Volume 4, Issue 4
May 23, 2005
On November 18, 2004, the Federal Trade Commission ("FTC") issued its final rule regarding the proper disposal of consumer report information and records under the Fair and Accurate Credit Transactions Act of 2003 ("FACTA") and the Fair Credit Reporting Act ("FCRA"). This rule will become effective on June 1, 2005. Any business that possesses consumer information is covered by the rule, including employers.
FACTA requires that "any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose[,] properly dispose of any such information or compilation."
Consumer information consists of any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. A consumer report is any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit, character, general reputation, or personal characteristics which is obtained for a fee and used as a factor in establishing the consumer's eligibility for credit or insurance, employment purposes, or any other permissible purpose authorized by the FCRA. Information that does not identify individuals, such as aggregate or blind data, is not covered by the rule. In the employment context, typical examples of consumer reports are background checks performed by third parties and employee misconduct investigations undertaken by third-party investigators.
The new FTC rule provides that any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The rule does not require that the information be disposed of by a given time, or set forth any restrictions on maintaining such information. It merely requires that reasonable measures be taken to protect against unauthorized access to or use of consumer information in connection with its disposal.
The rule provides the following examples of "reasonable measures":
- Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
- Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
- After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.
- For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (b)(1) and (2) of this section.
- For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR part 314 ("Safeguards Rule"), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule.¹
As the rule becomes effective on June 1, 2005, it is important for employers to implement a policy for the destruction of consumer information by that date. Please feel free to contact the offices of Kamer Zucker & Abbott if you have any questions.
Employer Report articles are for general information only; they are not intended and should not be construed to be legal advice. Reading or replying to such articles does not establish an attorney-client relationship. In addition, because the subject matters and applicable laws discussed in Employer Report articles are often in a state of change and not always applicable to every type of business entity or organization, readers should consult with counsel before making decisions based on the same.