Document Destruction, Personal Identifying Information
The Colorado Consumer Protection Act, CRS 6-1-713, regulates the disposal and destruction of paper and electronic documents containing “personal identifying information” (PII). PII includes:
- Social Security Number
- personal identification number
- password or passcode
- state or government-issued driver’s license or ID card number
- government passport number
- biometric data
- employer, student or military ID number
- financial transaction device
when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable.
Each public or private entity that uses documents containing personal identifying information shall develop a written policy for the destruction or proper document disposal of paper and electronic documents containing personal identifying information.
If a third-party recycler, storage or disposal firm is used for handling documents, the contract must require the recycler, storage or disposal firm to follow reasonable security procedures to protect PII until the documents have been properly destroyed or otherwise disposed of.
In addition to Colorado laws on document destruction, there are federal laws to follow, including the Health Insurance Portability and Accountability Act (HIPAA), the Financial Services Modernization Act (Gramm-Leach-Bliley), and the Fair and Accurate Credit Transactions Act (FACTA).
Businesses should also use secure document destruction for confidential data such as business plans, trade secrets, marketing plans, sales reports, financial reports, customer lists, vendor lists, employee lists, payroll data, and other sensitive information.
Courts have ruled there is no expectation of privacy once documents are discarded for disposal or recycling. Criminals and competitors may acquire discarded information by “dumpster diving.” Documents awaiting destruction should be kept in a secure container, not piled up near a paper shredder.
Notarized Certificate of Document Destruction
TIP: For good record keeping, a business should keep a notarized Certificate of Destruction, listing the specific documents or data files that were destroyed, type of PII, date, address, destruction method, name of person or company that destroyed the documents, and the legal chain of custody. Reasonable care must be used to make sure that destruction is completed using a secure process, to prevent unauthorized access to personal identifying information.