Corporate records retention policy and federal regulations

July 6, 2009 · Posted in: HR Info Center

Your records retention policy needs to verify total and complete records disposal

Disposal rules are another example of the FTC taking a rather narrow law, just as they took the GLBA Safeguards Rule, and applying it as a best practice in records retention policy to other types of companies as well.

The disposal rule arises under the Fair and Accurate Credit Transactions Act, which amended FCRA, the Fair Credit Reporting Act. This rule applies to consumer reports and background checks – the same sort of document that would be covered by FCRA.

The rule here is that when you dispose of a consumer report or background check report, you have to take reasonable measures to protect that data from unauthorized access in the disposal process.

So a plain and simple example is shredding documents before recycling them, or burning or pulverizing them, as the regulation also suggests. Also, if you’re using electronic media like CDs or hard drives, you have to make sure that the data is rendered unreadable before you dispose of it.

Records retention policy and data destruction operations

So even if the data is old, even if there’s a question about whether it really could be used for identity theft, take the precautions and follow the disposal rule in getting rid of those records.

There are also related questions that come up here in practice. For instance, if you use a vendor for shredding your documents, do you actually know what steps the vendor takes to keep those documents secured before they’re shredded? Are they kept in locked bins, for instance? How are they transported?

How do old hard drives affect your records retention policy?

Another good question to ask in records retention policy, if you don’t already know, is what happens to your company’s old hard drives when you’re disposing of computers. You know, there’s an unfortunate case that involves a computer that the company thought had been completely cleaned and the hard drives had been erased.

It ended up being resold, and two or three years later, somebody called and said, “Gee, I bought a computer and it has thousands of customer records of yours on it. If you want this back, you know, pay me however many hundreds of dollars for it.” And it turned out that while their IT people thought they had the drives cleaned, they were not in fact thoroughly cleaned.

So, this is really an issue, I think, to make sure that you cover with the IT department because, as we know from litigation, people think that they’ve completely obliterated information from a hard drive and may have even downloaded software that’s supposed to do that.

But if somebody’s really determined, it oftentimes is possible for somebody who’s an experienced forensic person or just a very computer-savvy person to recover the data. It is important in your records retention policy to know what’s happening to your equipment that’s being sold as well as your documents.

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.
