U.S. Laws Governing Data Disposal
The Fair Credit Reporting Act (FCRA) and the Federal Trade Commission's Rule concerning the Disposal of Consumer Report Information and Records (the Disposal Rule) requires small businesses that obtain consumer information from consumer reporting companies (e.g., Equifax, Experian, or TransUnion) to take "reasonable measures" to properly dispose of that information. Health care providers and financial institutions may have additional obligations to destroy consumer information under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Approximately 24 states have statutes that require small businesses to dispose of records that contain personal information. Similar to the Disposal Rule, the majority of these statutes require small businesses to take "reasonable steps" when destroying records. Some of the state statutes only apply to specific types of small businesses, such as health care providers, financial institutions, or tax preparers. You should consult an attorney to determine whether any state laws apply to your business.