Secure Document Shredding and California Law

For guidance on compliant secure document disposal practices, most businesses and organizations look to federal regulations, such as HIPAA and FACTA. But the State of California has long had a record for enacting its own consumer and environmental protection laws that go above and beyond what most states require. The same is true for the laws governing how businesses handle personal information and sensitive documents.

If you’d like to read the entire California civil code yourself, you can do so online. But we thought we’d save you some time by pulling out a few salient lines that pertain to privacy, document security and your business. Take note of these important reminders from the law.

If Personal Information is Compromised, You’re Responsible

California Civil Code Section 1798.81 says that a business must take “all reasonable steps” to dispose of, or arrange for the disposal of, all documents containing personal information by means of “(a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” (Emphasis added.)

That last bit is particularly important. Instead of laying out specifically how obscured the data has to be (e.g., cross cut, ribbon cut, formatted), California law says that it must be completely unreadable by any means. So, even if you shred a document into tiny fragments and someone comes along and pieces it back together or uses special scanning software to digitally restore it, you’re responsible, in spite of your good intentions. The same is true if a third party digs old hard drives out of the trash and uses data recovery software to extract personal information from them.

The lesson: err on the side of caution. Don’t underestimate the persistence of identity thieves, and don’t stop anywhere short of completely eradicating your data.

Compromised Electronic Data Equals Bad PR and High Costs

California Civil Code Section 1798.82 states that any breach of the security of a system containing personal data must be disclosed to all California residents whose information may have been compromised as soon as the breach is detected. While this law typically applies to servers that have been hacked, it holds true for hard drives that may have fallen into the wrong hands. The law states that you must send an electronic or written notice to each person who may have been affected by the security breach. Given that a hard drive can hold hundreds of thousands of records, that’s a lot of letters and emails! According to the law, if the cost of sending out a notice exceeds $250,000, then you can notify the public via a prominent notice on your website or via a major statewide media outlet.

At any rate, even if no one’s identity is stolen and no other adverse impacts result from a security breach, such as a box full of used hard drives being stolen off the back of a truck on its way to the landfill, you’re facing a potential PR nightmare. Publicly announcing that your servers or data systems were compromised can shake the confidence of existing or potential customers that you will be a good steward of their sensitive data, and that can be bad for business in the long run.

The Law is Not on Your Side

The California state legislature takes privacy concerns seriously, and their number one priority is protecting the personal information of individuals, not cutting businesses a break. That sentiment is summed up in the opening line of California Civil Code Section 1798.81.5, which says: “It is the intent of the Legislature to ensure that personal information about California residents is protected.”

The lesson: You won’t get much sympathy from the court if it comes down to a legal action. Your best defense is a well-documented record of your due diligence, including dates when documents and digital media were destroyed and a Certificate of Destruction indicating the time, place and manner of destruction.

We can help you cover those bases and more with our mobile shredding services. From hard drives and DVDs to file boxes and office papers, we can shred all of your sensitive documents to the point of unreadability by any means on-site.

Call Go Green Mobile Shredding at (877) 821-0217 for more information.