Ohio Valley Goodwill Industrial Services






Goodwill's Document Destruction Services
A Service You Need -- A Name You Can Trust

Half of your documents could be destroyed, but which half?

Certified "AAA" by the National Association for Information Destruction (NAID), Goodwill's Document Destruction Services helps protect people from identity theft and businesses from legal liability under current privacy laws by shredding sensitive and confidential documents.


When Goodwill's Document Destruction Services shreds your confidential and sensitive documents, you receive three benefits:

  1. Completely worry-free document destruction
  2. Competitive pricing
  3. The satisfaction of knowing the shredding of your documents provides training and jobs for people with disabilities and barriers to employment.

Call us to help with your document destruction needs, and please tell a friend about Goodwill's shredding service. The more paper we have to shred, the more people with disabilities we can employ.

Goodwill complies with the following laws:

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) governs personal health information and protects it from misuse, including unauthorized access. Any organization or individual that collects or retains health information must comply with HIPAA requirements. The act also requires improved efficiency in healthcare delivery by standardizing electronic data interchanges.

The act further requires that standards be set and enforced for the protection of confidentiality and the security of personal health information. Healthcare organizations must have documented policies defining the security measures that have been instituted to prevent unauthorized access to personal health information.

Personal health information includes items such as medical histories, clinical notes, appointment memos, phone messages, x-rays, claim forms, insurance information, prescription information, diagnoses and more.

Healthcare organizations must take action to ensure compliance with HIPAA. The penalties imposed on organizations that violate HIPAA are severe. An organization that fails to comply can be fined up to $100 per violation, up to a maximum of $25,000 per year for all violations of a given standard. Because each affected record counts as a separate violation, a lost or misplaced patient list thousands of names long could result in hundreds of thousands of dollars in penalties.

Criminal penalties also apply to anyone who knowingly releases or receives protected health information without the proper authorization. These penalties can include prison terms of one to five years and fines of $50,000 to $100,000. Anyone who releases protected health information for commercial advantage or to cause someone harm can be fined up to $250,000 and imprisoned for up to ten years.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLB), also known as the Financial Services Modernization Act, was enacted in 1999. It requires financial institutions to provide a privacy notice to their customers and restricts the non-public personal information about customers that they may share with third parties.

Financial institutions are also required to protect the security and integrity of customers' non-public information by physical and electronic means. The act gives eight federal agencies and the states authority to administer and enforce its provisions.

The privacy requirements have three important components: the Financial Privacy Rule, the Pretexting Provisions, and the Safeguards Rule. The Financial Privacy Rule and the Pretexting Provisions are mainly outside the scope of information security professionals' responsibilities. The Safeguards Rule, however, requires financial institutions to protect customer information from unauthorized use, and it is the portion of the Gramm-Leach-Bliley Act that most affects the information management industry.

The Safeguards Rule, which became effective in May 2003, requires all financial institutions to design, implement and maintain safeguards to protect customer information. Financial institutions must create a written information security plan that describes how they protect customer information. The scope of the plan may depend on the size of the organization. Each financial institution's plan must:
  • Designate at least one employee to coordinate the safeguards and bear responsibility for compliance
  • Identify internal and external risks to the security, confidentiality, and integrity of customer information across all relevant areas of operations, including employee training and management; information systems, processing, storage and disposal; and the prevention, detection and response to threats and attacks
  • Design, implement, and regularly test or monitor safeguards that control and limit those risks
  • Select and contract with service providers that are capable of maintaining the same standards.
What Industries Are Affected?

The Gramm-Leach-Bliley Act regulates financial institutions, which it defines as businesses "significantly engaged" in providing financial products or services. Examples include banks, insurance companies, lenders, credit card firms, accountants and financial planners. In practice, any such organization that maintains non-public personal information about its customers is affected. Key executives within an organization can also be held accountable for noncompliance.

Penalties for Violation Are Strict

The Gramm-Leach-Bliley Act provides civil and criminal penalties for noncompliance, including fines and imprisonment:
  • Civil penalties for businesses can include fines up to $100,000 for each violation.
  • Officers and directors can be held personally liable for a civil penalty for up to $10,000 per violation.
  • Criminal penalties may include up to five years in prison.
Compliance With the Act

When developing an information security plan, an organization should consider its impact on employee training, internal information systems, and the handling of system failures. To help comply, organizations should consider the following measures:
  • Thorough background checks of employees who will handle customer information
  • Signed agreements from all employees stating that they will follow the confidentiality and security procedures set out in the information security plan
  • Outsourcing document management, destruction and data protection to a secure provider, and locking rooms and file cabinets for any records stored in-house
  • Password protection on computers, with passwords changed periodically
  • Limiting access to customer information to authorized users only
  • Maintaining security throughout the life cycle of the organization's information: all documents should be stored in a location that is locked when unattended and protected against destruction and natural physical damage, and any electronic customer information should require a password and be covered by strict security protections
  • Keeping backup media and archived data secure, and destroying information securely when it reaches the end of its life cycle. At that point all documents and media containing non-public personal information (NPI) should be effectively destroyed, including computers, diskettes, magnetic tapes and hard drives.
This information is to provide clarity and should not be construed as legal advice.

Sarbanes-Oxley

This legislation was signed into law on July 30, 2002. It was enacted in response to the failure of public accountants to detect fraud when auditing corporate books and to corporate officers and directors who manipulated financial data to deceive auditors.

The act makes a corporation and its officers more responsible for the accuracy of its financial reporting. It created a new oversight board for accounting firms that audit publicly traded companies, and every public company in America now faces higher standards of conduct as a result.

The Public Company Accounting Oversight Board, established under Sarbanes-Oxley, requires auditors to retain audit work papers for seven years. Relevant documents to be retained include financial statements and records, whether paper or electronic, that may contain information related to or derived from an audit.

These standards have significantly changed how, and for how long, a company must retain its records. Sarbanes-Oxley requires clearly defined retention and destruction policies for all types of company documents generated in the corporate governance and auditing process.

The Sarbanes-Oxley Act includes stiff penalties for improper company reporting, corporate disclosure and auditing practices, including record keeping. Corporate executives are held personally accountable: CEOs and CFOs must certify the accuracy of financial statements, and a CEO or CFO who willfully certifies a false statement faces fines of up to $5 million and prison terms of up to 20 years. Corporations must carefully retain records in case they are demanded for a government investigation, litigation or audit. The knowing and willful destruction of audit records is punishable by prison terms of up to 10 years, and destroying, altering or falsifying documents to impede a federal investigation by prison terms of up to 20 years.

The Fair and Accurate Credit Transactions Act

The Fair and Accurate Credit Transactions Act (FACTA) is a federal law designed to reduce the risk of identity theft and consumer fraud by requiring the proper destruction of consumer information. The Disposal Rule under FACTA applies to businesses that use consumer information. It states that "any person who maintains or otherwise possesses consumer information for a business purpose" must properly dispose of that information when it is discarded, whether it is in electronic or paper form.

Penalties vary and can include civil liability, class action lawsuits, federal enforcement with penalties of up to $2,500 for each violation, and state enforcement allowing consumers to recover up to $1,000 for each negligent act.

The FACTA Disposal Rule requires companies to dispose of consumer information by burning, pulverizing or shredding paper records and by destroying or erasing electronic media so that the information cannot practicably be read or reconstructed. Contracting with a third party whose core competency is information destruction has become the most common and cost-effective way to meet this requirement.





