July 12, 2008
If businesses haven’t got the word, they need to pay attention. The Texas AG is very serious about protecting Texans from identity theft. If you don’t have an active paper shredding policy, you are at risk... in many ways. Last week the Texas Attorney General’s Office issued new charges and announced a settlement agreement with EZCORP.
Austin-based EZCORP, a payday and pawn lending company, has reached a settlement with the Texas Attorney General’s office in which it will pay the state a sum of $600,000.00. Now you may ask yourself, what would warrant a $600,000.00 settlement? Failure to do proper paper shredding! That’s right, EZCORP had improperly discarded customer records in the back dumpster. Had this been in Houston, they could have called a Houston shredding company; it would have taken about a half hour and cost them less than a hundred dollars.
April 1, 2008
Select Medical to face charges….
It looks like the Texas Attorney General has started 2008 the way he ended 2007: prosecuting companies who fail to protect consumers’ information. Select Medical is the latest company to feel the wrath of the Texas Attorney General’s office. Select Medical is being charged with violating the State’s Identity Theft Protection Act of 2005. Thousands of documents were allegedly improperly discarded last October in Levelland, Texas. The police department in Levelland discovered the documents strewn in and about dumpsters on the premises; if found guilty, Select Medical will face millions in fines. I’m always surprised to find that many business owners do not know that there are actual laws on the books as to how they must dispose of business records. The following is taken from the Texas Business & Commerce Code pertaining to the disposal of Business Records (Chapter 35 and Chapter 48).
§ 35.48. RETENTION AND DISPOSAL OF BUSINESS RECORDS.
(a) In this section:
(1) “Business record” means letters, words, sounds, or numbers, or the equivalent of letters, words, sounds, or numbers, recorded in the operation of a business by:
- (F) magnetic impulse;
- (G) mechanical or electronic recording;
- (H) digitized optical image; or
- (I) another form of data compilation.
(1-a) “Personal identifying information” means an individual’s first name or initial and last name in combination with any one or more of the following items:
- (A) date of birth;
- (B) social security number or other government-issued identification number;
- (C) mother’s maiden name;
- (D) unique biometric data, including the individual’s fingerprint, voice print, and retina or iris image;
- (E) unique electronic identification number, address, or routing code;
- (F) telecommunication access device, including debit and credit card information; or
- (G) financial institution account number or any other financial information.
(2) “Reproduction” means a counterpart of an original business record produced by:
- (A) production from the same impression or the same matrix as the original;
- (B) photograph, including an enlargement or miniature;
- (C) mechanical or electronic rerecording;
- (D) chemical reproduction;
- (E) digitized optical image; or
- (F) another technique that accurately reproduces the original.
(3) “Telecommunication access device” has the meaning assigned by Section 32.51, Penal Code.
(b) A business record required to be kept by state law may be destroyed at any time after the third anniversary of the date the record was created unless a law or regulation applicable to the business record prescribes a different retention period or procedure for disposal.
(c) A state law requiring retention of a business record is satisfied by retention of a reproduction of the business record.
(d) When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.
(e) A business is considered to comply with Subsection (d) if the business contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with Subsection (d).
(f) A business that does not dispose of a business record of a customer in the manner required by Subsection (d) is liable for a civil penalty of up to $500 for each record. The attorney general may bring an action against the business to:
- (1) recover the civil penalty;
- (2) obtain any other remedy, including injunctive relief; and
- (3) recover costs and reasonable attorney’s fees incurred in bringing the action.
(g) A business that modifies a record as required by Subsection (d) in good faith is not liable for a civil penalty under Subsection (f) if the record is reconstructed, in whole or in part, through extraordinary means.
(h) Subsection (d) does not require a business to modify a record if:
- (1) the business is required to retain the record under other law; or
- (2) the record is historically significant and:
  - (A) there is no potential for identity theft or fraud while the record is in the custody of the business; or
  - (B) the record is transferred to a professionally managed historical repository.
(i) Subsection (d) does not apply to:
- (1) a financial institution as defined by 15 U.S.C. Section 6809; or
- (2) a covered entity as defined by Section 601.001 or 602.001, Insurance Code.
Added by Acts 1989, 71st Leg., ch. 955, § 1, eff. June 15, 1989. Renumbered from § 35.47 by Acts 1990, 71st Leg., 6th C.S., ch. 12, § 2(2), eff. Sept. 6, 1990. Amended by Acts 1991, 72nd Leg., ch. 472, § 1, eff. Aug. 26, 1991; Acts 1995, 74th Leg., ch. 735, § 3, eff. Sept. 1, 1995.
Acts 2005, 79th Leg., Ch. 935, § 1, eff. September 1, 2005.
Acts 2005, 79th Leg., Ch. 935, § 2, eff. September 1, 2005.
Acts 2005, 79th Leg., Ch. 935, § 3, eff. September 1, 2005.
Text of section effective until April 1, 2009
§ 48.102. BUSINESS DUTY TO PROTECT AND SAFEGUARD SENSITIVE PERSONAL INFORMATION.
(a) A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of
(b) A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business’s custody or control that are not to be retained by the business by:
- (3) otherwise modifying the sensitive personal information in the records to make the information unreadable or undecipherable through any means.
(c) This section does not apply to a financial institution as defined by 15 U.S.C. Section 6809.
Added by Acts 2005, 79th Leg., Ch. 294, § 2, eff. September 1,
Source - Texas Business & Commerce Code