Document Destruction and Privacy Protections
By Elizabette Cohen

JUNE 2005 - CPAs have a legal obligation to have client records properly
destroyed, or they may find themselves in direct violation
of the 1974 Federal Privacy Act. An on-site document-destruction
company hired to destroy end-of-retention files can supply effective
legal protection by providing a notarized document-destruction
certificate that proves a third party shredded the files on-site.
This certificate states where, when, and by whom the stated
files were shredded. The company is in compliance with all identity-theft
laws and acts by properly disposing of end-of-retention files
and possessing proof thereof.

A third-party document-destruction company also facilitates better use
of file space because less space is required for unneeded
records. It also limits exposure to the new Federal Rule
26 concerning electronic discovery, which requires an entity
to produce all records requested within 85 days of a discovery
request or risk summary finding against the individual or
business. Legally disposing of end-of-retention records
decreases the time and effort needed to search for files.

Outsourcing document destruction also saves time and money because the
individual or company no longer needs to own or lease, and
then maintain, a consumer shredder designed to handle only
a few sheets of paper at a time. Commercial shredders easily
handle thick files, metal clips, and staples. A typical
drawer of files weighs approximately 60 pounds. A commercial
shredder can shred 30 to 50 such storage boxes per hour.

Finally, 17 trees are saved for every ton of paper that is shredded
and recycled, so using a commercial shredder also helps
the environment because all shred is recycled rather than
used as landfill.

Other Privacy Legislation

CPAs must also comply with the Gramm-Leach-Bliley Act of 1999.
There is an implied contract between an accountant and client
whenever the CPA asks for personal and financial information,
and the information must be protected.

The Health Insurance Portability and Accountability Act of 1996
(HIPAA), which is primarily geared toward medical doctors
protecting their patients’ medical history and information,
can apply to CPAs as well. For example, many CPA client
records include extensive information about hospitalizations
and medical expenses. Any personal medical information in
a client’s record must be destroyed before discarding.
There is also an implied contract between employers and
their past and present employees that requires the accountant
to protect any employee information, personal and medical.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
requires all businesses to protect consumer information
and to properly dispose of it in order to prevent identity
theft. FACTA takes effect as of June 2005, with a maximum
$2,500 federal fine and $1,000 state fine per violation,
plus attorneys’ fees. If information falls into the
wrong hands, the employer is potentially liable.

Dr. Elizabette Cohen is president of A+ Secure Shredding
Services, Inc. She can be reached at (718) 747-3358.