Survey: Companies Struggling To Keep Up With Information Privacy Laws

When it comes to shredding sensitive business documents, leaders of some of America's largest companies are devoting more attention and more money to keeping information safe. But despite the extra effort, many admit unfamiliarity with key federal and state laws governing information privacy, leaving them vulnerable to fines and identity theft.

These are the central findings from a survey of business professionals and managers responsible for safeguarding their company's information. Conducted on behalf of Iron Mountain Inc., the survey targeted companies with annual revenue of at least $750 million.

Perhaps most surprising among the survey's findings is that companies believe they're more familiar with federal requirements for information destruction than they actually are. While nearly three in four respondents (74 percent) express familiarity with federal requirements, fewer than one in three (30 percent) are aware of the Federal Trade Commission's Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule, one of the top laws governing U.S. businesses on information security and disposal. The FACTA Disposal Rule mandates that organizations properly dispose of papers that contain consumer information through methods such as burning, pulverizing or shredding so that the "information cannot practically be read or reconstructed."

It's not surprising that some companies seem unsure of the law. In the last five years, a myriad of state and federal legislation like FACTA has been enacted to protect consumers and their sensitive information. Currently 28 states have must-shred laws, and 43 have notification requirements for disclosing privacy breaches. With each new law, companies must revisit their policies and procedures for destroying information-an increasingly difficult task, given the variety and distribution of information across an enterprise. Fifty-nine percent of respondents feel familiar with their existing state laws.

Already overwhelmed, companies face even more rules for protecting information.

Some companies will soon have to contend with a new set of FACTA mandates from the FTC.

Effective Nov. 1, financial institutions and creditors must have a formal program for preventing identity theft. Commonly known as the Red Flag Regulations, these new guidelines require companies to identify and account for "red flags," defined by the FTC as "patterns, practices and specific forms of activity that indicate a possible risk of ID theft."

Along with these new regulations, the FTC appears intent on enforcing its Disposal Rule for the first time since its enactment in June 2005. In December, the FTC found against an Illinois-based mortgage company for improperly disposing of loan documents. As a result, the company must undergo a third-party audit every two years in the next 10 years and pay a $50,000 fine for leaving consumers' personal and financial information in and around a Dumpster near its office.

"The FTC is serving notice that it's no longer enough for companies to simply say they have a policy for shredding or information destruction" said Colleen Langevin, a vice president at Iron Mountain. "Now organizations must prove their policies and procedures actually work. Proving this means demonstrating good-faith efforts to document policies; train employees; audit behavior; and oversee service providers."

While questions over companies' compliance emerged as a key theme of the Iron Mountain survey, findings also lent insight into current behaviors around information destruction. Key findings included:

Shredding is a universal practice, but not universally compliant. Nine in 10 companies outsource their shredding, while more than half (57 percent) also rely on on-site commercial-grade shredding or incineration equipment. But less than one in four report on compliant destruction of consumer information (24 percent), or audit compliant policies and procedures (23 percent) based on best industry practices. Companies will need these audit controls to comply with the FACTA requirements.

Information destruction receiving greater attention. One in two respondents (54 percent) say their company's leaders paid more attention over the last year to how their company destroyed and disposed of sensitive information. And nearly one third (30 percent) report their company increased its budget over the same time for information destruction and disposal.

Training and policy compliance top companies' data privacy concerns. For those who have some familiarity with state, federal or pending legislation, nearly one third (30 percent) worry that company policies do not comply with newer legislation or that they will not comply if pending legislation is passed. Twenty-nine percent express concern with getting employees up-to-speed on new requirements.

New laws, bad press and customer demand drive data disposal. Two in three companies (66 percent) say it has become more important to formalize policies and procedures for destroying sensitive information. Those companies cited new laws (63 percent), negative press of data losses (43 percent), customer demand for information security (29 percent) and pressure from industry groups (28 percent) as the top reasons why.

Featured

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

  • 6 Ways Security Awareness Training Empowers Human Risk Management

    Organizations are realizing that their greatest vulnerability often comes from within – their own people. Human error remains a significant factor in cybersecurity breaches, making it imperative for organizations to address human risk effectively. As a result, security awareness training (SAT) has emerged as a cornerstone in this endeavor because it offers a multifaceted approach to managing human risk. Read Now

  • The Stage is Set

    The security industry spans the entire globe, with manufacturers, developers and suppliers on every continent (well, almost—sorry, Antarctica). That means when regulations pop up in one area, they often have a ripple effect that impacts the entire supply chain. Recent data privacy regulations like GDPR in Europe and CPRA in California made waves when they first went into effect, forcing businesses to change the way they approach data collection and storage to continue operating in those markets. Even highly specific regulations like the U.S.’s National Defense Authorization Act (NDAA) can have international reverberations – and this growing volume of legislation has continued to affect global supply chains in a variety of different ways. Read Now

  • Access Control Technology

    As we move swiftly toward the end of 2024, the security industry is looking at the trends in play, what might be on the horizon, and how they will impact business opportunities and projections. Read Now

Featured Cybersecurity

Webinars

New Products

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3