SHREDDING LAWS:
Various privacy laws have been enacted to ensure the confidentiality of a client’s information.
HIPAA – Health Insurance Portability and Accountability Act
Essentially, this act ensures that patient records remain private and do not become part of the public domain. The government imposes severe penalties for non-compliance with HIPAA. Its purpose is to reduce healthcare fraud and abuse and to guarantee the security and privacy of health information. HIPAA provides safeguards that require all companies to have proper disposal procedures in place.
Noncompliance with HIPAA can have devastating consequences, with severe fines, penalties and litigation. Noncompliance can result in civil fines of up to $25,000 a year and criminal penalties reaching $250,000 and up to 10 years in prison.
GLBA – Gramm-Leach-Bliley Act
Places restrictions on the use of customer information by those in the financial industry. Companies such as banks, brokers and underwriters, securities and investment firms, mortgage and finance companies and non-bank financial services firms must provide secure handling of records and information. These restrictions recognize that non-public personal and financial information must be safeguarded, which includes having proper disposal procedures.
Noncompliance with GLBA can be subject to severe fines and even class-action lawsuits. Noncompliance can result in civil penalties of up to $100,000 for each and every violation. The officers and directors of the financial institution can be held personally liable for a civil penalty of up to $10,000, and imprisonment for up to five years is possible.
FACTA – Fair and Accurate Credit Transactions Act
This act requires the destruction of sensitive consumer information and contains a number of rules designed to combat consumer fraud, identity theft and similar crimes, along with provisions designed to help their victims. It is a broad-sweeping consumer rights bill. A final rule issued under FACTA in November 2004 addresses the disposal of consumer information – names, addresses, SSNs, credit information and data compiled from this information. Any person who maintains or otherwise possesses consumer information for a business purpose, in electronic or paper format, must “take reasonable measures to protect against unauthorized access or use of the information in connection with its disposal.” FACTA requires disposal to be done properly – by burning, pulverizing or shredding.
Noncompliance with FACTA can be subject to severe fines and even class-action lawsuits. Refusal to obey FACTA can result in civil liability of up to $1,000 per employee. If a large number of employees are affected, they may be able to bring a class-action suit and obtain punitive damages from employers. Federal fines are up to $2,500 for each violation and state fines are up to $1,000 for each violation.
Georgia Information Privacy Act – SB475
On May 2, 2002, Georgia Governor Roy Barnes signed into law SB475, which makes it a crime for any business to discard personal information unless it first “shreds, erases, modified” and makes “reasonably” sure no one will have access to it before it is destroyed. This law protects businesses’ customers from the problems that can result from personal information falling into the wrong hands.
Noncompliance can subject businesses to fines of up to $10,000 for improper disposal of materials that contain personal information about customers.
Red Flag Rules
These rules require financial institutions or creditors to develop and implement an Identity Theft Prevention Program in connection with both new and existing accounts. The program must include reasonable policies and procedures for detecting and preventing identity theft. Financial institutions face a mandatory compliance deadline of November 1, 2008.