Slashdot Mirror


Document Disposal Law Kicks In

dougrun wrote to link to a story on MSNBC regarding a new federal law requiring individuals who handle other people's personal information to dispose of the data properly. From the article: "Recycling the paperwork isn't good enough -- it must be destroyed, the rule says, rendered useless to anyone who might stumble upon it. The FTC can sue and obtain fines of up to $2,500 for each instance of neglect."

14 of 146 comments

  1. Re:Sigh... more landfill trash... by AKAImBatman · · Score: 2, Informative

    I really hope these masses of shredded papers aren't dumped in our landfills

    1. Where do you think it all goes now?

    2. Shredding the paper most likely *helps* it decompose as it provides more corners and surface area for the bacteria to attack.

  2. Re:What about online electronic records? by darkonc · · Score: 2, Informative
    And what happens if someone hacks into your computer?

    It seems to talk about disposal, not storage, so if someone breaks into your computer, then I'd guess it's not covered. On the other hand, I'd strongly suggest that people get a Knoppix CD and learn to type 'shred /dev/hda' before they throw their computers into the dumpster.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  3. Re:Work will be fun... by darkonc · · Score: 2, Informative
    Step 2: Buy a stove that can burn paper

    Some cities (at least it's the case here in Vancouver) have zoning bylaws that don't allow regular wood (or, by implication, paper) burning fireplaces and stoves to be installed anymore. This may not be feasible.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  4. Re:What about online electronic records? by Detritus · · Score: 2, Informative

    The United States Government takes it seriously. While they may be exempt from this law, there are regulations and policies in place to safeguard personal information. These policies are stricter than anything you're likely to find in the private sector.

    --
    Mea navis aericumbens anguillis abundat
  5. Re:The actual law by darkonc · · Score: 4, Informative
    OK: Found it.

    The entirety of H.R.2622 Fair and Accurate Credit Transactions Act of 2003 and the specific section SEC. 216. DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS.

    The actually important part of this is the regulations (which may be yet to be created) for what needs to be done to appropriately destroy associated data. Hopefully most people should be able to get away with just doing a single write of zeroes or pseudo-random data, while places like Equifax should be required to do a bit more work (because their collections would be especially valuable).
    Of course, knowing the way that the political system works, it's probably going to end up being the other way 'round.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
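Comments 2 and 5 both come down to the same advice: overwrite the media before it leaves your hands, and check that the overwrite actually happened. The script below is an added example for this thread, not code posted by darkonc or anyone else here. It is POSIX sh and assumes dd, head -c, wc, tr, grep -a, mktemp and /dev/urandom are available; the temp file and the SSN/account marker it seeds are constructed test data, and the target is a regular file standing in for a block device (on a device you would take the size from `blockdev --getsize64` rather than `wc -c`).

```shell
#!/bin/sh
# Added example (not from the thread): two-pass overwrite of a file or block
# device, then a check that a known marker string is gone.  Assumes POSIX sh,
# dd, head -c, wc, tr, grep -a, mktemp and /dev/urandom.  The marker string
# and the temp file in demo_wipe are constructed test data.

# byte_size PATH: size in bytes of a regular file.  For a block device on
# Linux substitute `blockdev --getsize64 PATH` (assumption: not exercised here).
byte_size() {
    wc -c < "$1" | tr -d ' '
}

# wipe_target PATH: pass 1 writes zeros, pass 2 writes pseudo-random bytes,
# each exactly the target's size.  conv=notrunc keeps the file length so the
# overwrite lands on the already-allocated range instead of truncating first.
wipe_target() {
    target=$1
    size=$(byte_size "$target")
    head -c "$size" /dev/zero    | dd of="$target" conv=notrunc 2>/dev/null
    head -c "$size" /dev/urandom | dd of="$target" conv=notrunc 2>/dev/null
    sync   # push the writes out of the page cache before anyone inspects the media
}

# verify_wiped PATH MARKER: succeeds only if MARKER occurs nowhere in PATH
# (grep -a scans the now-binary contents as text, -F takes MARKER literally).
verify_wiped() {
    if grep -a -q -F -- "$2" "$1"; then
        return 1
    fi
    return 0
}

# has_nonzero_bytes PATH: succeeds if the random pass really ran; an all-zero
# target means only pass 1 happened or /dev/urandom was unavailable.
has_nonzero_bytes() {
    [ "$(tr -d '\000' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# demo_wipe: end-to-end run on a temp file seeded with constructed PII.
# Prints "wiped" and returns 0 on success, a diagnostic and 1 otherwise.
demo_wipe() {
    f=$(mktemp) || return 1
    printf 'name=Jane Doe SSN=123-45-6789 acct=4111111111111111\n' > "$f"
    wipe_target "$f"
    if verify_wiped "$f" "123-45-6789" && has_nonzero_bytes "$f"; then
        rm -f "$f"
        echo wiped
        return 0
    fi
    rm -f "$f"
    echo "marker still present or random pass missing"
    return 1
}
```

Two caveats worth keeping next to this. First, overwriting a *file* is only trustworthy on filesystems that write in place; on journaling or copy-on-write filesystems the old blocks may survive, which is why the thread's `shred /dev/hda` targets the whole device rather than individual files. Second, an overwrite never reaches sectors the drive has remapped, spare flash blocks, or a hidden area (HPA/DCO), so for SSDs and any drive whose contents are sensitive enough to matter, the drive's own sanitize or secure-erase command (or encrypting the disk up front and destroying the key) is the right tool; this script is the "single write of zeroes or pseudo-random data" that comment 5 describes, plus the verification step that tells you it actually ran.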
  6. I used shredders in the Navy by Urusai · · Score: 2, Informative

    There is no way you could recover anything but wood pulp from those things. They rendered paper to a fluffy mass with individual chunks around a millimeter in size. I've never seen shredders as beefy as those for sale in the civilian world. I wonder if this is intentional...

    1. Re:I used shredders in the Navy by technothrasher · · Score: 2, Informative
      I've never seen shredders as beefy as those for sale in the civilian world.

      They're available, but I haven't actually seen one in use outside of the military or defense contractors.

  7. Re:ugh by Anonymous Coward · · Score: 1, Informative

    While this could be seen as a good idea, why not let people make the decision NOT to do business with companies that have bad business practices and lose your personal information? Why force every business to abide by these wasteful laws because a few companies fuck up?

    Because of the company I work at. We routinely throw entire pages of customer information in the trash and recycle bin: these contain names, addresses, telephone numbers and social security numbers among other info. I have been trying to get my boss to mandate that we shred/destroy the paperwork with customer info, but he doesn't give a crap. So far no one has had their identity stolen through us that we know of. And I guarantee you that none of our customers know we do this. So they can't make an informed choice.

    I am going to point this article out to my boss first thing Monday and hopefully he will FINALLY decide to do at least minimal destruction of the paperwork we toss out.

  8. Re:And all those outsourced jobs? by hughk · · Score: 2, Informative
    The organisation doing the outsourcing must be able to show that they applied due diligence when qualifying the supplier/service provider. You cannot be permitted to outsource responsibility.

    If Ford sells you a car with tires imported from another country and they keep blowing up, it is still Ford's responsibility.

    --
    See my journal, I write things there
  9. Likely toothless by SleepyHappyDoc · · Score: 4, Informative

    We have similar laws here in Canada, but they are an utter joke. Under the BC Personal Information Protection Act, there are stiff penalties on paper, but the enforcement procedure requires a minimum of six months of attempting to affect things internally to the organization before an investigator from the privacy commissioner's office will even speak to you. Even then, the investigator doesn't really investigate anything; they just phone the organization that's in violation and ask them nicely to not do that. If the organization doesn't comply, back to square one with the six months of internal pressure. I left a job recently over this very issue...after I was asked to lower the security on the network, exposing insane amounts of client data to the bare internet. If the Act ever gets any teeth, my ass would be on the line. But I guess I needn't have worried, as there's no possibility of enforcement.

    --
    Stasis is death. Embrace change.
  10. Re:define "destroyed" by thogard · · Score: 2, Informative

    The easy way is you scan each rectangle and then run length encode each edge and you sort that in combination with length, and you end up with a nice list of which bits go next to which other bits. If the shreds are smaller than 2mm x 2mm, it's trivial to decode if you can get all the bits scanned.

  11. Re:No Way to Win by Anonymous Coward · · Score: 2, Informative

    That is pretty much my thoughts on it, Alaska.

    Bad guy does bad things with data found in recycle bin. We all agree that bad guy is a criminal. So do we punish bad guy? ...No... We punish the business.

    I've been a victim of this kind of thing before myself. I worked in a pharmacy that also did home care. I had to go out to this patient's house that was way out in the boonies in a trailer complex. The kind of place that has 60 miles of dirt roads around it with no addresses and no street signs. As the medical profession had already performed maximum cash extraction from this family, they no longer had a phone of any kind, so calling for directions out to RR-1102-L22-22 was simply impossible (and the post office can't legally give you directions anymore to those RR addresses due to an antistalking law).

    One of the RN's had made a map & another with directions to the place and stuck it in the patient's medical record. After talking with the RN, I retrieved the medical record and made a copy of that page, the page with the map, and stuck them in my folder so I could find my way out there. Didn't think another thing of it; we frequently exchanged maps of this type among the different services for the patients.

    When I got back to the office, I stuck the folder with only the map, directions, and other stuff completely related to my job function in with the rest of my work stuff in the employee (non-public accessible) area; it had plenty of other maps I had hand drawn for the same reason, our customers were in a 190 mile radius and most of that is pretty rural.

    Some pinhead came across it over the weekend and noticed the stripe on the top (which is on all of our medical records). Result? My contract with pharmacy terminated for improper medical records storage, and no chance to tell my side of story.

    It contained no personal medical information other than the patient's name and their pharmacy ID-code (which is on the order sheets for everything anyway, and I had to keep those as part of my contract, and even the Fed-Ex boxes we ship to them). Everything else I had blacked out with a piece of paper while copying. There was no issue with release, and no issue with non-authorized access (all of these patients signed a release which covered us). I ran it over with my lawyer and we couldn't find anything illegal in my actions, nor anything that violated patient confidentiality (I had full sets of signed releases from the patients, the pharmacy, the nursing company), but I was a contractor and not an employee so I couldn't do much about it.

  12. Re:What about online electronic records? by anthony_dipierro · · Score: 2, Informative

    It applies to online records, but 1) it only applies to consumer credit reports, and 2) it only applies to disposal, not storage. From FTC.gov:

    The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to - or use of - information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
    ...
    * destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
  13. Re:What about online electronic records? by The+Snowman · · Score: 3, Informative

    The United States Government takes it seriously. While they may be exempt from this law, there are regulations and policies in place to safeguard personal information. These policies are stricter than anything you're likely to find in the private sector.

    Specifically, the Privacy Act of 1972. In a sentence, it mandates that all federal government employees will treat personal information with respect.

    --
    24 beers in a case, 24 hours in a day. Coincidence? I think not!