In 2004, nearly 70% of all identity thefts occurred offline*. The reason? Lack of proper information disposal and inadequate document shredding programs within organizations.

To address the responsibility of businesses to better police their procedures for destroying personal information, the federal government enacted the Disposal Rule, effective June 1st, 2005. This broad regulation impacts all U.S. businesses, regardless of size or industry, that possess consumer information. The regulation defines acceptable methods of consumer information disposal and assigns penalties when a company is non-compliant.

Under the Disposal Rule, businesses are now compelled to assess the effectiveness of security procedures related to information disposal to meet federal compliance guidelines. Failure to do so can have grave consequences.

* Does your company have an information destruction policy in place to meet the Disposal Rule requirements?
* Are you taking the steps necessary to rapidly ensure federal compliance?
* If not, you may be exposing your customers, your company and your employees to tremendous liability.

As the industry leader in records and information management, Iron Mountain has prepared a brief Disposal Rule overview to help you understand its implications and take the necessary steps to ensure compliance.

The Disposal Rule: What It Says

The Disposal Rule requires "any person or company who maintains or otherwise possesses consumer information to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." "Consumer information" is defined as any record about an individual that is a consumer report, or is derived from a consumer report, including compilations of such records.

What It Means by "Reasonable Measures"

Disposal Rule compliance cannot be achieved by relying on a personal shredder under a desk. Nor can your janitorial staff or your landlord be expected to properly destroy critical data. Today, a secure, proven system of records disposal is legally required if your records contain consumer information. Here are two examples the FTC has given of destruction techniques that would constitute "reasonable measures" taken to protect against unauthorized access or use of consumer information:

1) Burning, pulverizing or shredding of information
2) Destruction or erasure of electronic media so that information cannot be read or reconstructed

However, focusing only on physical document destruction does not go far enough. Companies must create, and abide by, well-defined policies and procedures governing what information gets destroyed and how. A clear and effective employee communications program discussing what to do and why is required. Without these policies, information disposal bins lying around the copy room will be meaningless and companies will risk the dangers associated with noncompliance.

In addition, if companies elect to use a third-party shredding service provider, the Disposal Rule requires them to exercise due diligence in making sure the service provider's procedures keep records secure during the disposal process. Also, after the service contract is signed, companies must monitor their service provider's performance to make sure it meets contractual requirements.

What are the Costs of Non-Compliance?

The new Disposal Rule impacts every business that operates in the United States, from financial organizations to entertainment studios; national retailers to local law firms; securities firms to landlords. To ignore or fail to fully comply with the law exposes you and your company to very serious risk.

Irreparable damage to your corporate reputation. For most companies, this is by far the greatest liability. If charged with non-compliance, your company could also risk:

* Loss of investor confidence and shareholder value
* Loss of revenue, market share and customers

Other costs of non-compliance:

* Significant fines
* Expensive litigation that drains precious capital, time and productivity

How Can Your Company Become FACTA Compliant?

Companies already governed by industry-specific legislation, such as HIPAA and the Gramm-Leach-Bliley Act, cannot become complacent. They too must review internal policies and procedures to ensure Disposal Rule compliance. Disposal Rule compliance demands the design and implementation of new, stricter policies that better manage how consumer information flows from your employees to its final, non-recoverable form. How does the information get created? How does it move within your organization? How does it get removed from your site? How does it get destroyed?

The compliance solution you select must ensure that security principles are applied throughout all phases of the information's life cycle. One weak link could jeopardize your whole program. Steps you must take include:

* Create or modify existing policies regarding the disposal of consumer information
* Identify any new procedures, training and involvement of necessary personnel
* Select, after investigation, an appropriate information management partner if needed
* Establish service agreements with this partner that specify frequent monitoring of procedures to ensure on-going compliance
* Educate and train employees
* Audit the process to identify "weak links" or performance gaps

How Do You Build a Compliant Program?

Today's challenge is to develop a defensible program that clearly shows the "reasonable measures" a company has taken to manage and demonstrate compliance. Keys to creating this type of successful program include:

* Reasonable Measures. The Disposal Rule does not define "reasonable measures," although it furnishes examples of what constitutes reasonable measures. Until the FTC expands upon the definition of "reasonable measures," companies have an ongoing duty to protect all consumer information during the disposal process. Other laws and regulations set requirements for security of personal information prior to disposal for many industries.
* Consistent disposal practices and procedures company-wide that establish a standardized approach to compliance.
* Management accountability: maintaining an unbroken chain of custody. This ensures the highest level of security, from the moment the information is created until its disposal. Remember, one weak link can jeopardize your entire program.
* Employee adoption. Employees should understand how to comply and should have the knowledge to make decisions in the best interest of your company.
* An efficient and cost-effective program. Information should be stored and disposed of with consideration for your company's workflow, workforce and workplace environment.
* Minimal organizational impact. Implementation of compliance policies should be transparent and non-disruptive.
* An ability to measure the success of your compliance program. This allows for correction of any failure points or modifications as changes in work patterns, work force and new laws require.

Depending on the nature and size of your company, the sensitivity of the information held and the costs and benefits of different disposal methods, your compliance solution could be as simple as instituting a few basic in-house procedures. However, for most companies, a more secure alternative -- and one the FTC recognizes -- is to contract with a reputable information management and destruction partner who can rapidly and effectively implement a program consistent with the various requirements of the new rule.

Why Iron Mountain?

For over 50 years, Iron Mountain has been the world leader in records and information management. Today, our team of experienced, knowledgeable professionals can offer your company a Disposal Rule-compliant Secure Shredding Program that will quickly and cost-effectively help you meet compliance requirements. It is available at no extra charge to businesses that outsource their shredding programs with us. As your information management partner, we will work with your organization to:

* Create new policies or modify your existing ones regarding the disposal of confidential and consumer information
* Identify any new procedures or necessary training and determine what key personnel need to be involved
* Assist in the implementation of all new policies and procedures
* Provide a written contract as to what steps will be taken during the destruction process to ensure compliance
* Constantly monitor program adherence and effectiveness
* Provide compliance monitoring procedures your own employees can follow
* Develop education and training materials to help guide your employees in performing these duties

How Iron Mountain Can Help You Transform Your Records Management Program into a Compliance Program

At Iron Mountain, we don't approach disposal as a separate program but as the final stage of a larger, more encompassing Compliant Records Management program. Based on our experience working with hundreds of large corporations, we strongly recommend the following six-stage approach for company-wide consistency, accountability, adoption and accessibility:

Organize -- Gain executive-level support of the program and assign a program manager to delegate departmental responsibilities.
Assess -- Evaluate existing disposal procedures, define new Disposal Rule requirements and determine necessary actions.
Develop -- Create or modify your existing program with the partner you have selected to ensure your disposal procedures are in compliance with the Disposal Rule.
Implement -- With the help of your secure shredding partner, send advance communications to managers in all offices affected by the new Rule and roll out your program company-wide.
Manage -- Regularly review reports that identify gaps in your plan that could increase risks and costs.
Audit -- Conduct a formal examination of your FACTA program to remain compliant and ensure top-level accountability.

Given the challenges of today's heavily regulated environment, companies must choose a partner they trust to store, manage and safeguard their valuable information assets. With incomparable service, resources and leading-edge technologies, Iron Mountain will provide you with a comprehensive, cost-effective records management solution that will protect your customers, and your business, from risk and exposure.

To learn more about FACTA Disposal Rule compliance, please contact us at (800) 899-IRON or visit us at

The Federal Trade Commission
16 CFR Part 682 Final Rule: Disposal of Consumer Report Information and Records

Sec. 682.1 Definitions. 682.2 Purpose and scope. 682.3 Proper disposal of consumer information. 682.4 Relation to other laws. 682.5 Effective date. Authority: Pub. L. 108-159, sec. 216.

682.1 Definitions.
(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.
(b) "Consumer information" means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.
(c) "Dispose, disposing or disposal" means: 1. the discarding or abandonment of consumer information, or 2. the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.

682.2 Purpose and scope.
(a) Purpose. This part ("rule") implements section 216 of the Fair and Accurate Credit Transactions Act of 2003, which is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.
(b) Scope. This rule applies to any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information.

682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
(b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with this rule.
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of paper containing consumer information so that the information cannot practicably be read or reconstructed.
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.
(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (1) and (2) above.
(5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR 314 ("Safeguards Rule"), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule.

682.4 Relation to other laws. Nothing in this rule shall be construed: (a) To require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or (b) To alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

682.5 Effective date. This rule is effective on June 1, 2005. By direction of the Commission.