Sunday, March 25, 2007

The New Basics of Record Disposal in New York.

Identity theft seems to be all the rage these days. From e-mail phishing to sorting through people's garbage cans, identity theft is big business for the crooks as well as a financial nightmare for the victims. In an effort to help reduce or even eradicate the problem, New York General Business Law §399-h became effective as of December 4, 2006. The new law sets forth procedures that businesses must follow for disposing of paper and electronic records which contain an individual’s "personal identifying information" such as social security numbers, driver's license information, a mother's maiden name, financial service account numbers, checking or savings account numbers, and credit or debit card numbers.

Disposal of such records is prohibited unless: (a) the record is shredded prior to its disposal; (b) the personal identifying information contained in the record is destroyed; (c) the record is modified to make the personal identifying information unreadable; or (d) the person or entity disposing of the record takes actions consistent with commonly accepted industry practices that are reasonably believed will ensure that no unauthorized person will have access to the personal identifying information contained in the record. Quite frankly, I have no idea what that last option entails, but it appears to be a catch-all, safe-harbor type of provision to cover most any instance. I'm certain, however, that its vagaries will be the subject of a sufficient amount of litigation seeking clarification, thereby resulting in additional litigation seeking further clarification (and so on) of a statutory section which should have been clear in the first place. Makes you sort of dizzy, doesn't it?

Most every type of paper and electronic record is covered as long as it contains "personal identifying information." The statute doesn't contain any specific time frame for disposal, but requires that appropriate disposal methods be used when the record is discarded. Civil penalties of up to $5,000 per violation can be imposed, although acts arising out of the same incident or occurrence constitute a single violation. On a positive note, it's an affirmative defense to show that "due diligence" was used in the attempt to properly dispose of the records. Uh, oh, there's another term that will likely need clarification through litigation, and so on, and so on ...

No comments: