September 28, 2005
Author: , Esq.
Overview
On December 4, 2003, the Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, 117 Stat. 1952 (“FACT Act”) was signed into law. The FACT Act amends the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq., by requiring that “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.”1 Regulations were added, effective June 1, 2005, to assist businesses in complying with the record disposal rule imposed by the FACT Act.
Purpose
As set forth in the regulations, the purpose of § 216 of the FACT Act is to “reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.” 2
Who Is Affected
Any business, regardless of industry, that obtains a consumer report, or information derived from a consumer report, will be subject to the record disposal rule imposed by the FACT Act.3 Among the entities that possess or maintain consumer information for a business purpose are consumer reporting agencies, as well as landlords, government agencies, mortgage brokers, automobile dealers, utility companies, telecommunication companies, employers, and other users of consumer reports. 4
Consumer Information
The FACT Act refers to disposing of information “derived from consumer reports.” The phrase “derived from consumer reports”5 covers all information about a consumer that is derived from any consumer report(s), including information taken from a consumer report, information that results from manipulation of information taken from a consumer report, and information combined with other types of information.6 The Federal Trade Commission (“FTC”) believes that there are various personal identifiers beyond a person’s name that would bring information within the scope of § 216 of the FACT Act, “including but not limited to, a social security number, driver’s license number, phone number, physical address, and e-mail address.” 7
“[I]nformation that does not identify individuals, such as aggregate information or blind data,” is excluded.8
Proper Disposal of Consumer Information
The standard for proper disposal is a “reasonable measures” standard. Specifically, any person that maintains or possesses consumer information is required to “take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”9 This is a flexible standard that does not require “covered persons to ensure perfect destruction of consumer information in every instance.”10 The FTC expects that in taking “reasonable measures,” entities covered by § 216 of the FACT Act will “consider the sensitivity of the consumer information, the nature and size of the entity’s operations, the costs and benefits of different disposal methods, and relevant technological changes.”11 The FTC has also stated that “reasonable measures” are likely to include establishment of policies and procedures for disposal, as well as proper employee training.12
In order to provide additional guidance, the regulations also list examples of disposal measures that would be reasonable under § 216 of the FACT Act including:
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practically be read or reconstructed.13
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practically be read or reconstructed.14
(3) After due diligence, entering and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule.15
These examples are “illustrative only and are not exclusive or exhaustive,” because they cannot take into account the unique circumstances of a particular entity.16 As the regulations do not mandate specific disposal measures, an entity may determine the most appropriate method of disposal. For instance, a small entity could purchase a paper shredder to dispose of paper records. Or, if a small entity has consumer information stored on computer discs or hard drives, disposal of such electronic media could be accomplished by smashing the material with a hammer or overwriting or “wiping” the data prior to disposal.17
Although the regulations address the methods for disposing of consumer information, they fail to provide guidance on when and how often to dispose of such information.
Penalties
Any person who willfully fails to comply with the FACT Act with respect to any consumer is liable to that consumer for actual damages sustained by the consumer as a result of the failure up to $1,000 per affected consumer.18 The FTC is authorized to seek up to $2,500 in civil penalties in the event of a knowing violation (a pattern or practice of similar violations).19
Relation to Other Laws
A financial institution subject to the FTC’s Gramm-Leach-Bliley Safeguard Rule must comply with the information security program required by those regulations, as well as the record disposal regulations imposed by the FACT Act.20
The record disposal regulations imposed by the FACT Act do not interfere with the recordkeeping requirements imposed by laws such as Title VII of the Civil Rights Act and the Americans with Disabilities Act.
Practical Impact on Businesses
Based upon the individual characteristics of the business, the business will have to choose the appropriate methods for disposing of paper records and electronic records containing consumer information. The disposal methods used will vary depending on the nature, size, and financial status of the business.
In order to comply with the law and its regulations, businesses will have to establish policies and procedures for disposal of consumer information. It may also be necessary for businesses to revise their current document retention policies.
Businesses will need to provide employees with training on what types of records constitute consumer information, when to dispose of such information, and the proper methods of disposing of such information.
The FACT Act record disposal regulations became effective June 1, 2005. As such, businesses must begin taking the appropriate steps necessary to ensure they are in compliance with the law.
End Notes
1. FACT Act § 216, 15 U.S.C. § 1681w(a)(1).
2. 16 C.F.R. § 682.2(a).
3. 16 C.F.R. § 682.2(b).
4. Disposal of Consumer Report Information and Records, 69 Fed. Reg. 68690-01 (Nov. 24, 2004) (codified at 16 C.F.R., pt. 682).
5. FACT Act § 216, 15 U.S.C. § 1681w(a)(1).
6. Disposal of Consumer Report Information and Records, 69 Fed. Reg. 68690-01 (Nov. 24, 2004) (codified at 16 C.F.R., pt. 682).
7. Id.
8. 16 C.F.R. § 682.1(b).
9. 16 C.F.R. § 682.3(a).
10. Disposal of Consumer Report Information and Records, 69 Fed. Reg. 68690-01 (Nov. 24, 2004) (codified at 16 C.F.R., pt. 682).
11. Id.
12. Id.
13. 16 C.F.R. § 682.3(b)(1).
14. 16 C.F.R. § 682.3(b)(2).
15. 16 C.F.R. § 682.3(b)(3).
16. 16 C.F.R. § 682.3(b).
17. Disposal of Consumer Report Information and Records, 69 Fed. Reg. 68690-01 (Nov. 24, 2004) (codified at 16 C.F.R., pt. 682).
18. 15 U.S.C. § 1681n(a).
19. 15 U.S.C. § 1681s(a)(2)(A).
20. 16 C.F.R. § 682.3(b)(5).