Survey: Companies Struggling To Keep Up With Information Privacy Laws

When it comes to shredding sensitive business documents, leaders of some of America's largest companies are devoting more attention and more money to keeping information safe. But despite the extra effort, many admit unfamiliarity with key federal and state laws governing information privacy, leaving them vulnerable to fines and identity theft.

These are the central findings from a survey of business professionals and managers responsible for safeguarding their company's information. Conducted on behalf of Iron Mountain Inc., the survey targeted companies with annual revenue of at least $750 million.

Perhaps most surprising among the survey's findings is that companies believe they're more familiar with federal requirements for information destruction than they actually are. While nearly three in four respondents (74 percent) express familiarity with federal requirements, fewer than one in three (30 percent) are aware of the Federal Trade Commission's Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule, one of the top laws governing U.S. businesses on information security and disposal. The FACTA Disposal Rule mandates that organizations properly dispose of papers that contain consumer information through methods such as burning, pulverizing or shredding so that the "information cannot practically be read or reconstructed."

It's not surprising that some companies seem unsure of the law. In the last five years, a myriad of state and federal legislation like FACTA has been enacted to protect consumers and their sensitive information. Currently 28 states have must-shred laws, and 43 have notification requirements for disclosing privacy breaches. With each new law, companies must revisit their policies and procedures for destroying information, an increasingly difficult task given the variety and distribution of information across an enterprise. Fifty-nine percent of respondents feel familiar with their existing state laws.

Already overwhelmed, companies face even more rules for protecting information.

Some companies will soon have to contend with a new set of FACTA mandates from the FTC.

Effective Nov. 1, financial institutions and creditors must have a formal program for preventing identity theft. Commonly known as the Red Flag Regulations, these new guidelines require companies to identify and account for "red flags," defined by the FTC as "patterns, practices and specific forms of activity that indicate a possible risk of ID theft."

Along with these new regulations, the FTC appears intent on enforcing its Disposal Rule for the first time since its enactment in June 2005. In December, the FTC found against an Illinois-based mortgage company for improperly disposing of loan documents. As a result, the company must undergo a third-party audit every two years for the next 10 years and pay a $50,000 fine for leaving consumers' personal and financial information in and around a Dumpster near its office.

"The FTC is serving notice that it's no longer enough for companies to simply say they have a policy for shredding or information destruction," said Colleen Langevin, a vice president at Iron Mountain. "Now organizations must prove their policies and procedures actually work. Proving this means demonstrating good-faith efforts to document policies; train employees; audit behavior; and oversee service providers."

While questions over companies' compliance emerged as a key theme of the Iron Mountain survey, findings also lent insight into current behaviors around information destruction. Key findings included:

Shredding is a universal practice, but not universally compliant. Nine in 10 companies outsource their shredding, while more than half (57 percent) also rely on on-site commercial-grade shredding or incineration equipment. But fewer than one in four report on compliant destruction of consumer information (24 percent), or audit compliant policies and procedures (23 percent) based on best industry practices. Companies will need these audit controls to comply with the FACTA requirements.

Information destruction receiving greater attention. One in two respondents (54 percent) say their company's leaders paid more attention over the last year to how their company destroyed and disposed of sensitive information. And nearly one third (30 percent) report their company increased its budget over the same time for information destruction and disposal.

Training and policy compliance top companies' data privacy concerns. For those who have some familiarity with state, federal or pending legislation, nearly one third (30 percent) worry that company policies do not comply with newer legislation or that they will not comply if pending legislation is passed. Twenty-nine percent express concern with getting employees up-to-speed on new requirements.

New laws, bad press and customer demand drive data disposal. Two in three companies (66 percent) say it has become more important to formalize policies and procedures for destroying sensitive information. Those companies cited new laws (63 percent), negative press of data losses (43 percent), customer demand for information security (29 percent) and pressure from industry groups (28 percent) as the top reasons why.
