Sunday, May 11, 2008

Howard & Howard - law for business
Breaking Legal News



FTC Issues Rule Regarding Disposal of Consumer Information

The Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159 (“FACTA” or “Act”) was signed into law on December 4, 2003. In part, the Act amends the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. 1681 et seq., by imposing a new requirement on persons who possess or maintain, for a business purpose, consumer information derived from consumer reports, to discourage fraud, invasion of privacy and identity theft.

The FTC rule implementing the Act requires that any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, must take certain steps when it decides to dispose of such information.  The rule will cover many types of businesses.  For example, the preamble to the rule identifies lenders, insurers, employers, landlords, government agencies, mortgage brokers, and automobile dealers as businesses which may be subject to the rule.  The rule is found at 16 C.F.R. § 682, and becomes effective June 1, 2005. 

The rule itself does not require the creation, maintenance or destruction of any document or record.  Instead, the rule requires that persons and entities over which the FTC has jurisdiction which maintain or otherwise possess consumer information for a business purpose properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information being disposed.  The rule also includes several examples of what the FTC believes constitute reasonable measures to protect consumer information in connection with its disposal.  These examples are intended to provide covered entities with guidance on how to comply with the rule but are not intended to be safe harbors or exclusive methods for complying with the rule.

Unless otherwise stated, terms used in the disposal rule have the same meaning as set forth in the FCRA.  The term “consumer report” has the same meaning as the term “consumer report” elsewhere in the FCRA.

“Consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.  Consumer information also means a compilation of such records.  Employee background check information might also be covered.  Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.  The preamble to the rule points out that information which may identify a particular individual goes beyond the person’s name, and may include social security number, driver’s license number, phone number, physical address, and an email address.  The preamble also notes that other data elements not inherently identifying may, in combination with other information, identify particular individuals.   

“Dispose,” “Disposing,” or “Disposal” means:

(1) the discarding or abandonment of consumer information, or

(2) the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.

As noted above, the rule is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.

Under the rule, any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

The rule provides the following examples, which are illustrative only and are not exclusive or exhaustive methods for complying with the rule.

(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.

(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.

(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company’s operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to the rule, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (1) and (2) above.

(5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR Part 314 (“Safeguards Rule”), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule.

As mentioned, the rule does not require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; nor does it alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record. 

Businesses have six months after the effective date of the rule to come into compliance. Penalties for willful noncompliance include actual damages or statutory damages between $100.00 and $1,000.00 per violation, plus costs including attorneys’ fees. In some circumstances punitive damages may be available. Additionally, administrative fines between $1,000.00 and $2,500.00 per violation might be imposed. It is not unreasonable to think that violations of the rule could lead to class action claims. For example, one discarded computer hard drive could contain consumer information concerning tens of thousands of people.

Businesses are well advised to become familiar with the rule, identify any consumer information which they possess, and take great care when disposing of such information.

Michael Lied is a member of the Labor & Employment Group at Howard & Howard. He represents employers in a wide variety of employment, labor and immigration matters. For more information, please contact Michael Lied at (309) 672-1483 or email mrl@h2law.com.

Copyright 2005 Howard & Howard Attorneys, P.C. This publication is intended to provide information only and does not constitute legal advice.
