Regulatory issues Various regulations must be taken into consideration also. For example, Sarbanes-Oxley addresses the destruction of business records and documents and turns intentional document destruction into a process that must be carefully monitored. If the process is not followed, executives can find themselves under indictment. Having formally documented data retention and policies are a requirement.
SoX raises the legal stakes for destruction of corporate documents and includes numerous provisions that create and enhance criminal penalties for corporate fraud and obstruction of justice. SoX section 1102 makes it a crime, punishable by fine and imprisonment for up to 20 years, to corruptly alter, destroy, mutilate or conceal a record, document or other object with the intent to impair the object's integrity or availability or use in an official proceeding or to obstruct or impede an official proceeding. SoX section 802 states that "whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both."
Another relevant regulation around disposal is the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Enacted in June 2005 requires businesses and individuals to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of FACTA that calls for the proper disposal of information in consumer reports and records to protect against unauthorized access to or use of the information.
The Rule applies to people and both large and small organizations that use consumer reports, including: consumer reporting companies, lenders, insurers; employers; landlords; government agencies; mortgage brokers, car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the rule.
A benefit of having a formal document destruction process and using product such as the Media Disposal Toolkit is that since you are doing document destruction properly, your organization does not have to worry about every new regulation, as such practices are likely compliant with whatever new regulation comes out.