(A) When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.
(B) A business is considered to comply with subsection (A) if it contracts with a person engaged in the business of disposing of records for the modification of personal identifying information on behalf of the business in accordance with subsection (A).
(C) This section does not apply to:
(1) a bank or financial institution that is subject to and in compliance with the privacy and security provision of the Gramm-Leach-Bliley Act;
(2) a health insurer that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996; or
(3) a consumer credit-reporting agency that is subject to and in compliance with the federal Fair Credit Reporting Act.
HISTORY: 2008 Act No. 190, Section 2, eff December 31, 2008.