Introduction: An Easy-to-Read Guide to Understanding NAID and FACTA Compliance
Shredding documents is an important part of making sure a business stays in compliance with the regulations put in place to protect confidential consumer information. A business found to be in violation of these regulations can be fined from $500 up to $500,000 per event, as well as being held responsible for paying damages and restitution to any of its customers whose information was compromised.
In this whitepaper, we seek to inform the reader about the important pieces of legislation and the organizations that set document destruction guidelines and regulations for businesses in the United States. The two main focuses of this document are the National Association for Information Destruction (NAID) and the Fair and Accurate Transactions Act (FACTA), and the respective roles each plays in the safe and ethical disposal of consumers’ private financial information.
What is FACTA?
FACTA is a piece of legislation, passed in 1970, that amended the Fair Credit Reporting Act (FCRA) and established regulations to help protect consumers from having their data taken and their identity stolen. It established important tenets such as the Red Flag Rules, the right to access a free annual credit report, and proper disposal requirements for sensitive information.
What is the NAID?
The NAID is the international governing organization for companies like FileShred that provide document destruction services. Its job is to set standards for the ethical and responsible handling of consumer information while promoting the industry as a whole. It offers voluntary certifications that let members demonstrate that their document destruction procedures meet the highest possible standards.
Becoming FACTA Compliant
There are several requirements for making sure a document destruction business is in full compliance with FACTA.
The biggest change that came with the Fair and Accurate Transactions Act was the implementation of the “Red Flag Rules.” These rules require financial institutions to develop an Identity Theft Prevention Program designed to prevent and detect practices and patterns that could lead to identity theft. Such a program should identify and detect red flags as they occur, and respond to any suspicious activity as quickly as possible. Organizations are also required to train staff members on the Red Flag Rules and the best practices associated with them, and to regularly update their program as identity theft threats change and evolve.
FACTA established that every consumer is entitled to one free credit report per year from one of the three national credit reporting companies.
Alerts & Monitoring
In order to let consumers have more control over their own information, FACTA allows the creation of systems that can be set up to distribute personal alerts in regards to a consumer’s credit history.
Last, but certainly not least, FACTA sets rules on how to properly dispose of classified consumer information. According to a press release from the FTC,
“The Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to: burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed; destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed; or conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include: reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule; obtaining information about the disposal company from several references; requiring that the disposal company be certified by a recognized trade association; or reviewing and evaluating the disposal company’s information security policies or procedures.”
When conducting an audit, NAID’s AAA Certification inspectors closely monitor a number of different aspects of a data destruction company’s operations in regards to:
- Employee Requirements
- Operational Security
- Endorsements & The Destruction Process
- Company Assurances
If you’d like to view the extensive requirements that must be met for each category, you may do so on page 31 of this document, which outlines the certification program in greater detail.
Ensuring Information Destruction is Fully FACTA Compliant
While the majority of FACTA only applies to financial institutions and creditors, the proper disposal of sensitive and confidential information is best left to a commercial document destruction service provider that can be sure to meet the standards outlined in the rules above.
NAID AAA Certification Provides Extra Protection for Your Business
By making sure that your document destruction is handled by an NAID AAA Certified vendor, you ensure the compliance of their services and gain further peace of mind with an official stamp of approval from a third-party expert.
The NAID and FACTA are both important to maintaining consumer privacy and security. While the NAID sets standards and offers certifications for the responsible disposal and destruction of client and consumer information, FACTA ensures that financial institutions take measures to protect a consumer’s identity and give them greater control over their own information. If you are a financial institution, it’s important that you comply with FACTA regulations and make sure that the company handling your document destruction is NAID AAA Certified. By doing so you protect yourself, your customers, and your bottom line, and avoid the expensive fines and penalties that come from the improper destruction of private information.
For more information, visit: