Don's Discussion
Are you a member with a question? Contact IA&B Corporate & Legal Affairs Director Don Bankus at 717-918-9204 or DonB@IABforME.com.
QUESTION:
Can our agency use a shredding company to dispose of customer files – including MVRs and other personal information – if the company doesn’t shred on site?
ANSWER:
First, let’s review the basics. The disposal of MVRs and other consumer reports that contain personally identifiable information is governed by the federal Consumer Information Disposal Rule. The Rule requires agencies to take “reasonable steps” to protect against unauthorized access to, or use of, consumer information in connection with its disposal.
WHAT CONSTITUTES “CONSUMER INFORMATION”?
The Rule defines consumer information as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.” For our purposes, MVRs, credit or insurance scores, and C.L.U.E. reports are all “consumer reports.”
WHO MUST COMPLY WITH THE RULE?
The Rule applies to both individuals and organizations that use consumer reports. Among those required to comply: consumer reporting agencies; lenders, insurers, and their agents; employers; and government agencies.
DOES THE RULE HAVE GUIDELINES FOR CHOOSING A SHREDDING COMPANY?
When choosing shredding as the method of destruction and disposal, the Rule’s due diligence requirements are flexible and could include the agency doing any one of the following:
▲ Reviewing an independent audit of the shredding company’s operations and/or its compliance with the Rule;
▲ Obtaining information about the shredding company from several references or other reliable sources;
▲ Taking appropriate measures to determine the competency and integrity of the shredding company; or
▲ Requiring that the shredding company be certified by a recognized trade association or similar third party.
IS THERE AN EASY WAY TO DO THIS?
Yes, there is. If your agency is looking for a simple and efficient method of conducting due diligence, you could use a shredding company which has been NAID AAA-certified by the International Secure Information Governance & Management Association (“i-SIGMA”). i-SIGMA is the international trade association for companies that provide information destruction services. The NAID AAA certification is designed to validate and monitor ongoing compliance with critical data protection and related regulatory specifications. You can read more and view a list of NAID AAA-certified shredding companies at isigmaonline.org (see “Certifications” tab).
While not a requirement of the Rule, agencies may want to request that the shredding company provide a Certificate of Destruction (COD) upon completion of the shredding process. While there is no uniform COD in the marketplace, a COD should include:
▲ The name of your agency;
▲ The date and location of destruction/disposal;
▲ The method of destruction/disposal;
▲ A description of the destroyed/disposed of records; and
▲ The names and signatures of the individuals conducting and witnessing the destruction/disposal.
As a final related thought: Because your agency will be entering into a contract with a third-party service provider (the shredding company) that will have access to your customer information, the contract should include provisions in which the vendor acknowledges that the agency’s customer information may not be used in any manner inconsistent with the limited services the vendor is providing for you.
A broader overview of the Rule, and sample language to include as part of an information protection addendum for third-party service contracts, can be found at IABforME.com/privacy.
This document is not a legal opinion and should not be relied upon as such. The intent of this document is to provide a general background regarding the topic or topics discussed, not to provide legal advice. Producers and agencies should consult an attorney regarding specific situations and specific questions with respect to the topic or topics covered in this document. Neither the Insurance Agents & Brokers nor any of its employees shall be responsible for any errors or omissions regarding any statements made in this document, nor any errors or omissions regarding any statutes, regulations, court rules, and/or any other government documents cited in this document.