A few days ago I reblogged a post from Naked Security about an enforcement action by the Massachusetts Attorney General's Office against doctors in Massachusetts who unlawfully disposed of patient records. You can read the original post here. In summary, the doctors allegedly violated the Health Insurance Portability and Accountability Act ("HIPAA") by throwing out documents that contained the nonpublic personal information of their patients. If "nonpublic personal information" has triggered thoughts about the compliance programs at your dealership, then you're off to a good start today (or you spend a lot of time thinking about compliance, which is a good thing). The Safeguards Rule of the Gramm-Leach-Bliley Act obligates your dealership to create and maintain processes that protect nonpublic personal information. Closely related to the Safeguards Rule is the Disposal Rule, issued by the FTC under the Fair and Accurate Credit Transactions Act (FACTA) amendments to the Fair Credit Reporting Act, which, much as HIPAA does for health care professionals, requires dealers to maintain processes that effectively destroy documents containing consumer report information, such as the credit reports pulled on a customer and the credit application behind them. With statutory damages of up to $1,000 per willful violation, as well as allowing plaintiffs to recover their attorneys' fees, the Disposal Rule is something your staff should not ignore.
Gone are the days when a dealership employee could simply throw a completed credit application or "dead deal" folders full of deal paperwork in a garbage can. Now, if dealers have any documents that contain nonpublic personal information, such as social security numbers, customers' dates of birth and so on, they must dispose of the documents in a way that complies with the Disposal Rule. The Disposal Rule requires dealerships to maintain "disposal practices that are reasonable to prevent the unauthorized use, or access to, information in a consumer report." Suggested practices include burning, pulverizing or shredding hard copies containing nonpublic personal information, or, if the information is stored electronically, appropriate erasure or destruction procedures. Note that "erasure" means more than pressing delete: a deleted file, an emptied recycle bin or a quick format leaves the data recoverable with ordinary tools, so retired hard drives, copier and fax hard drives, and backup media should be overwritten with a wiping utility, degaussed or physically destroyed before they leave your control. If you contract with third parties to handle document disposal, your dealership may be liable for their failures to comply with the Disposal Rule, so vet the vendor's practices and keep the certificates of destruction they issue. You can find a summary of the Disposal Rule and examples of what compliant processes contain here.
In the case cited by Naked Security, a photographer for the Boston Globe discovered the documents discarded by the doctors while dumping his own garbage. Apparently the doctors' offices shared a community dumpster with the photographer. The photographer then referred the matter to the Attorney General's office, which later brought suit against the parties. It is easy to imagine similar discoveries being made by employees or customers at a dealership that fails to comply with the Disposal Rule. A disgruntled employee could report the dealership to the proper authorities, or a consumer could see intact documents in a waste bin and file a complaint. A compliant Safeguards Rule program includes processes that comply with the Disposal Rule. Protect your dealership against similar suits by developing processes and training that address how your employees will dispose of information in accordance with the Disposal Rule.
Via: Naked Security
Image Courtesy of Paper Shredding Review