The increase in identity theft crimes has resulted in the enactment of
several federal laws designed to protect consumers' private information.
Some states have also enacted laws, including the states of California,
Wisconsin and Georgia. In the state of Georgia, the primary law all businesses
should concern themselves with is the Georgia Information Privacy Act SB475.
Georgia Information Privacy Act SB475
Georgia State Bill 475 was passed to ensure all companies properly destroy
any document that contains individuals’ private information. Specifically,
section 10-15-2 states:
A business may not discard a record containing personal information unless it:
- Shreds the customer's record before discarding the record;
- Erases the personal information contained in the customer's record
before discarding the record;
- Modifies the customer's record to make the personal information unreadable
before discarding the record; or
- Takes actions that it reasonably believes will ensure that no unauthorized
person will have access to the personal information contained in the customer's
record for the period between the record's disposal and the record's
In addition to Georgia’s law, the following federal laws also require
businesses to properly destroy any document containing personal information.
The Fair and Accurate Credit Transactions Act of 2003, also known as the
FACT Act, was signed into law on December 4, 2003. The Act amends the Fair
Credit Reporting Act (“FCRA”). The Act contains a number of
provisions intended to combat identity theft, consumer fraud and related
crimes. Specifically, the Act requires the destruction of PAPERS CONTAINING
CONSUMER INFORMATION. Virtually every business or organization is bound
by this law.
The DISPOSAL RULE
Sec. 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses consumer
information, or any compilation of consumer information, for a business
purpose must properly dispose of such information by taking reasonable
measures to protect against unauthorized access to or use of the information
in connection with its disposal.
(b) Examples. Reasonable measures to protect against unauthorized access
to or use of consumer information in connection with its disposal would include:
(1) Implementing and monitoring compliance with policies and procedures
that require the burning, pulverizing, or shredding of papers containing
consumer information so that the information cannot practicably be read
The Health Insurance Portability and Accountability Act (HIPAA) was enacted
in 1996 and includes provisions intended to safeguard the privacy of patient
health records. HIPAA is a significant piece of legislation with onerous
penalties. The full text of the SUMMARY OF THE HIPAA PRIVACY RULE from
the Department of Human Services is available online at: http://www.hhs.gov/ocr/privacysummary.rtf.
See page 14 of this document with regard to shredding information.
GLB (Gramm Leach Bliley)
Gramm Leach Bliley (GLB) is another federal law with a much broader scope
than HIPAA. This law was designed to compel financial institutions to
“respect the privacy of its customers and to protect the security
and confidentiality of those customers’ non-public personal information.”
This language suggests that paper documents containing such personal information
should also be protected when in use and safely destroyed when no longer
current and usable.