4. Disposing of Data — Do It Responsibly

U.S. Laws Governing Data Disposal

Federal Laws

The Fair Credit Reporting Act (FCRA) and the Federal Trade Commission's Rule concerning the Disposal of Consumer Report Information and Records (the Disposal Rule) requires small businesses that obtain consumer information from consumer reporting companies (e.g., Equifax, Experian, or TransUnion) to take "reasonable measures" to properly dispose of that information. Health care providers and financial institutions may have additional obligations to destroy consumer information under the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

State Laws

Approximately 24 states have statutes that require small businesses to dispose of records that contain personal information. Similar to the Disposal Rule, the majority of these statutes require small businesses to take "reasonable steps" when destroying records. Some of the state statutes only apply to specific types of small businesses, such as health care providers, financial institutions, or tax preparers. You should consult an attorney to determine whether any state laws apply to your business.

35% of data breaches involve a contractor or someone inside the organization.

Source: 2013 Ponemon Institute Cost of Data Breach Study