§140.150. Disposal of Records


a) When disposing of records that contain personal information, including, but not limited to, social security numbers, driver's license numbers or non-driver identification card numbers, financial account numbers or codes, debit card numbers or codes, automated teller machine card numbers or codes, electronic serial numbers, or personal identification numbers, a debt settlement provider shall take all reasonable measures necessary to protect against unauthorized access to or use of the records.

b) Licensees must implement policies and procedures to implement this Section and the measures that may be taken to comply with this Section include the following:

    1) implementing and monitoring compliance with policies and procedures that require the burning, pulverizing or shredding of paper documents containing personal information so that the personal information cannot practicably be read or reconstructed (for example, licensees must have a paper shredder at the licensed location or other location accessible to the licensee or contract with a third party to provide destruction or disposal of personal information);

    2) implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the personal information cannot practicably be read or reconstructed (for example, licensees must have the technological resources to destroy or erase electronic or other nonpaper media or contract with a third party to provide destruction or erasure of electronic or other nonpaper media);

    3) a licensee may enter into a written contract with a third party engaged in the business of record destruction to dispose of records containing personal information.

(Source:  Added at 35 Ill. Reg. 6350, effective March 29, 2011)