Document Destruction, Personal Identifying Information
The Colorado Consumer Protection Act, CRS 6-1-713, regulates document disposal of paper documents containing “personal identifying information“.
- Social Security Number
- personal identification number
- pass code
- state or government-issued driver’s license number
- state or government-issued ID card number
- government passport number
- biometric data
- employer, student or military ID number
- financial transaction device
Each public or private entity that uses documents containing personal identifying information shall develop a policy for the destruction or proper document disposal of paper documents containing personal identifying information.
If a recycler or disposal firm is used for document destruction, the recycler or disposal firm is not required to verify that the documents it received for document disposal or recycling have been properly destroyed or disposed of, unless specifically stated by contract.
In addition to Colorado laws on document destruction, there are federal laws to follow. Health Insurance Portability and Accountability Act (HIPAA), Financial Services Modernization Act (Gramm-Leach-Bliley), and Fair and Accurate Credit Transactions Act (FACTA).
Businesses should also use secure document destruction for confidential data such as business plans, trade secrets, marketing plans, sales reports, financial reports, customer lists, vendor lists, employee lists, payroll data and other sensitive information.
Courts have ruled there is no expectation of privacy once documents are discarded for disposal or recycling. Criminals and competitors may acquire discarded information by “dumpster diving“. Documents pending document destruction should be kept in a secure container, not piled up near a paper shredder.
Notarized Certificate of Destruction
TIP: For good record keeping, a business should keep a notarized Certificate of Destruction, listing the specific documents or data files that were destroyed, date, address, destruction method, name of person or company that destroyed the documents, and the legal chain of custody. Reasonable care must be used to make sure that document destruction is completed using a secure process, to prevent unauthorized access to personal identifying information.