Document Destruction and Privacy Protections

By Elizabette Cohen

E-mail Story
Print Story
JUNE 2005 - CPAs have a legal obligation to have client records properly destroyed, or they may find themselves in direct violation of the 1974 Federal Privacy Act. An on-site document destruction company to destroy end-of-retention files can supply effective legal protection by providing a notarized document-destruction certificate that proves a third party shredded the files on-site. This certificate states where, when, and who shredded the stated files. The company is in compliance with all identity-theft laws and acts by properly disposing of end-of-retention files and possessing proof thereof.

A third-party document-destruction company also facilitates better use of file space because less space is required for unneeded records. It also limits exposure to the new Federal Rule 26 concerning electronic discovery, which requires an entity to produce all records requested within 85 days of a discovery request or risk summary finding against the individual or business. Legally disposing of end-of-retention records decreases the time and effort needed to search for files.

Outsourcing document-destruction also saves time and money because the individual or company no longer needs to own or lease, and then maintain, a consumer shredder designed to handle only a few sheets of paper at a time. Commercial shredders easily handle thick files, metal clips, and staples. A typical drawer of files weighs approximately 60 pounds. A commercial shredder can shred 30 to 50 such storage boxes per hour.

Finally, 17 trees are saved for every ton of paper that is shredded and recycled, so using a commercial shredder also helps the environment because all shred is recycled rather than used as landfill.

Other Privacy Legislation

CPAs must also comply with the Gramm-Leach-Bliley Act of 1999. There is an implied contract between an accountant and client whenever the CPA asks for personal and financial information, and the information must be protected.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is primarily geared toward medical doctors’ protecting their patients’ medical history and information, can apply to CPAs as well. For example, many CPA client records include extensive information about hospitalizations and medical expenses. Any personal medical information in a client’s record must be destroyed before discarding. There is also an implied contract between employers and their past and present employees that requires the accountant to protect any employee information, personal and medical.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires all businesses to protect consumer information and to properly dispose of it in order to prevent identity theft. FACTA takes effect as of June 2005, with a maximum $2,500 federal fine and $1,000 state fine per violation, plus attorneys’ fees. If information falls into the wrong hands, the employer is potentially liable.

Dr. Elizabette Cohen is president of A+ Secure Shredding Services, Inc. She can be reached at (718) 747-3358.




















The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs. Legal Notices