Businesses are often required to collect personally identifiable information from their customers, prospects, and employees as part of normal day to day operations.
Once a business takes possession of this data, they are responsible for protecting it, and must adhere to the many laws and regulations enacted to protect PII and PHI.
These regulations are put in place to benefit both consumers and business owners.
However, navigating the complex web of rules can be daunting, especially since federal, state, and local governments all issue their own overlapping and sometimes incompatible provisions.
Failure to comply with data privacy regulations often comes with steep legal consequences, including fines, lawsuits, or civil penalties. But that’s not all.
In the unfortunate event of a data breach, a business can face more than just legal troubles. News of a data breach can send a business's reputation into a spiral and, in some cases, can even force a business to close its doors.
For this reason, it is important to understand the scope of what data is protected and what laws are on the books to protect it.
Note: This article provides general information only and should not be relied upon or construed as legal advice.
What kind of personal information is considered “sensitive”?
An important distinction to make when discussing data protection is whether or not a particular piece of information is considered sensitive.
Personally identifiable information (PII) is a catch-all term that encompasses any information that can be linked to an individual’s identity, including names, physical addresses, social security numbers, credit card details and so on.
Personal Health Information (PHI) is a subset of this, and applies specifically to health-related information and medical records. Under HIPAA (covered below), these particularly sensitive records require additional protective measures.
Disclosure of sensitive data can leave an individual vulnerable to discrimination, harassment, or financial crimes, and therefore must be protected at all costs. For this reason, most data privacy laws address these two main categories of data.
HR/personnel records are the most common source of PII that must be managed by businesses. The collection of sensitive information is required as part of the processes of hiring employees, providing medical benefits, paying salaries, and more, which is why HR documents typically have strict retention requirements.
Federal Data Privacy Laws
The United States does not have a single overarching law that protects the privacy of personal data. Instead, a variety of disparate regulations have been enacted to protect it.
The need to address modern privacy issues and data protection rights is expanding globally. However, unlike most democracies around the world, the U.S. does not have a federal data protection agency.
Instead, the US regulates data privacy through a variety of laws passed on the state and federal level.
Below are some of the regulations that are most concerning for the average business.
US Privacy Act of 1974
The US Privacy Act of 1974 was passed to address concerns about the potential misuse of personal data held by the government.
The Privacy Act prohibits government agencies from disclosing any record about an individual without the individual's written consent, unless the disclosure falls under one of the twelve statutory exceptions.
The act also provides additional protections:
- Grants any US citizen the right to access personal data held by any government agency, and to update or correct any errors in that data.
- Requires government agencies to collect only the minimum amount of information needed to fulfill their role.
- Restricts access to personal information to a need-to-know basis: government employees can only access data when their job role requires it.
- Restricts how government agencies (federal and state) can share personal data in their possession with other agencies.
Organizations affected by this law
The Privacy Act applies to any records held by the government that contain private personal information; are maintained by a Government agency or its contractors; or are retrieved by a personal identifier, such as a name or Social Security Number.
Compliance Tips:
- Keep an inventory of systems of records and ensure they are clearly outlined as per the Act.
- Provide individuals with a means to access their records and correct any inaccuracies.
- Ensure that personal data is only used for necessary and lawful purposes, and that there is transparency about such uses.
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA) requires institutions that offer financial products including loans, financial or investment advice, and insurance to explain their data sharing practices to their customers, as well as setting requirements to safeguard sensitive data.
The GLBA does not restrict how companies can use the data they have collected; it only requires that such usage be disclosed beforehand.
Organizations affected by this law
The "financial institution" designation is applied loosely: GLBA compliance applies to any business engaged in providing financial products or services. This includes payday lenders, tax preparers, mortgage lenders, and even car dealerships that provide financing to customers.
Compliance Tips:
- Maintain a robust information security program to protect customer data.
- Regularly update your retention policy to reflect the latest GLBA requirements.
- Train employees on the importance of confidentiality and security of financial records.
The Fair Credit Reporting Act
Passed in 1970, the Fair Credit Reporting Act (FCRA) is part of a group of acts contained in the Federal Consumer Credit Protection Act. The goal of the FCRA is to protect the information collected by consumer reporting agencies, regulating how personal information in your consumer report can be used and when it can be accessed.
The law ensures the sensitive information in a consumer report cannot be shared, unless for specific purposes specified in the Act.
It also requires lenders and employers to notify an individual if the information in their credit file is used to deny them a job, loan, or insurance policy.
The FCRA is not limited to credit reporting, though; it also applies to criminal and civil records, civil lawsuits, reference checks, and other information obtained by a consumer reporting agency.
Organizations affected by this law
Employers routinely obtain background checks and drug tests to help avoid legal claims of negligent hiring. However, these checks are considered “consumer reports” and are therefore protected by the FCRA.
Therefore, it is important that employers protect the information gathered during this process, and ensure that access is provided only to those who require it.
Employers who fail to comply with the provisions of the FCRA face civil and statutory penalties. The FCRA also allows job applicants to sue their employer should it fail to comply with any requirement of the law.
Compliance Tips:
- Ensure accurate documentation and retention of credit reports and related inquiries.
- Implement a secure disposal procedure for when records are no longer required.
- Restrict access to credit records to safeguard consumer information.
Fair and Accurate Credit Transactions Act
The Fair and Accurate Credit Transactions Act (FACTA) is an amendment to the FCRA that improves protections for consumers' credit-related records. It provides access to one free credit report per year and requires bureaus to disclose details about how the credit score issued was calculated.
FACTA also contains provisions designed to prevent identity theft, allowing consumers to place fraud alerts on their credit history whenever suspicious activity is detected.
In addition, FACTA has specific provisions that require any organization that possesses credit-related records to dispose of them in a secure fashion.
Organizations affected by this law
While FACTA specifically targets credit reporting agencies, the disposal rules contained within it apply to virtually all businesses that maintain or possess consumer information for a business-related purpose.
For this reason, it is important to purge outdated credit-related materials in a manner that meets or exceeds FACTA regulations. This is most easily accomplished by outsourcing the document destruction to a third party FACTA compliant shredding service.
Compliance Tips:
- Shred or properly destroy paper documents containing consumer information before disposal.
- Employ a document destruction policy that complies with FACTA’s disposal rule.
- Use digital document management solutions that include secure deletion methods once the retention period ends.
HIPAA
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that provides privacy standards to protect patients' medical records and other health information from disclosure without the patient's express consent.
HIPAA standardizes the processing and transmission of electronic healthcare information. It requires covered organizations to implement secure electronic access to patients' health data, in a manner compliant with the privacy regulations set by the HHS.
Under HIPAA, records that contain any of the following 18 identifiers are considered to be protected health information:
- Names
- Geographic identifiers smaller than a state (street address, city, county, zip code etc.)
- Dates other than the year (e.g., birth date, admission date, discharge date)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device identifiers and serial numbers
- Web URLs
- IP addresses
- Biometric identifiers, including fingerprints and voice prints
- Full face photos
- Any other unique identifying number, characteristic, or codes
If these identifiers are removed from a record, it is considered to be “de-identified protected health information”, which is not covered by the HIPAA Privacy Rule.
Note: New rules announced in 2024 enhance HIPAA's protection of reproductive health records.
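To make the de-identification rule concrete, here is an added Python example (not from this article or from SecureScan) that applies it to a constructed, fictitious patient record: fields holding direct identifiers are dropped, date fields are reduced to the year, and free-text notes are scanned for identifiers that have a fixed textual shape (SSN, email, IP address, phone, date, ZIP). The field names, patterns and sample data are assumptions for illustration; names and addresses embedded in free text have no fixed shape and are not caught by this pass.

```python
import re

# Direct-identifier fields from the HIPAA list are dropped outright; date
# fields are reduced to the year (permitted by Safe Harbor); free-text fields
# are scanned for identifiers with a fixed shape. Field names are assumptions.
DROP_FIELDS = {"name", "ssn", "street", "city", "zip", "phone", "email", "mrn", "ip"}
DATE_FIELDS = {"dob", "admitted", "discharged"}
TEXT_FIELDS = {"notes"}

# Order matters: SSNs and dates are matched before the looser ZIP pattern.
TEXT_PATTERNS = [
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("phone", re.compile(r"\(?\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b")),
    ("date",  re.compile(r"\b\d{1,2}/\d{1,2}/(?P<y>\d{4})\b")),
    ("zip",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]
DATE_RE = dict(TEXT_PATTERNS)["date"]

def year_only(value):
    """Keep only the year of an MM/DD/YYYY date; anything else is masked."""
    m = DATE_RE.fullmatch(value)
    return m.group("y") if m else "[DATE]"

def scrub_text(text):
    """Replace shaped identifiers in free text; embedded dates keep the year."""
    for label, pat in TEXT_PATTERNS:
        repl = (lambda m: m.group("y")) if label == "date" else f"[{label.upper()}]"
        text = pat.sub(repl, text)
    return text

def deidentify(record):
    """Apply the three treatments (drop, year-only, scrub) field by field."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        out[key] = (year_only(value) if key in DATE_FIELDS
                    else scrub_text(value) if key in TEXT_FIELDS else value)
    return out

def residual_identifiers(record):
    """Categories still present (dropped-field names plus pattern hits); [] = clean."""
    found = {k for k in record if k in DROP_FIELDS}
    for value in record.values():
        if isinstance(value, str):
            found.update(lab for lab, p in TEXT_PATTERNS if p.search(value))
    return sorted(found)

# Constructed sample record (fictitious data).
SAMPLE_RECORD = {
    "name": "Jane Doe", "dob": "03/22/1985", "ssn": "123-45-6789",
    "street": "12 Elm St", "city": "Albany", "state": "NY", "zip": "12205",
    "admitted": "11/02/2023", "diagnosis": "J18.9",
    "notes": ("Follow-up call to (518) 555-0147 on 11/09/2023; "
              "results emailed to jdoe@example.org from host 192.0.2.44."),
}
```

Running `residual_identifiers` before and after `deidentify` gives a simple check that every covered category was removed from the record before it is released or retained past its deletion date.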
Organizations affected by this law
HIPAA applies to anyone providing treatment, payment, or operations in the healthcare field. It also applies to subcontractors and any other businesses that work alongside a medical practice and may handle sensitive health information.
Compliance Tips:
- Utilize document management systems that enforce access controls and audit trails.
- Engage in ongoing staff training to ensure HIPAA requirements are well understood.
- Conduct regular risk assessments to ensure all personal health information is securely managed.
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) is a federal law designed to protect the privacy of student education records. It grants parents rights over their child’s records, which transfer to the student once they turn 18.
FERPA allows parents or eligible students to inspect and review their education records at any time. It also restricts schools from releasing information from a student’s records without written consent, except under specific circumstances outlined by law.
The law specifies who can request access to student records, including parents, eligible students, and, in some cases, other schools requesting records for enrollment purposes.
Organizations affected by this law
FERPA applies to any public or private elementary, secondary, or post-secondary school and any state or local education agency that receives funds under an applicable program of the US Department of Education.
Compliance Tips:
- Implement a record-keeping system that logs disclosures and requests for access.
- Ensure that only authorized individuals can access educational records.
- Securely destroy records that are no longer required to be retained under FERPA.
State-Specific Laws
US state privacy laws and legislation are a constantly evolving landscape. The appetite for comprehensive consumer data privacy laws is at an all-time high, as new regulations are needed to keep up with modern technology.
Although many proposed bills are never signed into law, the trend toward state level privacy protections in the United States is growing.
California, Colorado, Connecticut, and Virginia have enacted consumer data privacy laws which provide additional rights to access and delete personal information, and the right to opt out of the sale of personal information.
Many state regulations include provisions to address online privacy, including a requirement that ensures e-commerce websites and web services provide publicly accessible privacy policies that describe what type of information they collect and share with third parties.
In some cases, state-level regulations have overlapping or incompatible provisions which can be difficult to navigate for multi-state businesses, highlighting the need for more comprehensive federal regulations.
It's important that businesses that handle PII or PHI of any kind are aware of state laws that may affect the way they handle this data.
The diagram below shows the current status for state privacy legislation on a state by state basis. Our diagram was last updated in May of 2022.
Data Disposal Laws
Improper disposal of confidential information can lead to data breaches and identity theft. For this reason, more than 35 states have implemented data disposal laws that require entities to take “reasonable measures” to destroy, dispose of, or otherwise make personal information unreadable or indecipherable. These reasonable measures include the “burning, shredding, or pulverizing” of paper documents in a secure manner.
The FTC has also stepped in to protect the privacy of consumer information by issuing its own disposal requirements. The FACTA disposal rule requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” The rule applies to consumer reports or any information derived from consumer reports.
HIPAA also contains provisions that require “covered entities and business associates” to implement safeguards to avoid prohibited use or disclosure of personal health information. This includes policies and procedures to address the final disposal of records that contain PHI. HIPAA also requires that all employees are trained in proper HIPAA compliant data disposal procedures.
Security Breach Notification Laws
All 50 states and U.S. territories have passed laws that require businesses and government agencies to notify individuals of security breaches involving personally identifiable information.
Each state issues its own rules about who must comply with the law, and defines what constitutes personal information, what is considered a breach, who must be notified should a breach occur, and the required time frame for notification.
The NCSL provides a comprehensive list of security breach notification laws by state for reference.
What are the penalties for non-compliance with data privacy laws?
Businesses should be aware of all relevant regulations before they collect any personal information. Failure to comply with data privacy laws can lead to lawsuits and hefty fines.
For example, failure to abide by FACTA may result in stiff penalties. Victims are entitled to the actual damages caused by noncompliance and may also seek statutory damages, and, in some cases, file class-action suits. Federal and state authorities are also authorized to bring legal enforcement actions against businesses that violate the Act.
Violations of HIPAA can also carry criminal penalties, including up to ten years' imprisonment in certain cases.
States also establish their own consequences for non-compliance with their privacy laws. For example, violations of the California Consumer Privacy Act carry fines of up to USD 2,500 per violation, or USD 7,500 if the violation was intentional, with no cap on the total amount of fines.
How can a business stay compliant with data privacy laws?
For businesses that collect or store personally identifiable information, it is easy to recognize the value of investing in data privacy and security.
Even though your company may not be required by law to comply with any particular data privacy regulation, doing so mitigates legal risks, reduces the chance of a data breach, and helps ensure your customers’ personal information is secure. In other words, data security is good for business.
Staying compliant with the many data privacy laws and regulations can be difficult without significant resources dedicated to it. That’s why many organizations turn to credentialed third party providers like SecureScan for their document management and disposal needs.
We provide FACTA and HIPAA compliant shredding services that make it easy and affordable to comply with the most stringent data disposal requirements. No matter what industry you’re in, our mobile paper shredding service will exceed your data privacy requirements. We provide a certificate of destruction with every service, which records pertinent details about the process in compliance with the law.
SecureScan also offers document scanning services to help you digitize paper records, improving both the security and accessibility of your data. Storing documents electronically allows you to control who has access to sensitive data, and provides additional oversight over the chain of custody for your records.