also eliminate the chance that shredding practices will be construed as suspicious.

With Ohio Mobile Shredding, compliance with SOX could not be easier!

What is the Economic Espionage Act?

The Economic Espionage Act (EEA) makes the theft or misappropriation of trade secrets a criminal offense. The act defines trade secrets as “all forms and types of financial, business, scientific, technical, economic or engineering information” that the owner has taken reasonable measures to keep secret and that is not known to the public. The law applies to any individual or organization that knowingly steals, copies, receives, buys or possesses trade secrets.

For the EEA to apply, the organization or individual must be able to show that they took “reasonable measures” to protect the information.

Dumpster diving is not illegal

“Dumpster diving” is just one common tactic used to gain trade secrets. It involves collecting and going through trash left out for collection from residences and businesses. Stealing trash is not illegal. The Supreme Court ruled in 1998 that once an item is in the trash there is no expectation of privacy or continued ownership.

Penalties for violation

A person convicted can be imprisoned for up to 10 years and fined $250,000 and an organization can be fined up to $5,000,000.

How do I comply?

EEA does not stipulate compliance requirements; however, it is important to understand that companies must be able to show that they took “reasonable measures” to protect trade secrets.

How can Ohio Mobile Shredding help?

Your trade secrets are the only thing that distinguishes you from your competition and their loss could be devastating. OMS can help you implement a consistent, reliable, and cost-effective shredding program that protects your trade secrets and, should a breach occur, proves that you have taken “reasonable measures” to protect them. Our comprehensive Audit Trail and Certificate of Destruction is your best defense!

More information:

Department of Justice

What is the Gramm-Leach-Bliley Act (GLBA)?

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to ensure the confidentiality of consumer information including names, addresses, phone numbers, bank and credit card account numbers, income and credit histories and Social Security numbers. It also requires providing consumers with detailed privacy notices that explain their information-sharing practices and gives consumers the right to limit the information that is shared.

Penalties for non-compliance:

The financial institution is subject to a civil penalty of up to $100,000 for each violation, and the officers and directors of the financial institution are subject to, and are personally liable for, a civil penalty of not more than $10,000 for each violation.

How do I comply?

The GLBA Safeguard Rules requires companies to develop a written security plan that describes their information safeguarding practices. Among other things, the FTC recommends limiting employee access to customer information and shredding documents before they are discarded.

How can Ohio Mobile Shredding help?

OMS can help you implement a consistent, reliable, and cost-effective shredding program that will ensure your consumer information is safeguarded and destroyed in accordance with the GLBA.

• We provide, free of charge, the quantity, size, and type of locked document containers that will best suit your volume and needs.
• Your staff members deposit discarded consumer information, including staples, rubber bands and paper clips, into the containers whenever needed.
• On a schedule that you choose, our bonded and insured Service Representatives will shred the contents and issue you a Certificate of Destruction.

With Ohio Mobile Shredding, compliance with the GLBA could not be easier!
More info:
Bureau of Consumer Protection