This page summarizes the federal and Massachusetts regulations that require the secure destruction of sensitive documents. Non-compliance can result in significant fines, lawsuits, and reputational damage.
Businesses and organizations are required by multiple federal and state laws to securely destroy sensitive information when it is no longer needed. Simply tossing documents in the trash or recycling bin is not compliant. Working with a NAID AAA Certified shredding provider like Valley Green Shredding ensures you meet these requirements and can prove it with a documented chain of custody.
Who must comply with the FACTA Disposal Rule: Any person or business that uses consumer reports or information derived from consumer reports. This includes employers who run background checks, landlords, creditors, insurance companies, and any business that collects personal financial information.
What's required: Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal. Documents must be burned, pulverized, or shredded so they cannot be practicably read or reconstructed. Electronic media must be destroyed or erased.
Documents covered: Credit reports, credit applications, account statements, insurance claims, tax returns with financial data, background check results, and any records containing consumer report information.
Penalties: Federal and state enforcement actions. Consumers can sue for actual damages or statutory damages up to $1,000 per violation. Class action suits can reach millions of dollars.
Who must comply with HIPAA: Healthcare providers, health plans, healthcare clearinghouses, and their business associates. This includes hospitals, physician offices, dental practices, pharmacies, insurance companies, billing services, IT contractors, and shredding companies that handle PHI.
What's required: Covered entities must implement policies and procedures for the proper disposal of Protected Health Information (PHI). Paper records must be shredded or otherwise destroyed so that PHI is rendered unreadable, indecipherable, and cannot be reconstructed. Business Associate Agreements are required with any vendor handling PHI.
Documents covered: Patient records, medical charts, lab results, billing statements, insurance forms, prescription records, appointment schedules with patient names, EOBs (Explanation of Benefits), and any document containing individually identifiable health information.
Penalties: Civil penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. Criminal penalties can reach $250,000 and up to 10 years imprisonment for knowing misuse.
Who must comply with the GLBA Safeguards Rule: Financial institutions including banks, credit unions, securities firms, insurance companies, mortgage brokers, tax preparers, financial advisors, debt collectors, real estate settlement services, and any company significantly engaged in financial activities.
What's required: The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that includes the proper disposal of customer information. Institutions must ensure the security and confidentiality of customer records throughout their lifecycle, including destruction.
Documents covered: Account numbers, account balances, transaction histories, loan applications, credit card information, Social Security numbers, income and employment data, tax returns, and any nonpublic personal information collected from customers.
Penalties: Fines up to $100,000 per violation for the institution. Officers and directors face fines up to $10,000 per violation and up to 5 years imprisonment.
Who must comply with SOX (Sarbanes-Oxley): All publicly traded companies in the United States, their management, and their public accounting firms. Also applies to wholly-owned subsidiaries and foreign companies listed on U.S. stock exchanges. Private companies may also be subject to certain provisions through contracts or industry standards.
What's required: SOX requires companies to retain certain business records for specified periods (typically 5–7 years) and establishes criminal penalties for the destruction, alteration, or falsification of records with intent to obstruct an investigation. Companies must have formal document retention and destruction policies with clear schedules.
Documents covered: Financial statements, audit work papers, correspondence, communications, accounting records, emails related to financial matters, and any documents relevant to federal investigations or bankruptcy proceedings.
Penalties: Destroying, altering, or concealing documents to obstruct an investigation carries fines and up to 20 years imprisonment under Section 802. Audit record violations carry up to 10 years imprisonment.
Who must comply with FERPA: Any educational institution that receives federal funding, including public schools (K-12), colleges, universities, and vocational schools. This covers virtually all public educational institutions and most private universities in the United States.
What's required: Schools must protect the privacy of student education records. When records are no longer needed or when retention periods expire, they must be disposed of in a manner that prevents unauthorized disclosure. Shredding is the recommended method for paper records containing personally identifiable student information.
Documents covered: Student transcripts, enrollment records, financial aid applications, disciplinary records, grade reports, attendance records, special education records (IEPs), counselor notes, and any records directly related to a student that are maintained by the institution.
Penalties: Loss of all federal funding. The Department of Education can investigate complaints and require corrective action. Institutions may also face civil liability under state laws for unauthorized disclosure of student records.
Who must comply with the Massachusetts data security regulation (201 CMR 17.00): Any person or business that owns, licenses, stores, or maintains personal information about a Massachusetts resident, regardless of where the business is located. This is one of the most far-reaching state data protection regulations in the country and applies to businesses of all sizes, including sole proprietors.
What's required: Organizations must develop, implement, and maintain a comprehensive Written Information Security Program (WISP) that includes secure disposal procedures. Paper documents containing personal information must be shredded, burned, or pulverized. Electronic records must be destroyed or erased so they cannot be read or reconstructed. Third-party service providers handling personal information must be contractually required to maintain safeguards.
Documents covered: Any document containing a Massachusetts resident's first and last name (or first initial and last name) in combination with a Social Security number, driver's license number, state ID number, financial account number, or credit/debit card number. This includes employee records, customer files, applications, and any HR or payroll documents.
Penalties: The Massachusetts Attorney General can enforce violations with fines up to $5,000 per violation (each record counts as a separate violation). Data breaches require notification to affected individuals and the AG's office. Businesses also face private lawsuits under Chapter 93A (consumer protection), which allows treble damages and attorney's fees.
Who uses NIST 800-88: Federal agencies and any organization that handles federal information or contracts with the government. Widely adopted as a best-practice standard by private sector organizations, particularly in healthcare, finance, and defense. Many compliance frameworks reference NIST 800-88 as the benchmark for media destruction.
What's required: NIST 800-88 defines three levels of media sanitization: Clear (logical techniques), Purge (physical or logical methods for overwriting), and Destroy (physical destruction rendering recovery infeasible). For hard drives and SSDs, destruction typically means shredding, disintegration, or incineration. The standard requires verification and documentation of destruction.
Media covered: Hard disk drives (HDDs), solid-state drives (SSDs), magnetic tapes, optical media (CDs, DVDs, Blu-ray), USB flash drives, memory cards, mobile devices, copier/printer hard drives, and any electronic media that stores data. Valley Green Shredding provides hard drive and SSD destruction that meets NIST Destroy standards.
Penalties: While NIST 800-88 itself is a guideline rather than a law, failure to follow it can result in loss of government contracts, security clearance revocation, and non-compliance with regulations (HIPAA, GLBA, etc.) that reference NIST standards. Federal agencies face audit findings and corrective action requirements.
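The two things the NIST passage asks for, choosing a sanitization level that is at least as strong as policy demands and keeping verifiable documentation of each destruction, are easy to get wrong in a spreadsheet. The script below is an added example (it is not Valley Green Shredding's code, nor text from NIST SP 800-88). It assumes a constructed policy table mapping media type and an organization's own sensitivity label to a minimum level, and it records each destruction event in a SHA-256 hash-chained log so that a later auditor can detect an edited or removed entry; the asset IDs, technician names and timestamps are constructed sample data.

```python
"""Sanitization-level policy check plus a tamper-evident destruction log.

Added example, not Valley Green Shredding's code and not NIST SP 800-88 text.
The policy table, asset IDs and technician names below are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# NIST SP 800-88 levels, ordered from weakest to strongest.
LEVEL_RANK = {"clear": 1, "purge": 2, "destroy": 3}

# Constructed policy (an assumption for this example): the minimum level the
# organization demands for each (media type, sensitivity label) pair.
MIN_LEVEL = {
    ("hdd", "internal"): "clear",
    ("hdd", "regulated"): "purge",
    ("ssd", "internal"): "clear",
    ("ssd", "regulated"): "purge",
    ("optical", "internal"): "destroy",
    ("optical", "regulated"): "destroy",
    ("paper", "internal"): "destroy",
    ("paper", "regulated"): "destroy",
}

GENESIS = "0" * 64  # prev_hash of the first log entry


def required_level(media, sensitivity):
    """Return the policy minimum; an unknown pair is an error, never a guess."""
    try:
        return MIN_LEVEL[(media, sensitivity)]
    except KeyError:
        raise ValueError(f"no disposal policy for {media}/{sensitivity}")


def meets_policy(media, sensitivity, applied_level):
    """True if the level actually applied is at least the policy minimum."""
    required = required_level(media, sensitivity)
    return LEVEL_RANK[applied_level] >= LEVEL_RANK[required]


def _entry_hash(entry):
    # Canonical JSON so the digest does not depend on key order or spacing.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(log, *, asset_id, media, sensitivity, applied_level,
                 method, verified_by, when=None):
    """Record one destruction event, chained to the previous entry's hash.

    Refuses to log an event whose level is below policy, so the log can only
    ever contain compliant destructions.
    """
    if not meets_policy(media, sensitivity, applied_level):
        raise ValueError(
            f"{asset_id}: {applied_level} is below the required "
            f"{required_level(media, sensitivity)} level")
    entry = {
        "asset_id": asset_id,
        "media": media,
        "sensitivity": sensitivity,
        "level": applied_level,
        "method": method,
        "verified_by": verified_by,
        "timestamp": when or datetime.now(timezone.utc).isoformat(),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Recompute every hash and link; False if any entry was altered or removed."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev or _entry_hash(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def demo_log():
    """Build a two-entry log from constructed sample events."""
    log = []
    append_event(log, asset_id="HDD-0001", media="hdd", sensitivity="regulated",
                 applied_level="destroy", method="shred", verified_by="tech-a",
                 when="2024-01-15T10:00:00+00:00")
    append_event(log, asset_id="BOX-0042", media="paper", sensitivity="regulated",
                 applied_level="destroy", method="cross-cut shred",
                 verified_by="tech-b", when="2024-01-15T10:05:00+00:00")
    return log


if __name__ == "__main__":
    log = demo_log()
    print(json.dumps(log, indent=2))
    print("log verifies:", verify_log(log))
```

The chain only detects tampering after the fact; for it to serve as chain-of-custody evidence the final hash needs to be exported somewhere the people who write the log cannot edit (a signed certificate of destruction, a ticket in a separate system), which is the "documentation" half of the NIST requirement.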