Image: American Mobile Shredding and Recycling worker
Tim Boyle  /  Getty Images
A new federal law requires those who handle other people's personal information to dispose of the data properly.
By Bob Sullivan Technology correspondent
updated 6/3/2005 2:19:01 PM ET 2005-06-03T18:19:01

Got a nanny? Or a tenant? Then you probably need a paper shredder. Or at least a wood-burning stove.

On Wednesday, a new federal law kicked in requiring those who handle other people's personal information to dispose of the data properly.  Recycling the paperwork isn't good enough -- it must be destroyed, the rule says, rendered useless to anyone who might stumble upon it.

The disposal rule, developed by the Federal Trade Commission, covers, all employers, large and small -- even those with only one employee. 

"You might be surprised," warned FTC attorney Catherine Armstrong.  "If you hire a contractor or a nanny, you are covered by this law."

Even if you ordered a background check on your kid's coach, or nanny, or -- as is the latest trend in online dating -- on a prospective blind date, the law applies to you.

Transgressions -- such as tossing paperwork containing personal information into a recycling bin, or leaving it on a discarded computer's hard drive  -- might be costly.  The FTC can sue and obtain fines of up to $2,500 for each instance of neglect.  State attorneys general can also enforce the law. Victim consumers can, too. People who spot their old medical forms in a dumpster outside a doctor's office can obtain damages of up to $1,000, the rule says, if a judge agrees the dumpee was willfully negligent.

Carelessly discarded consumer reports have swelled in recent years, as the use of such data has become much more widespread. Background checks involving credit reporting data and other information have become increasingly common -- even by home consumers -- as companies like ChoicePoint make accessing reporting data easier and cheaper.  For its part, ChoicePoint says it is now training its operators to warn consumers doing "nanny checks" that they'd better be careful how they throw out that data.

'Need to plug the gaps'
The disposal rule is part of the 2003 Fair and Accurate Transaction Act, which contains dozens of provisions designed to slow the growth of identity theft, a crime that affects about 10 million Americans each year.

Some financial institutions and medical offices were already covered by other laws mandating safe records disposal, but the new regulations cover a wide swath of industries that deal in consumer data: mortgage brokers, auto dealers, private investigators, to name a few.

"We needed to plug all those gaps," said Michigan State's Judith Collins, author of Preventing Identity Theft in Your Business.

The 2003 law instructed the FTC to come up with proper disposal rules, which it published in November. Data-gatherers had 6 months to get their acts together and get to the shredder store.

Alas, much like consumers who line up outside air conditioner retailers on the first hot day of summer, shredder sales didn't really begin to spike until this week, said John Fellowes, spokesman for Fellowes Inc., a shredder maker. Of course, the law is seen as a boon for the industry.  Fellowes said his business saw a double-digit percentage spike in recent days.

Privacy advocates said the rule will also be boon for consumers.

While the disposal rule only covers consumer credit reports and information derived from credit reports, experts say it's best to destroy anything that includes personal information because the definition is not crystal clear.

"I certainly think it's a good idea that we have some better business practices," said Tena Friery, research director at the Privacy Rights Clearinghouse. "It is a step in the right direction."

Won't dent the problem
But the shredder rule won't necessarily do much to reduce ID theft, Collins said. Catching sloppy nanny employers won't even dent the problem, she says, because most identity theft is caused by inside employees who steal data -- not street thugs digging through garbage cans.

What it will do is cut down on a number of embarrassing news stories showing just how easy it has been to steal data while sifting through neighborhood trash.

Sen. Bill Nelson, R-Fla., who is credited with inserting the disposal rule into the FACT Act, began a crusade against sloppy data trash practices in 2002 after the discovery of 1,000 customer files outside a financial firm in Naples, Fla.

The discovery was made by NBC affiliate WBBH-TV, in Fort Myers, Fla. The files contained everything from Social Security numbers to credit reports neatly organized in boxes, said Gregg Palermo, who runs the station's investigative unit.  Subsequent dumpster diving stories by his station uncovered discarded files outside law firms and government records of lottery winners.

Those news stories, Nelson's office said, were the motivation for the FACT Act disposal provisions.

Old-fashioned methods
How can consumers make sure they are in compliance with the FTC rule? Of course, for those who felt comfortable cutting up credit cards and disposing of them, the manual method is still available, Fellowes said. When his father -- credited with bringing shredding to home consumers -- clipped old credit cards into two pieces, he was sure to drop the halves into different garbage bins. But torn consumer paperwork must be ripped so well that the data on them is indistinguishable, according to the new FTC rule. "If you do rip it, you have to rip it into fine bits," Fellowes said.

Burning is also an option, "if you sit there and watch it burn," said Chris Ockenfels, president of the National Association for Information Destruction, a new industry group. 

Shredders are the automated solution. Traditional "strip" shredders create about 15 pieces that can be reassembled -- an annoying, but achievable task for identity thieves .  Cross shredders chop documents into about 300 pieces.

Digital documents pose their own disposal challenges. The FTC says simply deleting contents from an e-mailed criminal background check isn't enough. The data must be destroyed and irretrievable.  When an old computer is thrown away, physical destruction of the hard drive is recommended, Ockenfels said. 

But until companies and data users become diligent destructors, criminals will continue to find data lying around neighborhoods.

"It's happening in every city all across the nation, every day," he said. Destroying data is estimated to be an over $2 billion-a-year business he said.

All that destruction is a good idea, Collins said.  But she warned that diligent shredders might end up with disappointing results.

"I encourage everyone to shred their own documents but for goodness sake, the problem of someone stealing their information from a dumpster is considerably less than when they go to work and give that out information at the workplace."

Bob Sullivan is author ofYour Evil Twin:  Behind the Identity Theft Epidemic

© 2013 Reprints


Discussion comments


Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments