On Oct. 30, 2007, the Kentucky Office of the Attorney General (KOAG) announced the results of a records disposal investigation to determine if Kentucky businesses are complying with state law by properly disposing of personal information contained in business records.
During July and August, KOAG's Office of Consumer Protection examined publicly accessible trash receptacles of 121 businesses in Florence, Frankfort, Lexington and Louisville. Of those examined, 33 threw away over 500 records containing the personal information of over 1,250 people. Of these, 14 businesses threw away more sensitive information, like Social Security numbers; bank and credit card account numbers; birth dates; driver’s license or personal ID card numbers; loan numbers; customer account numbers; insurance policy numbers; medical insurance policy and group numbers; and personal medical information of almost 1,000 people.
Kentucky law requires businesses to properly dispose of records containing personal information by shredding, erasing or another method that makes the personal information unreadable.
“Consumers face an increased risk of identity theft or loss of privacy when their personal information is not destroyed when records are discarded,” said Attorney General Stumbo. “There have been numerous accounts in the past few years of dumpster diving by identity thieves. It is vitally important that businesses take care to destroy consumers’ personal information when disposing of records.”
The Office of Consumer Protection has notified the 33 businesses of their violations of the law and is requesting additional information from the 14 businesses that threw away sensitive information. Additionally, other federal and state agencies will be notified of these instances, as appropriate. These businesses will be asked to develop or strengthen policies to ensure compliance with the law and the Attorney General's office will work with them as appropriate. The records that were retrieved during the investigation are in secure storage and will be shredded when they are no longer needed.
Kentucky’s customer records disposal law is codified at KRS 365.720 to 365.730 and went into effect on July 12, 2006. In summary, the law:
- Requires a business to take steps when disposing of records to make sure that the portions containing personally identifiable information about customers are destroyed by shredding, erasing, or some other method that makes that information unreadable or indecipherable;
- Applies whether the business is itself disposing of the records or is using anyone else to destroy the records;
- Defines "personally identifiable information" as data that identifies a particular customer, including but not limited to name, address, telephone number, electronic mail address, fingerprints, photographs or computerized image, Social Security number, passport number, driver identification number, personal identification card number or code, birth date, medical information, financial information, tax information and disability information; and
- Allows a state court lawsuit by a customer injured by a violation of the law, and an injunction against a business that violates the law, in addition to any other available rights or remedies.
Failure to take reasonable security measures to protect consumers’ personal information, when that failure is likely to cause substantial injury to consumers and is not otherwise offset by countervailing benefits to consumers or competition, could also be an unfair act or practice prohibited by the Kentucky Consumer Protection Act at KRS 367.170.
Other federal and state laws may also apply. For instance, the Health Insurance Portability and Accountability Act provides privacy and security protections for patients. The Fair Credit Reporting Act requires that proper methods, including shredding, be used when disposing of consumer reports or information derived from consumer reports. The Gramm-Leach-Bliley Act requires financial institutions that handle customer information to have an information security program for safeguarding customer information, including disposal of records, and state insurance regulations require the same for insurance companies operating in Kentucky. Additionally, some state occupational licensing laws prohibit unfair practices by those working in certain occupations.
The Attorney General hopes to educate businesses and consumers about the importance of properly disposing of personal information. A “Kentucky Small Business Compliance Guide to Customer Records Destruction” is available on the Attorney General’s Web site at http://tinyurl.com/3arsbq. The Office of Consumer Protection suggests that a consumer should ask a business about its policy for keeping personal information secure, and ask for a copy of the policy if it is available, before giving personal information to the business. A consumer who learns that his or her personal information has been improperly disposed of may file a consumer complaint with the Office of Consumer Protection and may want to contact an attorney for advice regarding any claims he or she may have against the business.
The Attorney General’s office also recommends that state and local government agencies be careful, and develop proper policies, to ensure that personal information is not exposed when records are discarded. The Attorney General will recommend to the General Assembly that the records disposal law be clarified to apply to all records and to state agencies.