The coverage of identity theft in the media is at an all-time high and the public is concerned about what companies and government officials are doing to protect them. As a result of increased coverage and the inevitable scrutiny that goes with it, a lot of dealers are left to sift through the misinformation and myths about required document disposal laws and develop a system that protects their customers and complies with state and federal regulations (without breaking the bank). But complying with the Disposal Rule under the Fair and Accurate Credit Transactions Act of 2003 doesn't have to be an arduous task. Here, we’ll explore the five myths preventing dealers from implementing an easy and convenient document disposal process that complies with the law.

1. Identity-theft laws only protect the consumer.

While compliance to the various state laws and federal regulations is important from several perspectives, including the avoidance of financial penalties and civil litigation, sound business practices like a good document destruction program can protect a dealer’s good name.

Consider all the non-customer credit information that gets printed in your store and is not covered by laws and regulations: sales reports, e-mails, HR files, strategy planning, and marketing outlines. If it goes into a trash can, it ends up in the dumpster. This makes that information fair game for anyone to read. Dumpster diving does happen and not just by your competitors. News organizations and even attorney generals have been known to do so as well.

"In this ever-changing world we live in, where more and more information is transmitted over the Internet, a lot of people think that a lot of identity theft is really something that takes place over the Internet and on computers," says Texas Attorney General Greg Abbott. "That’s true. However, the reality is most identity theft still takes place the good old-fashioned way, which is based upon hard documents."

2. Regulations require me to make certain information unreadable, but they do not tell me how to do it.

Some state identity-theft prevention acts only require a lesser "unreadable" standard. According to the federal FACTA law, documents can be destroyed by:

"Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed."

(They are kidding about the ‘burning’ suggestion, right?) You can be confident that compliance to the federal disposal rule will satisfy the disposal requirements imposed at the state level.

3. A written document disposal policy that is distributed to my staff keeps me in compliance.

The answer to that statement is "almost." A written policy is the first step toward compliance with the disposal rule. Next, you must train your associates on the policy. Here's what FACTA says about that: "…reasonable measures are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training." Finally, you must provide your staff with a means to comply with the policy. You do have options when it comes to this part of the rule, including in-house shredding, a unique new national destruction service, or the best known option described in the next myth.

[PAGEBREAK]

4. The only way to get documents shredded is to use one of those expensive document destruction trucks.

This is an option, especially if your store is in or near a metropolitan area. Rural areas may not have access to this service. If you can get service, your choices will be between mobile and "plant-based" shredding services. Either service will provide you with collection consoles at no additional charge. The consoles are serviced on a defined weekly or bi-weekly schedule whether empty or full. You can expect to pay between $25 and $50 per console for the service, depending on how many consoles you use.

Remember that the disposal rule dictates requirements for due diligence for these vendors (as addressed in the next myth). Using certified vendors saves you the trouble of qualifying your vendors. Be aware that most document destruction vendors are not certified.

For dealers in rural areas, a new option is available from Maxxafe System, a Dallas-based company that has partnered with FedEx to provide nationwide document disposal service. The Maxxafe system provides shippable containers that hold around 4,000 sheets of paper, which you can place throughout the store.

With Maxxafe's on-demand system dealers pay for usage and the cost of transportation. Shredding of each container will cost under $20. FedEx will come to the dealership when called, and will scan the container and transport it to the company for secure destruction and recycling. Additional, the company makes a compliance measurement (i.e., proof in the event of a regulatory inquiry) available online. It includes customized tracking reports.

5. Buying shredders is the best way to get into compliance.

This couldn't be further from the truth. In addition to the issues of cost (purchase and maintenance of containers, and employee time) and low capacity, even if you expect your employees to shred your covered information you retain liability in the event of a breach.

The federal government has provided important guidance and an unusual exclusion from liability when a business associate agreement is signed with a third party for document destruction services. Here's what the rule says: "After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material … due diligence could include reviewing an independent audit … requiring that the disposal company be certified by a recognized trade association …"

So before selecting your vendor, do your homework or rely on an industry-recognized certification. One association that offers a highly respected certification program for secured document destruction is the National Association for Information Destruction (NAID).

An effective disposal policy will minimize a dealer's liability. Once again, the disposal rule offers guidance for compliance: "Take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer information at issue; notify the service provider that such information is consumer information; and enter into a contract that requires the service provider to dispose of such information in accordance with the rule."

Looking beyond the liability issue, consider the environmental impact of using a shredder to destroy documents. Vendors certified through the NAID recycle the shredded paper, which is an eco-friendly solution. With 93 percent of consumers indicating they prefer doing business with companies who practice environmental stewardship, a dealership can tout the positive impact its document destruction program has on the environment and the security of the customer’s personal information.

Compliance is possible and help is available.

Complying with identity-theft prevention laws is achieved by creating a written policy, training your associates on it, and giving them a measurable means to comply. Select a vendor, preferably one who is NAID certified, and enter into a business associate agreement that clearly explains your expectations. Don’t let the myths of an inadequate plan put your store on the six o'clock news or earn a visit from your state attorney general.

0 Comments