26 Sep 2022

Disposal of 'Personal' Information

Scott Zucker

Founding Partner

A regular concern for self-storage operators is managing personal information discovered in a storage unit as a result of a lien enforcement action or tenant abandonment.

Although not consistently defined in the industry, a common definition of personal information is as follows: “Personal information” means information about a person that readily identifies that person or is closely associated with that person. “Personal information” includes, but is not limited to, social security numbers, credit or debit card information, bank account numbers, medical information or passport information.

So, what is an operator to do when it discovers such personal information in a tenant’s unit?

The answer may depend on the applicable state law. For example, under the state lien law for Maine, the statute provides as follows: “When the operator has a reasonable belief that the leased space contains personal information relating to clients, customers or others with whom the occupant does business, the operator may not hold a lien sale of the personal information and may destroy the personal information without liability to any person.” Similarly, the state lien law for Arkansas provides as follows: “If the operator has a reasonable belief that the leased self-service storage space contains personal information relating to clients, customers, or others with whom the occupant does business, the operator may after an occupant is in default for a period of more than forty-five (45) days inspect the contents of a leased self-service storage space to investigate for the presence of personal information without any liability to the occupant or any other person who claims an interest in the personal information. The operator: (1) Shall not sell the personal information [under the statute]; (2) Shall destroy the personal information. An operator who complies with [this section] is not liable to the occupant or any other person who claims an interest in the personal information.”

Given the increased attention to identity theft, fraud and other privacy issues, self storage facilities need to review or develop policies to ensure the actual destruction of discarded records, particularly when the facility operator is aware of the existence of the records and when those records contain sensitive information. If a facility operator is left with a delinquent unit and there are personal records discovered in the unit, especially records associated with third parties (clients, patients, applicants, customers), it is probably a good idea for the operator to properly dispose of those records if they cannot otherwise be returned to the tenant. Given the risk of identity theft, it is always better to be safe than sorry.

In the past, the practice known as “dumpster diving” has provided identity thieves with a wealth of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. The standard for proper disposal is that any person must dispose of such private information by taking reasonable measures to protect against the unauthorized access to or use of the information in connection with its disposal. A company may either perform such eradication measures itself or, “after due diligence,” may enter into a contract with a third party already engaged in the business of record destruction to perform such services. In making a determination of whether a particular company is suitable to perform the record destruction, due diligence takes into consideration a variety of information. In most instances, properly disposing of private information means shredding or burning paper records or wiping computers clean of such data. As to paper shredding, the best way for companies to comply is to hire an outside shredding company to do the shredding. As for electronic data, there are numerous companies that now manage the proper and environmentally safe destruction of computer files.

Certain federal laws, as well as some recently enacted state self storage laws, impose liability on companies for the mishandling of information which leads to identity theft. If a situation arises, a company must be able to demonstrate what the company did to destroy the information. As long as the company made a good faith effort to dispose of the private information, it is unlikely there will be any liability. However, liability for negligent violation can include the actual damages incurred by the affected individual plus costs of the action, including attorneys’ fees. In addition, certain federal rules provide for administrative enforcement, which could include federal fines of up to $2,500.00 per violation. Punitive damages are also available.

Privacy rights are increasingly becoming a significant concern to consumers and business operators and the self storage business is not immune from the liability risks that accompany access to personal data as part of that business. As such, it is up to operators to remain aware of the laws of their State that impact their businesses and use discretion when deciding how best to deal with the storage and disposal of records that may expose their customers and innocent third parties to the risk of identity theft.

This article was originally published in Self Storage Legal Monthly Minute by Scott Zucker, September 2022