Mounting Privacy Laws Have Companies Struggling to Keep Up and Keep Compliant
BOSTON, July 7 /PRNewswire/ -- When it comes to shredding sensitive
business documents, leaders of some of America's largest companies are
devoting more attention and more money to keeping information safe. But
despite the extra effort, many admit unfamiliarity with key federal and state
laws governing information privacy, leaving their companies exposed to fines
and their customers exposed to identity theft.
These are the central findings from a survey of business professionals and
managers responsible for safeguarding their company's information. Conducted
on behalf of Iron Mountain Incorporated (NYSE: IRM), the global leader in
information protection and storage services, the survey targeted companies
with annual revenue of at least $750 million.
Perhaps most surprising among the survey's findings is that companies
believe they're more familiar with federal requirements for information
destruction than they actually are. While nearly three in four respondents (74
percent) express familiarity with federal requirements, fewer than one in
three (30 percent) are aware of the Federal Trade Commission's Fair and
Accurate Credit Transactions Act (FACTA) Disposal Rule, one of the top laws
governing U.S. businesses on information security and disposal. The FACTA
Disposal Rule mandates that organizations properly dispose of papers that
contain consumer information through methods such as burning, pulverizing or
shredding so that the "information cannot practically be read or
reconstructed."
It's not surprising that some companies seem unsure of the law. Over the
last five years, a wave of state and federal legislation like FACTA has been
enacted to protect consumers and their sensitive information. Currently 28
states have must-shred laws, and 43 have notification requirements for
disclosing privacy breaches. With each new law, companies must revisit their
policies and procedures for destroying information, an increasingly difficult
task given the variety and distribution of information across an enterprise.
Only 59 percent of respondents feel familiar with their existing state
laws.
Already overwhelmed, companies face even more rules for protecting information
Some companies will soon have to contend with a new set of FACTA mandates
from the FTC. Effective Nov. 1, 2008, financial institutions and creditors
must have a formal program for preventing identity theft. Commonly known as
the Red Flag Regulations, these new guidelines require companies to identify
and account for "red flags," defined by the FTC as "patterns, practices and
specific forms of activity that indicate a possible risk of ID theft."
Along with these new regulations, the FTC appears intent on enforcing its
Disposal Rule for the first time since the rule took effect in June 2005. In
December, the FTC took action against an Illinois-based mortgage company for
improperly disposing of loan documents. As a result, the company must undergo
a third-party audit every two years over the next 10 years and pay a $50,000
fine for leaving consumers' personal and financial information in and around a
Dumpster near its office.
"The FTC is serving notice that it's no longer enough for companies to
simply say they have a policy for shredding or information destruction," said
Colleen Langevin, a vice president at Iron Mountain. "Now, organizations must
prove their policies and procedures actually work. Proving this means
demonstrating good-faith efforts to document policies; train employees; audit
behavior; and oversee service providers."
While questions over companies' compliance emerged as a key theme of the
Iron Mountain survey, findings also lent insight into current behaviors around
information destruction. Key findings included:
-- Shredding is a universal practice, but not universally compliant:
Nine in 10 companies outsource their shredding, while more than half (57
percent) also rely on on-site commercial-grade shredding or incineration
equipment. But fewer than one in four report on compliant destruction of
consumer information (24 percent) or audit their policies and procedures
against industry best practices (23 percent). Companies will need these audit
controls to comply with the FACTA requirements.
-- Information destruction receiving greater attention:
About one in two respondents (54 percent) say their company's leaders paid more
attention over the last year to how their company destroyed and disposed of
sensitive information. And nearly one third (30 percent) report their company
increased its budget over the same period for information destruction and
disposal.
-- Training and policy compliance top companies' data privacy concerns:
For those who have some familiarity with state, federal or pending
legislation, nearly one third (30 percent) worry that company policies do not
comply with newer legislation or that they will not comply if pending
legislation is passed. Twenty-nine percent express concern with getting
employees up-to-speed on new requirements.
-- New laws, bad press and customer demand drive data disposal:
Two in three companies (66 percent) say it has become more important to
formalize policies and procedures for destroying sensitive information. Those
companies cited new laws (63 percent), negative press of data losses (43
percent), customer demand for information security (29 percent) and pressure
from industry groups (28 percent) as the top reasons why.
Conducted between Oct. 1, 2007, and Jan. 2, 2008, the Compliant
Information Destruction: Inside Corporate America Survey polled 115 business
professionals involved in and/or responsible for information privacy at
publicly held, for-profit companies with annual revenues of at least $750
million. It has a margin of error of plus or minus 9 percentage points at the
95 percent confidence level. For an executive summary of the results and
additional information on the upcoming FACTA Red Flag Regulations, visit
www.ironmountain.com/redflagpaper.
About Iron Mountain
Iron Mountain Incorporated (NYSE: IRM) helps organizations around the
world reduce the costs and risks associated with information protection and
storage. The Company offers comprehensive records management and data
protection solutions, along with the expertise and experience to address
complex information challenges such as rising storage costs, litigation,
regulatory compliance and disaster recovery. Founded in 1951, Iron Mountain is
a trusted partner to more than 100,000 corporate clients throughout North
America, Europe, Latin America and Asia Pacific. For more information, visit
the Company's Web site at www.ironmountain.com.
Contact:
Dan O'Neill, Iron Mountain
dan.oneill@ironmountain.com
(617) 535-2966
Kristen Georgian, Weber Shandwick
kristen.georgian@webershandwick.com
(617) 520-7042
SOURCE Iron Mountain Incorporated