Current Events
Shred It or Regret It
"Your responsibility to protecting customers' private information doesn't end when your use for that information ends, ... You don't want to be known as the company that throws your consumer records in the trash," says Rebecca Kuehn, assistant director with the FTC's Division of Privacy and Identity Protection.
AGs Tell Companies: Shred It, or Regret It
Tresa Baldas, The National Law Journal, April 3, 2008

Shred it, or regret it.

That's the message that attorneys, and state and federal authorities, are sending out to companies that throw sensitive and confidential information into the trash, an illegal yet widespread practice that has triggered litigation and legislation in several states.

The practice has become particularly prevalent in the crippled banking and mortgage industries.

"Local offices are being closed. Local mortgage companies are going out of business. There is so much information left behind when that happens," said attorney Luis Salazar, a member of the data privacy and security law group in Greenberg Traurig's Miami office.

But the problem goes far beyond foundering mortgage loan companies.

Texas Attorney General Greg Abbott has filed six lawsuits against companies in the past year, including CVS Caremark Corp., RadioShack Corp. and Select Medical Corp., alleging illegal disposal of records.

Most recently, Abbott announced a judgment on March 26 against CVS, which will pay $315,000 and overhaul its information security program to settle claims that hundreds of customer records were dumped behind a CVS store in Liberty, Texas. Texas v. CVS Pharmacy, No. CV-72881 (Liberty Co., Texas, Dist. Ct.).

CVS spokesman Michael DeAngelis said that all 6,200 CVS stores have policies in place to protect the privacy of their customers. He also said that no personal customer information was disclosed in the Liberty incident.

SPREADING CRACKDOWN

In Indiana, the attorney general has filed 36 complaints with the state pharmacy board against 18 pharmacies -- including CVS and Walgreens Co. -- and 18 pharmacists for allegedly throwing personal medical information into the trash.

In Kentucky, an investigation by the state attorney general's office last fall revealed that 33 companies were illegally dumping private records into the trash. Charges were not filed, but the attorney general's office said that it is working with the companies to bring them into compliance with state disposal laws.

In December, American United Mortgage Corp. agreed to pay $50,000 to settle federal charges that it left loan documents with consumers' personal and financial information in and around an unsecured Dumpster. The settlement, which was reached with the Federal Trade Commission (FTC), also mandated routine security audits. USA v. American United Mortgage Corp., No. 07C 7064 (N.D. Ill.).

In Hawaii, the now-defunct Fidelity Escrow Services Corp. paid a $10,000 fine in July for disposing of thousands of customer records in a dumpster at a school.

But most companies are seeking to stymie the trend of tossing records into the trash, said Salazar, who conducted a seminar in Chicago last week for dozens of companies that came to learn, among other things, how to prevent information from winding up in the garbage.

Kristen Mathews, partner in the New York office of Thelen Reid Brown Raysman & Steiner, agreed with Salazar that "it's a significant problem."

"The big companies tend to have their act together in this ... but it's the small ones that are just not making it a priority, especially if they're going out of business. Shredding documents is not going to be the highest on their priority list."

But it should be, Mathews said, noting that, in the past two years, more than a dozen states have passed laws mandating that paper documents containing private data be shredded and computer disks wiped clean.

"The state laws are popping up like wildfire," Mathews said, "so it seems natural that state AGs will begin to enforce these laws."

The FTC is also cracking down on records being tossed in the trash.

"The FTC has made data security a priority, and disposal of information is part of data security," said Rebecca Kuehn, assistant director with the FTC's Division of Privacy and Identity Protection.

According to Kuehn, the general rule of thumb for disposing of records is to shred or burn paper documents, and wipe computer hard drives clean.

"Your responsibility to protecting customers' private information doesn't end when your use for that information ends," Kuehn cautioned companies.

Besides, she added: "You don't want to be known as the company that throws your consumer records in the trash."