National pharmacy chains such as CVS and Walgreens are not the only ones to experience “dumpster-diving” by investigative reporters. These drugstores were merely the first to be featured in media reports about customers’ personal information being disposed of without being destroyed first, a violation of state and federal privacy laws.
Local reporters have since rummaged through the trash of mortgage brokers, title insurance companies, fitness centers, banks, law firms, hospitals and government organizations.
While searching through the trash, investigative reporters found plenty of discarded Starbucks cups, take-out food wrappers and banana peels. Unfortunately, they also found prescription bottles containing patients’ names and the names of prescribed drugs, as well as Social Security numbers, credit card numbers, banking and financial information, and other personal data.
Journalists across the nation have gone trash-diving, identifying companies who fail to comply with federal and state privacy and security requirements pertaining to the disposal of confidential information.
Some U.S. regulators seem to welcome investigative reporters’ efforts. The Indiana Attorney General, along with attorneys general in other states, has filed complaints against the pharmacies whose trash revealed personally identifiable patient information, and has opened investigations into the other violations. The Indiana State Board of Pharmacy and the Indiana Department of Insurance have also filed complaints and, in some cases, imposed fines.
On the federal level, the U.S. Federal Trade Commission, which enforces privacy and investigates security breaches, opened at least one investigation against an Indiana business after a reporter revealed that the company was not shredding documents containing Social Security numbers and other personal information.
All of these unfavorable outcomes cost the companies a considerable amount of money, caused considerable stress, and diverted countless hours of management and employee time away from core business activities.
Is your organization next? And what can you do to protect yourself?
First and foremost, you can comply with federal and state obligations to destroy confidential information securely.
Indiana disposal laws require all companies and government organizations to dispose of confidential personal information pertaining to customers, employees, patients and other individuals in a secure manner, such as by shredding, pulverizing or burning. Similar federal obligations apply to most industries.
Companies should be particularly vigilant about irreversibly destroying Social Security numbers, credit card numbers, financial information or identifiable health or benefit information, because such data are particularly sought-after by identity thieves. The improper disclosure of this information also triggers notification obligations to the affected individuals.
Companies that dispose of non-paper files containing personal information, such as disks, remote devices, and video or audio tapes, must take extra steps to dispose of that data.
Companies need written policies requiring appropriate and secure data destruction, and should train their employees, including new hires, temporary employees and contractors, to comply with these requirements.
However, having written policies and not following them can get you into additional trouble. The FTC generally considers that to be a deceptive trade practice. (And not having the policies at all may be considered an unfair trade practice.)
Companies should also conduct periodic monitoring to ensure that their employees are complying. The policies and the training should stress repercussions for employees who don’t follow the rules; privacy regulators look at the company’s actions taken for noncompliance when they evaluate sanctions and other remedies against the company.
Invest in shredders and locks for your dumpster. Hire vendors to burn or shred your documents. I’ve also found that pouring leftover coffee and spoiled food all over shredded trash works as a good deterrent to snooping.
Antokol is a partner with Baker & Daniels, LLP and chairs the firm’s privacy and data management group. Views expressed here are the writer’s.