Management company threw old leases with Soc numbers into dumpster

[80111john]

Colorado.

I just threw some trash into the dumpster at my apartment complex. Saw stacks of documents on top of dumpster including multiple banker's boxes with more documents in them. I looked at them and realized they were originals of tenant leases from the last 2 years or so. I never had a paper lease here so no chance my info is in there.

They include personal identifying information including Social Security numbers.

1. Is the management company liable for negligence here?

2. Am I liable for examining documents surrendered into a dumpster on private property? I am a resident of the complex.

3. Should I do something here or just pull trash over the docs and move on with my life?

Thanks,

John

 

[LdiJ]

Colorado.

I just threw some trash into the dumpster at my apartment complex. Saw stacks of documents on top of dumpster including multiple banker's boxes with more documents in them. I looked at them and realized they were originals of tenant leases from the last 2 years or so. I never had a paper lease here so no chance my info is in there.

They include personal identifying information including Social Security numbers.

1. Is the management company liable for negligence here?

2. Am I liable for examining documents surrendered into a dumpster on private property? I am a resident of the complex.

3. Should I do something here or just pull trash over the docs and move on with my life?

Thanks,

John

I would call the police (non-emergency number) and discuss the matter with them. Its a serious breach of confidence for them to do that. I do not know whether the police will do anything about it or not, but I do know that businesses around the country of gotten into a great deal of trouble for doing similar things.

If the police are not interested, you might consider contacting the local news as well.

 

[Zigner]

I would call the police (non-emergency number) and discuss the matter with them. Its a serious breach of confidence for them to do that. I do not know whether the police will do anything about it or not, but I do know that businesses around the country of gotten into a great deal of trouble for doing similar things.

If the police are not interested, you might consider contacting the local news as well.

And not a word about letting the management company know?

 

[adjusterjack]

1. Is the management company liable for negligence here?

Maybe.

2. Am I liable for examining documents surrendered into a dumpster on private property? I am a resident of the complex.

You gonna tell anybody you did it?

3. Should I just pull trash over the docs and move on with my life?

That's a good idea.

 

[Taxing Matters]

Colorado.

1. Is the management company liable for negligence here?

If the information is obtained by someone and used to harm the persons whose SSNs were exposed, then the company may be deemed negligent and therefore liable for that harm. If nothing ever comes of it, then the management company will not be liable for anything.

2. Am I liable for examining documents surrendered into a dumpster on private property? I am a resident of the complex.

No. But should you take the documents or misuse any information you saw in the documents you could face criminal or civil legal action.

3. Should I do something here or just pull trash over the docs and move on with my life?

I suggest notifying the management company of what you saw and remind them of the potential risks involved. It’s up to them to decide what to do from there.

Contacting the police will do no good. What the management company has done is not a crime and is therefore not the concern of the police. There is nothing that the police can do about this.

I doubt that the Denver area media will care much about this. Moreover, publicizing what has been done only puts those documents at even more risk that someone would take them and misuse them. Thus, I do not recommend that idea.

 

[quincy]

Following is a link to the National Conference of State Legislatures on state disposal laws as they relate to personal and confidential information. The disposal laws in Colorado cover both government agencies and businesses.

http://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx

And here is a link to the FTC on disposing of consumers personal information:

https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how

In Detroit, there was an improper disposal of health clinic records discovered in a dumpster by a Detroit resident. The story was covered by the local news outlets. Improper disposal of confidential information by an area business is as important as any data breach by any entity. Local news organizations will generally be interested in covering such a story as it directly affects their news audience.

 

[LdiJ]

And not a word about letting the management company know?

They are the ones who threw the stuff in the dumpster in the first place. Therefore I am pretty sure they already know.

 

[quincy]

They are the ones who threw the stuff in the dumpster in the first place. Therefore I am pretty sure they already know.

... or management might have given instructions to someone to dispose of the records properly and they have no idea their instructions were not followed ....

 

[LdiJ]

... or management might have given instructions to someone to dispose of the records properly and they have no idea their instructions were not followed ....

That is possible, but most on site management consists of just a handful of people in an office in the clubhouse. Now, if those handful of people work for a larger company that manages lots of complexes then by all means, contact the company headquarters and mention it to them.

 

[Taxing Matters]

The disposal laws in Colorado cover both government agencies and businesses.

True, but Colorado law only requires that the business have a policy for destruction of records with certain confidential information in them. “Each public and private entity in the state that uses documents during the course of business that contain personal identifying information shall develop a policy for the destruction or proper disposal of paper documents containing personal identifying information.” CRS § 6-1-713(1). The problem here is that the state statute does not set out any specific minimum requirements for document destruction. So, if the policy of the business is that it will destroy records by dumping them in the trash, that would appear to meet the requirements of the state law. The business had a policy; just not a very good one. The failure to have a policy would subject the business to a penalty imposed by the Attorney General though I have not yet seen any cases of that. Certainly what the business has done here is poor business practice and may expose the business to liability should someone misuse the information in those records, but it is not a crime.

 

[quincy]

True, but Colorado law only requires that the business have a policy for destruction of records with certain confidential information in them. “Each public and private entity in the state that uses documents during the course of business that contain personal identifying information shall develop a policy for the destruction or proper disposal of paper documents containing personal identifying information.” CRS § 6-1-713(1). The problem here is that the state statute does not set out any specific minimum requirements for document destruction. So, if the policy of the business is that it will destroy records by dumping them in the trash, that would appear to meet the requirements of the state law. The business had a policy; just not a very good one. The failure to have a policy would subject the business to a penalty imposed by the Attorney General though I have not yet seen any cases of that. Certainly what the business has done here is poor business practice and may expose the business to liability should someone misuse the information in those records, but it is not a crime.

When there is no specific state (or business) policy, states (and businesses) refer to federal requirements. See the FTC link I provided earlier, for example, that shows how records (including records generated by landlords) must be disposed of.

For a recent well-publicized case, look at Safeway and the $10 million they were fined for improper disposal of pharmacy records.

 

[Zigner]

They are the ones who threw the stuff in the dumpster in the first place. Therefore I am pretty sure they already know.

Nobody ever's made a mistake?

 

[Taxing Matters]

When there is no specific state (or business) policy, states (and businesses) refer to federal requirements. See the FTC link I provided earlier, for example, that shows how records (including records generated by landlords) must be disposed of.

The FTC rule applies if the records disposed of are “consumer reports” or information obtained from such reports. Very generally, a consumer report is a report that the business obtains about the consumer from a consumer reporting agency, e.g. a credit bureau. So if the information disposed of is, for example, from credit reports the FTC rule certainly applies and the management company would run the risk of enforcement action by the FTC. I admit I didn’t think about the information in the dumpster possibly being credit reports that the management company ran on prospective tenants. To the extent that kind of information was trashed it would seem to be a clear violation of the FTC rule. While not a crime, the management company could nevertheless be subject to a significant civil fine from the FTC. But if these were records of information that the management company got directly from the renters, the FTC rule does not cover that.

For a recent well-publicized case, look at Safeway and the $10 million they were fined for improper disposal of pharmacy records.

That case involved disposal of protected health information (PHI) by a covered entity (a pharmacy) which is regulated by the federal Health Insurance and Portability and Accountability Act (HIPAA) and, in the Safeway case, the California Confidentiality of Medical Information Act. The management company here is not a covered entity for HIPAA purposes and of course the California wouldn’t apply here in any case. It does illustrate, though, that were a privacy law does apply a business who fails to comply with that law may face serious penalties.

What all this points out is that the laws relating to privacy of information and disposal of it are a patchwork of laws that, for the most part, target very specific industries or types of information. In my experience many Americans think far more of their information is protected by such laws than is really case, giving them a false sense of security. It is precisely because a lot of situations are simply not addressed in federal and state laws that individuals need to be proactive about the security of their information and ask businesses that seek personal information about what the business’ privacy policy is, how their information will be used and shared by the business, etc. IMO many Americans part with personal information much too easily; they ought to be reading privacy policies carefully and, where there is no policy or the policy isn't clear, they ought to be asking questions about the privacy of their information. You are the most important protector of your own information, after all.

 

[quincy]

Most landlords run credit checks on prospective tenants, and rental applications often note the social security numbers and banking information of tenants. The FTC Rules apply.

The laws Safeway violated were many, but the violations all resulted from the improper disposal of private and confidential material.

I agree that many people are not aware of the extent to which their personal information is used and abused. The various and assorted privacy protection laws can do nothing to prevent confidential material from being disclosed or disposed of improperly (or having databases hacked), but knowledge of the sizeable fines that can be assessed against violators is sure to make those in control of confidential material more careful when handling it.

I think a call to management, to the police and to the local media are all good steps for 80111john to take - and he should take these steps before the waste removal trucks visit the apartment complex.

 

[Taxing Matters]

I agree that many people are not aware of the extent to which their personal information is used and abused. The various and assorted privacy protection laws can do nothing to prevent confidential material from being disclosed or disposed of improperly (or having databases hacked), but knowledge of the sizeable fines that can be assessed against violators is sure to make those in control of confidential material more careful when handling it.

The flip side of this is that unfortunately many small to medium sized businesses are not very aware of the privacy laws that do apply to them nor aware of even the general negligence liability risk they have in failing to have a sound privacy protection system and to ensure that system is followed. Consumers trust businesses to protect their information, but in too many instances the businesses just haven’t really given that issue much serious thought. I agree that news like the Safeway fines and other instances of enforcement action and successful lawsuits can help to alert businesses of their need to implement a sound privacy policy but so far I've not seen a huge shift in awareness among smaller businesses on that front.