Document Disposal Law Kicks In
dougrun wrote to link to a story on MSNBC regarding a new federal law requiring individuals who handle other people's personal information to dispose of the data properly. From the article: "Recycling the paperwork isn't good enough -- it must be destroyed, the rule says, rendered useless to anyone who might stumble upon it. The FTC can sue and obtain fines of up to $2,500 for each instance of neglect."
A cute McDonald French Fry
Too bad the government has, quite naturally, exempted itself from this law.
"While the disposal rule only covers consumer credit reports and information derived from credit reports, experts say it's best to destroy anything that includes personal information because the definition is not crystal clear."
Considering I handle contact and billing information for ~50-100 customers per day this could get interesting (in a bad way) real fast. I'm just waiting for corporate to interpret whether this affects our paperwork or not, then change their minds a few weeks later and make us redo everything.
I really hope these masses of shredded papers aren't dumped in our landfills... I think we already have enough junk in there that won't be decomposing any time soon.
What about the work that is outsourced to foreign countries? Every now and then we hear stories about foreign workers taking liberties with personal information; a Federal law doesn't exactly cover foreign soil.
ELOI, ELOI, LAMA SABACHTHANI!?
-Ted
-=-=- Quantum physics - the dreams stuff are made of.
..make laws that, through our supposedly democratic system, on our behest and vote, "protect and serve" us by putting into black and white writ all that we deem harmful. With this in mind, my question is this: Who would most want to be protected from incompletely destroyed "sensitive" documents?
The article speaks of the "good it does for the little people" - but who asked for this law? Wouldn't it be better (and more targeted) to fine people who steal identity? Is the government going to spend billions checking every garbage can to enforce this law? This law reeks of one made for unwritten "other" purposes. Most likely this administration's own.
I smell something burning. Something shredded.
No, no sig. Really.
ThePromenader
While this could be seen as a good idea, why not let people make the decision NOT to do business with companies that have bad business practices and lose your personal information? why force every business to abide by these wasteful laws because a few companies fuck up?
so a few people mess up and we are going to hit EVERY business owner with a fine (increased costs of doing business due to destroying docs = fine)?
let the people decide who they do business with, company X loses people's info, company X goes out of business because people lose faith in them. Austrian economics at work!
Really. Just shred the documents and recycle them. It's not as if some people don't shred their documents. *cough*
It would, of course, be nice to get a pointer to the actual law, so we're not just blathering blindly about something that is really barely referenced in the article.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
One of the funniest TV commercials I've ever seen was an Xmas commercial that started out with snow falling down onto a city street to the tune of "Let it Snow, Let it Snow". The camera pans up toward the top of a nearby building. Eventually we see that most of the "snow" is really from a bunch of accountants frantically shredding documents Arthur Anderson style with the windows open. Then the announcer says, "Whether you've been naughty or nice, enjoy a cup of [product] this holiday season".
I would rather suggest not memorizing other people's personal information, for obvious reasons...
There you are, staring at me again.
Another step for personal privacy? Which country is this again?
The article says that the FTC can sue people for up to $2500 under this law, but is the FTC really the department enforcing this? I would assume that the only way stuff like this would get to the FTC is if someone came across their own information, in which case, wouldn't it make more sense for that person to sue the "company" in question under this law themselves?
"It's a grey area." "How grey?" "Somewhat of a charcoal shade."
The entirety of H.R.2622 Fair and Accurate Credit Transactions Act of 2003 and the specific section SEC. 216. DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS.
The actually important part of this is the regulations (which may be yet to be created) for what needs to be done to appropriately destroy associated data. Hopefully most people should be able to get away with just doing a single write of zeroes or pseudo-random data, while places like Equifax should be required to do a bit more work (because their collections would be especially valuable).
Of course, knowing the way that the political system works, it's probably going to end up being the other way 'round.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Just print them out and shred them! Problem solved! All of your sensitive data is safe, and the only copy of it destroyed!
That's what my grandmother (bless her soul) does every time she needs to get rid of information. Seems to work for her...
There is no way you could recover anything but wood pulp from those things. They rendered paper to a fluffy mass with individual chunks around a millimeter in size. I've never seen shredders as beefy as those for sale in the civilian world. I wonder if this is intentional...
$2500 doesn't seem to be a very harsh punishment for my personal data being compromised when the FCC can fine companies $11000 per do not call violation.
... the paperwork shreds you!
This law should be more severe.
Companies should not be allowed to keep sensitive, personal info for more than a few days after a transaction. If one comes back to a company to modify the transaction (refund, exchange, etc.), the customer can resubmit the sensitive info then.
Only federal government entities should ask for a social security number, and only state government entities should ask for driver's license numbers. All other entities (private, municipal, etc.) should generate their own identity codes, which should be destroyed after a reasonable time period.
We have similar laws here in Canada, but they are an utter joke. Under the BC Personal Information Protection Act, there are stiff penalties on paper, but the enforcement procedure requires a minimum of six months of attempting to affect things internally to the organization before an investigator from the privacy commissioner's office will even speak to you. Even then, the investigator doesn't really investigate anything; they just phone the organization that's in violation and ask them nicely not to do that. If the organization doesn't comply, it's back to square one with the six months of internal pressure. I left a job recently over this very issue... after I was asked to lower the security on the network, exposing insane amounts of client data to the bare internet. If the Act ever gets any teeth, my ass would be on the line. But I guess I needn't have worried, as there's no possibility of enforcement.
Stasis is death. Embrace change.
So you are required to destroy documents unless you knowingly do so when there's about to be a federal investigation that will require those documents, in which case you can be sent to prison for destroying them? Sounds like a good reason not to use paper at all...
What is the airspeed velocity of an unladen swallow?
African or European?
Unfortunately, companies can't be fined for breaching any aspect of the Data Protection Act, apart from when they don't pay the Information Commissioner their data controller register subscription fee!
So in the UK, you can dispose of personal information by leaving it on the street and you can't be prosecuted. The fine should be much higher though, and personal and punitive damages should be applied, IMO.
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
Why the need for a new federal law? This is already adequately handled by state tort laws. Looks like the federal government just wants to get its hands in the pie.
Anyway, fortunately this law only applies to credit reports.
In other words, someone who hires a nanny would probably not be under the purview of the FTC or any other such federal rule -- unless the nanny had to travel across state lines. Nonetheless, it seems that the rules would require that somebody providing you with the information would have to warn you that the information is protected -- and you'd probably be best off to destroy it properly just in case you should find that you're under FTC control because of some technicality.
In any case, they call for reasonable measures -- in other words, a little mom and pop (literally) operation hiring a nanny wouldn't have the same requirements as Equifax disposing of thousands of documents, so ripping up the mammy's credit/bond report and distributing the pieces between two or three different garbage cans would probably suffice.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
They would recycle old used paper by giving it to us as scrap paper. The problem with this was that these were customer lists with the CC and complete addr. I explained to them the concept of downstream liability, and it didn't take long before they found other papers to hand out.
Erik
medical records are already covered under HIPAA. this sounds like similar legislation, maybe not to the same extent as HIPAA, but with the same sort of intentions. if they enforce it like they do HIPAA, then the fine might stick. we already have extensive measures in place to comply with HIPAA, but those measures aren't out of the reach of small businesses or those with paper records.
I'm fairly sure the Gov't has passed a law that applies only to themselves, way back.
Or that may only apply to military. I'm not sure.
I have noticed a lot of web sites are horrible at protecting people's information. For instance, if a web site is able to email you your login password instead of just resetting it, that means they are not one-way hashing it, and it could be stolen, leaked, or looked at by employees... how many other sites are you using that same password for? Old deleted accounts end up in audit tables forever in some places. Not good. Some will say "be careful of what sites you sign up for"... but people won't be. Others will say "do not use the same password for 'weather action news' that you use for your bank account"... but most people do.
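The test the comment above describes (if a site can mail you your password, it is storing it recoverably) has a concrete counterpart on the server side. The following is an added example, not code from the original thread or from any site it mentions: it stores only a salted PBKDF2 hash, so the password cannot be recovered by staff or by whoever steals the table, and it replaces the "email me my password" feature with a short-lived, single-use reset token of which, again, only a hash is stored. The in-memory `USERS` table, the `PBKDF2_ROUNDS` work factor and the 15-minute token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "user table" for this example; a real site would use a database.
USERS = {}

# Assumed work factor; tune upward to what your login servers can afford.
PBKDF2_ROUNDS = 200_000


def store_password(username: str, password: str) -> dict:
    """Keep only a per-user salt and a one-way hash. The plaintext is never
    written anywhere, so an "email me my password" feature is impossible."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    record = {"salt": salt, "hash": digest, "rounds": PBKDF2_ROUNDS, "reset": None}
    USERS[username] = record
    return record


def verify_password(username: str, candidate: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["hash"])


def issue_reset_token(username: str, ttl_seconds: int = 900) -> str:
    """What the site should email instead of a password: a random, expiring,
    single-use token. Only its hash is stored, so a leaked table cannot be
    used to take over accounts with pending resets."""
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {
        "hash": hashlib.sha256(token.encode("utf-8")).digest(),
        "expires": time.time() + ttl_seconds,
    }
    return token


def redeem_reset_token(username: str, token: str, new_password: str) -> bool:
    """Consume the pending token (whether or not it matches) and, if it was
    valid and unexpired, replace the stored hash with one for the new password."""
    record = USERS.get(username)
    if record is None or record["reset"] is None:
        return False
    pending = record["reset"]
    record["reset"] = None  # single use: a wrong guess burns the token too
    if time.time() > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    store_password(username, new_password)
    return True


if __name__ == "__main__":
    store_password("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    tok = issue_reset_token("alice")
    print("reset ok:", redeem_reset_token("alice", tok, "new passphrase"))
    print("old password still works:", verify_password("alice", "correct horse battery staple"))
```

Two details worth noticing: the same password stored for two users yields two different hashes because each record gets its own random salt, and a reset token that is guessed wrong once is discarded rather than left open to further attempts.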
Any idea on how this law applies to copy shops? FedEx Kinko's, I know, does not have shredders.
Check these shredders out.
You need a bucket. The size of the bucket depends on the amount of paper documents to be destroyed. The bucket can be metal or plastic. Wax lined paper buckets will not work.
You tear up the paper documents into little pieces and put them in the bucket one handful at a time, sprinkling soggy coffee grounds on top of each layer. You then take a can or two, or more as needed of Pepsi(tm) and pour it on top. Mix the contents of the bucket. Preferably with a stick. You then piss in the bucket. Mix the contents again. Finally, you take a dump in the bucket. Mix thoroughly for the last time.
I 100% guarantee that no one will be able to read the documents - or even want to...
So this law says you need to shred the documents that contain personal information about another person. Well, what if you kill the other person? No need to shred hundreds of pages if you can take out one idiot.
Could probably use the same tool for both, too, assuming it's a big enough shredder.
From TFA: "The disposal rule, developed by the Federal Trade Commission, covers, all employers, large and small -- even those with only one employee."
Really? Since when did the FTC and Congress have any jurisdiction over intrastate commerce? Hiring a nanny would be covered under this law unless the nanny had to travel across state lines to get to work.
Many small, single employee businesses probably do not do interstate commerce and are also exempt, unless the state they are located has its own similar law.
Those documents could just be court records in the future.
Section 216 of the bill basically amends the Fair Credit Reporting Act, instructing "Federal banking agencies, the National Credit Union Administration, and the [Federal Trade] Commission" to "issue final regulations requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation." And they need to do so in ways that don't contradict one another or the Gramm-Leach-Bliley Act, a/k/a GLBA a/k/a Public Law 106-102. I did a quick search of GLBA and didn't find anything specific to such record destruction.
Got it. Federal banks, the National Credit Union Admin, and the FTC need to make rules on how people should dispose of credit reports.
So can anyone link the actual rules issued by any of these agencies? I struck out in finding those. And they're, y'know, the meat of the matter.
The stated intent is that smaller entities which rarely handle customer/consumer data will not be required to do 'heavy lifting' to dispose of their documents. That's stated in the report, and even alluded to in the rules. Bigger companies will fight to minimize what 'reasonable measures' entail, and smaller companies will benefit from that, because they'll be expected to have to do less (by dint of the wording of the rule).
As for "everything" being interstate commerce -- no. Things like websites are now effectively interstate (because they can reach anywhere), but an agreement between me and my nanny wouldn't be because it doesn't touch anywhere non-local. Even local investment-raising is under the purview of state investment boards, so you can still escape the control of the FTC there.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
We've found a solution for the deficit!
...of a lot of things that I work on. I have to sign NDAs stating that I will do so, and that I have done so.
It affects the interstate market for nannies, as well as the nanny's demand for interstate commerce, and thus constitutes interstate commerce.
More importantly, the records collection agency that you got the info on your nanny from is likely interstate (if not in their customer base, then at the very least in their information base). That could easily provide grounds for putting any information collected under the jurisdiction of interstate commerce. So just shred your nanny's credit report. Now it's probably the law, in addition to just being plain ethical.
I'll never make that mistake again, reading the experts' opinions. - Feynman
From the ChurchStreet's FAQ.
:)
10) Can the reconstruction software be purchased?
Not unless you are a qualifying intelligence agency. Our digitizing techniques and proprietary software cannot be purchased at this time unless your team is a high level governmental intelligence team. For others, ChurchStreet offers the reconstruction as a service, not as a product to be purchased.
Qualifying intelligence agencies should call ChurchStreet directly to get more information about our Reconstruction Software Suite.
This is just a simple(?) exercise in matching edges and colors at those edges to each other in all the pieces. This is how a standard jigsaw puzzle is assembled in 'meatspace'. ChurchStreet's software likely does this all inside the computer after the document shreds have been scanned in.
These guys are in the best position to write/adapt such software and make it available to the public at large--not just government intelligence organizations.
P.S. For secure document destruction, burn it--it is the only way to be sure the document cannot be reconstructed. This applies to assorted forms of computer related information storage and processing--just toss the hard drives, CD-ROMs, floppy disks, RAM chips, memory sticks, motherboards, CRTs, etc., into the nearest (approved) incinerator and be done with it. It's an environmental/safety nightmare but the data in the destroyed media is now gone for good.
Want to give the ChurchStreet boys an 'impossible job?' Do the following:
1) Print up a document in English using a monospaced font.
2) Cross cut the document so that each character is in its own square 'cell' and is completely surrounded on all four sides by whitespace.
3) Hire ChurchStreet to reconstitute this document and send them the 'confetti'.
They won't be able to reconstruct the document because all the pieces are edgewise topologically identical to each other. The best they can do is use all the 'letters' and reconstruct all the words in the document. If they accomplish that, then they have to put them into the right order. If the document had 58 words on it, there would be so many message combinations that you could easily assign each one to every atom in the universe.
If their 'proprietary' document reconstruction techniques take into consideration the texture, grain, and thickness of the paper, then they would stand a fighting-to-good chance of reconstituting such a 'challenge document'.
I remember a MacGyver episode where he reconstructs a burned paper - so yeah, it can be done, because I saw it on TV!