Privacy Act of 1974
Right to Financial Privacy Act of 1978
California v. Greenwood
U.S. SUPREME COURT RULING
(CALIFORNIA V. GREENWOOD – 1988)
What does the law say about the privacy of trash?
Summary: Supreme Court ruled that trash is not private. The Court ruled “It is common knowledge that plastic garbage bags left along a public street are readily accessible to animals, children, scavengers, snoops, and other members of the public.”
SUPREME COURT OF THE UNITED STATES No. 86-684, May 16, 1988.
CALIFORNIA v. GREENWOOD ET AL.
CERTIORARI TO THE COURT OF APPEAL OF CALIFORNIA, FOURTH APPELLATE DISTRICT.
Acting on information indicating that respondent Greenwood might be engaged in narcotics trafficking, police twice obtained from his regular trash collector garbage bags left on the curb in front of his house. On the basis of items in the bags which were indicative of narcotics use, the police obtained warrants to search the house, discovered controlled substances during the searches, and arrested respondents on felony narcotics charges. Finding that probable cause to search the house would not have existed without the evidence obtained from the trash searches, the State Superior Court dismissed the charges under People v. Krivda, 5 Cal. 3d 357, 486 P. 2d 1262, which held that warrantless trash searches violate the Fourth Amendment and the California Constitution. Although noting a post-Krivda state constitutional amendment eliminating the exclusionary rule for evidence seized in violation of state, but not federal, law, the State Court of Appeal affirmed on the ground that Krivda was based on federal, as well as state, law.
- The Fourth Amendment does not prohibit the warrantless search and seizure of garbage left for collection outside the curtilage of a home. Pp. 39-44.
(a) Since respondents voluntarily left their trash for collection in an area particularly suited for public inspection, their claimed expectation of privacy in the inculpatory items they discarded was not objectively reasonable. It is common knowledge that plastic garbage bags left along a public street are readily accessible to animals, children, scavengers, snoops, and other members of the public. Moreover, respondents placed their refuse at the curb for the express purpose of conveying it to a third party, the trash collector, who might himself have sorted through it or permitted others, such as the police, to do so. The police cannot reasonably be expected to avert their eyes from evidence of criminal activity that could have been observed by any member of the public. Pp. 39-43.
(b) Greenwood’s alternative argument that his expectation of privacy in his garbage should be deemed reasonable as a matter of federal constitutional law because the warrantless search and seizure of his garbage was impermissible as a matter of California law under Krivda, which he contends survived the state constitutional amendment, is without merit. The reasonableness of a search for Fourth Amendment purposes does not depend upon privacy concepts embodied in the law of the particular State in which the search occurred; rather, it turns upon the understanding of society as a whole that certain areas deserve the most scrupulous protection from government invasion. There is no such understanding with respect to garbage left for collection at the side of a public street. Pp. 43-44.
HIPAA (Health Insurance Portability and Accountability Act)
(HEALTH INFORMATION PORTABILITY AND ACCOUNTABILITY ACT)
What does HIPAA REALLY say about paper shredding?
It doesn’t require covered entities to shred. Really, it doesn’t. It does, however, require covered entities to protect PHI and specifically uses shredding as one of several examples of appropriate safeguards for PHI. Here is the pertinent text:
We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is “scalable.”)Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring that doors to medical records departments (or to file cabinets housing such records) remain locked, and limiting which personnel are authorized to have the key or passcode. We intend this to be a common sense, scalable, standard.
This is the only place paper shredding is mentioned in the text of the law.
HIPAA also establishes penalties for willful or accidental release of PHI:
(a) OFFENSE. — A person who knowingly and in violation of this part —
- uses or causes to be used a unique health identifier;
- obtains individually identifiable health information relating to an individual; or
- discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
(b) PENALTIES. — A person described in subsection (a) shall —
- be fined not more than $50,000, imprisoned not more than 1 year, or both;
- if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
- if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.”
GLBA (Gramm-Leach-Bliley Act)
THE GRAMM-LEACH-BLILEY ACT
Summary: Any business providing financial services is required to ensure the security and confidentiality of customer personal information. The FTC suggests businesses “shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up.”
Below is text from a Federal Trade Commission series of publications called Facts for Businesses. This publication is titled “Financial Institutions and Customer Data: Complying with the Safeguards Rule”. Only sections that pertain to the privacy of printed records have been included. The full text of the document can be found athttp://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm.
Financial Institutions and Customer Data: Complying with the Safeguards Rule
Many financial institutions collect personal information from their customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information.
Who Must Comply
The Safeguards Rule applies to businesses, regardless of size, that are “significantly engaged” in providing financial products or services to consumers. This includes check-cashing businesses, data processors, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and retailers that issue credit cards to consumers.
How to Comply
The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
When a firm implements safeguards, the Safeguards Rule requires it to consider all areas of its operation, including three areas that are particularly important to information security:employee management and training; information systems; and managing system failures.
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on how to maintain security throughout the life cycle of customer information — that is, from data entry to data disposal:
- Store records in a secure area. Make sure only authorized employees have access to the area.
- Dispose of customer information in a secure manner. For example:
- hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information;
- shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up;
- erase all data when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contains customer information;
- promptly dispose of outdated customer information.
FACTA (Fair and Accurate Transaction Act)
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)
What is FACTA?
FACTA is the Fair and Accurate Credit Transaction Act. Passed by Congress in 2003, it is one of several recent laws (including HIPAA for the healthcare industry and Gramm-Leach-Bliley for the financial services industry) that seeks to protect businesses and consumers from fraud and identity theft. The USAToday article referred to a new section (section 216) that requires any person who maintains consumer information to dispose of it properly.
Who does it affect?
The law affects any person or business that possesses consumer information. This includes consumer reporting agencies, lenders, employers, landlords, government agencies, mortgage brokers, and automobile dealers — just to name a few. The law applies to any business over which the FTC has jurisdiction. The FTC’s jurisdiction does not extend to several areas of the banking and finance industry, but the financial services industry has its own law called the Gramm-Leach-Bliley Act that has very similar requirements.
What exactly is this consumer information?
Consumer information is any record about an individual, whether in paper, electronic, or other form that is contained in a credit report and can identify the individual. Examples of identifying information include social security numbers, driver’s license numbers, phone numbers, physical addresses, and email addresses. This information could be on a mortgage application, an insurance policy, a loan scoring sheet — anything that could be found in a credit report. Aggregate information (without identifiers) is not affected by the rule.
What do I have to do?
You have to take reasonable measures to protect the information from unauthorized access or use once you have disposed of it. Disposal is defined as the “discarding or abandonment of consumer information” as well as the sale of any medium (computer equipment) on which that information is stored. So before you toss that old computer that has customer records on it, you have to erase or destroy the hard drive.
Do I have to shred everything?
Nope. The law says you just have to take a “reasonable measure” to destroy anything that could identify an individual and might contain information in a credit report. Shredding is one method — you could also take it out back, throw gasoline on it and toss a match (though you might want to check with your local fire department before doing this).
For other business information, we ask a simple question: would we want a competitor to see this? If not, it gets shredded. See our “Why Shred?” page for what the law says about trash being private.
What exactly is a “reasonable measure”?
For paper, the FTC uses the example of shredding, burning, or pulverizing paper to prevent its use. This could mean purchasing a small office shredder or burning it in your fireplace at home — either one would work. Another example is hiring an outside firm that specializes in records destruction. For electronic media, they recommend destruction or erasure. In addition to the actual destruction, the FTC said that reasonable measures are likely to require establishing policies and procedures for destroying information, and training employees on what needs to be done.
Can I contract with an outside firm to do my destruction?
Yes, in fact the rule specifically mentions contracting with a document destruction business as “reasonable measure”. But you have to perform some due diligence on the outside firm to make sure they do what they say they do. This due diligence could include reviewing an independent audit of the disposal company’s operations, obtaining information about the disposal company from several independent references, and requiring the company to be certified by a recognized trade association or similar third party. Note that Tri-State Shred has the highest certificate rating possible from the National Association for Information Destruction.
What happens if I don’t?
Violations of FACTA and its parent, the Fair and Accurate Credit Reporting Act, carry penalties of actual damages plus statutory damages up to $1,000 per customer for willful violations (with no cap on class-action damages), punitive damages, attorneys’ fees, and civil penalties.