More than 9 million U.S. consumers were victims of identity theft in 2004. Contrary to popular belief, most of these thefts resulted from sifting through trash, not electronic hacking. While nine out of 10 large companies employ someone whose sole function is dealing with competitor intelligence (espionage), you probably spend little time worrying about record storage, recycling or trash disposal.
As an electrical contractor, you face potential exposure on two fronts. First, you must protect consumer information in your possession. Second, you have a duty to manage your business records appropriately, to preserve your right to protection of proprietary information.
The Fair and Accurate Credit Transactions Act (FACTA) of 2003, effective June 1, 2005, amended the Fair Credit Reporting Act, directing the Federal Trade Commission (FTC), Securities and Exchange Commission, and several other federal agencies to implement consistent rules for the disposal of sensitive consumer report information.
The FTC’s published Disposal Rule applies to “any person over which the FTC has jurisdiction that, for a business purpose, maintains or otherwise possesses such consumer report information,” and requires that entity to “take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
The law covers “any business, school, or other entity that collects sensitive personal information,” such as Social Security numbers and driver’s license information, as well as third parties who purchase or acquire this information. If you have employee records, such as I-9 or benefits forms, you possess this type of information. If you collect credit report information for customers, you are covered by these regulations.
Why are federal agencies, Congress and states such as Georgia, Florida and Wisconsin concerned enough about records disposal to enact these so-called “shred laws,” dictating the methods by which businesses dispose of records? A recent study by the financial industry and an FTC survey revealed that most identity theft results from “dumpster diving.” It is not illegal to take what has been discarded, so whatever goes into your open wastebaskets is fair game.
The FBI estimates that information theft costs businesses billions of dollars per year. Businesses may be liable for the theft of employee and customer information, and exposure of proprietary information such as trade secrets or customer lists. Most victims never know of the theft.
As a professional electrical contractor, you presumably manage your records for compliance with the law and efficient retrieval, but you may be ignoring the importance of having a retention schedule as well as policies and procedures for the disposition of records.
Casual discarding of “incidental” records may expose your company to potential legal challenges. According to the U.S. Code 3301, Chapter 44, these “nonrecords” include photocopies, routing slips, transmittals and other daily records that have no value beyond their immediate use, with a “lifetime” of minutes, days or weeks. Comprising some 60 percent of office waste paper, these records contain information that may cause you to forfeit your right to protect your trade secrets.
A famous 1973 case involved a multimillion-dollar settlement paid to an Iowa State University professor, who used a drawing on a cocktail napkin to prove that he had originated the idea of the computer in 1937. In a precedent-setting 1950s case, a Detroit armored car manufacturer unsuccessfully sued former employees for using stolen trade secrets to start a competitor, when the evidence from its trash included customer lists and design information.
The court ruled that the company had not properly protected the information. In 1987, the Supreme Court ruled, in California v. Greenwood, that the same forfeiture of rights applied to information taken from the trash, affirming that it was not illegal to take discarded information.
The Economic Espionage Act of 1996 gave the Department of Justice standing to prosecute trade infringement cases directly on behalf of the victims, as long as the victim took “all reasonable measures” to identify and protect the information.
One measure of your intent to protect information is the degree of employee exposure, so use a “need-to-know” yardstick to measure employee access to proprietary and confidential information. You should also make sure to implement a consistent, documented process for scheduling retention and disposal of all records, in all locations.
What should this process include? Should you store, recycle or shred your outdated documents? How will you evaluate vendors and subcontractors? What are your potential areas of liability? Should you be concerned about the post-Watergate perception of auditors, prosecutors or customers that you are hiding something if you choose to shred records? Next month, we’ll look at your options.
NORBERG-JOHNSON is a former subcontractor and past president of two national construction associations. She may be reached at firstname.lastname@example.org.