Grand Valley firm offers help in complying with records destruction law

A Grand Valley company offers assistance and services to help businesses comply with a new state law governing the destruction of data containing personally identifying information.

Colorado Document Security can provide a 14-minute DVD on employee information disposal training as well as answer questions. The company also can help businesses develop written policies and employee training for document destruction.

Colorado Document Security offers onsite document destruction services in four states with a fleet of five trucks, in turn helping customers meet state and federal requirements while providing court-defensible risk mitigation.

Colorado Document Security maintains certification from the National Association for Information Destruction as well as professional liability insurance coverage for data breaches.

Scott Fasken, founder and vice president of the company, said any shredding company can turn large pieces of paper into small pieces of paper. His firm focuses on making sure customers comply with the law.

In Colorado, a newly enacted state law expands the definition of personal identifying information, refines data breach notification requirements and requires businesses to develop and maintain written policies for the destruction of paper or electronic records containing personal identifying information.

Personal information includes names as well as Social Security, driver’s license and passport numbers.  Personal information also includes emails combined with passwords or other security measures and debit and credit card numbers combined with access codes and passwords.

The new law also requires businesses to take measures to protect personal identifying information shared with third party service providers by requiring them to implement and maintain security procedures, including written policies and employee training.

To comply with the new law, businesses must develop written policies for document destruction, put those policies into place, perform due diligence with vendors who handle personal identifying information and design data breach notification policies so people who could be affected by a breach are notified within 30 days.

When it comes to performing due diligence in hiring a document destruction company, Fasken said businesses owners and managers should look for what he called the three-legged stool of security: on-site shredding, certification from a recognized trade group and professional liability insurance.