Many states have laws regulating how a holder of data must dispose of personal information. Such laws protect data if the holder decides it no longer wants to maintain that data.
There are generally two types of data destruction laws: those that specifically enumerate how the data must be destroyed and those that mandate the use of a disposal system that meets a reasonableness standard. Some states include both types, though most choose only one. States that fall into the first category typically use some variation of the following regulation: “Businesses must take all reasonable steps to destroy records by shredding, erasing, or otherwise modifying the personal information to make it unreadable or undecipherable.” Note that the statute defines how the records must be destroyed and what the final outcome of the process must yield. States that have passed this type of law include:
- Arkansas
- California
- Georgia
- Indiana
- Kansas
- Massachusetts
- Michigan
- Montana
- Nevada
- New Jersey
- New York
- Oregon
- Rhode Island
- Texas
- Vermont
The second type of data destruction law provides that: “businesses shall maintain reasonable security procedures and practices appropriate to the nature of the information to protect from unauthorized access, destruction, use, modification, or disclosure.” States that adopted this form of a records destruction law are:
- Arkansas
- Colorado
- Illinois*
- Maryland
- Nevada
- North Carolina
- Oregon
- Utah
- Washington
If your business operates in one or more of the above states, you should ensure that you are properly destroying any unneeded data. Improper destruction of records could lead to liability, unnecessary expense, and wasted time. More and more states are adopting and enforcing these laws, and you do not want to be caught unaware.
* Applies only to state agencies.