FACTA Disposal Rule Goes into Effect June 1
Beginning today, a
new federal rule will require businesses and individuals to take
appropriate measures to dispose of sensitive information derived from
consumer reports. Any business or individual who uses a consumer report
for a business purpose is subject to the requirements of the Disposal
Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA),
which calls for the proper disposal of information in consumer reports and
records to protect against “unauthorized access to or use of the
information.”
The standard
for the proper disposal of information derived from a consumer report is
flexible, and allows the organizations and individuals covered by the Rule
to determine what measures are reasonable based on the sensitivity of the
information, the costs and benefits of different disposal methods, and
changes in technology. Although the Disposal Rule applies to consumer
reports and the information derived from consumer reports, the FTC
encourages those who dispose of any records containing a consumer’s
personal or financial information to take similar protective measures.
The Rule applies to people
and both large and small organizations that use consumer reports,
including: consumer reporting companies; lenders; insurers; employers;
landlords; government agencies; mortgage brokers; car dealers; attorneys;
private investigators; debt collectors; individuals who pull consumer
reports on prospective home employees, such as nannies or contractors; and
entities that maintain information in consumer reports as part of their
role as a service provider to other organizations covered by the Rule.
The Disposal Rule applies to consumer reports or information derived from
consumer reports. The Fair Credit Reporting Act defines the term consumer
report to include information obtained from a consumer reporting company
that is used – or expected to be used – in establishing a consumer’s
eligibility for credit, employment, or insurance, among other purposes.
Examples of consumer reports include credit reports, credit scores,
reports businesses or individuals receive with information relating to
employment background, check writing history, insurance claims,
residential or tenant history, or medical history.
The Rule requires disposal practices that are reasonable and appropriate
to prevent the unauthorized access to – or use of – information in a
consumer report. For example, reasonable measures for disposing of
consumer report information could include establishing and complying with
policies to: burn, pulverize, or shred papers containing consumer report
information so that the information cannot be read or reconstructed;
destroy or erase electronic files or media containing consumer report
information so that the information cannot be read or reconstructed; or
conduct due diligence and hire a document destruction contractor to
dispose of material specifically identified as consumer report information
consistent with the Rule. Due diligence could include: reviewing an
independent audit of a disposal company’s operations and/or its compliance
with the Rule; obtaining information about the disposal company from
several references; requiring that the disposal company be certified by a
recognized trade association; or reviewing and evaluating the disposal
company’s information security policies or procedures.
Financial institutions
that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB)
Safeguards Rule, which requires institutions to take steps to protect
sensitive customer information, should incorporate practices dealing with
the proper disposal of consumer information into the information security
program that the Safeguards Rule requires. Information is available at
www.ftc.gov/privacy/privacyinitiatives/safeguards.html.
FACTA directed the FTC,
the Federal Reserve Board, the Office of the Comptroller of the Currency,
the Federal Deposit Insurance Corporation, the Office of Thrift
Supervision, the National Credit Union Administration, and the Securities
and Exchange Commission to adopt comparable and consistent rules regarding
the disposal of sensitive consumer report information. The FTC’s Disposal
Rule became effective June 1, 2005. It was published in the Federal
Register on November 24, 2004 [69 Fed Reg 68690], and is available at
www.ftc.gov/os/2004/11/041118disposalfrn.pdf.
The FTC has issued a new
publication, “New Rule Seeks to Protect Privacy by Requiring
Proper Disposal of Sensitive Consumer Information,” available at
www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm, to educate
businesses about the new requirements.
The FTC works for the
consumer to prevent fraudulent, deceptive, and unfair business practices
in the marketplace and to provide information to help consumers spot,
stop, and avoid them. To file a complaint in English or Spanish (bilingual
counselors are available to take complaints), or to get free information
on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP
(1-877-382-4357), or use the complaint form at
http://www.ftc.gov.
The FTC enters Internet, telemarketing, identity theft, and other
fraud-related complaints into Consumer Sentinel, a secure, online database
available to hundreds of civil and criminal law enforcement agencies in
the U.S. and abroad.
The source of this document is found here:
http://www.ftc.gov/opa/2005/06/disposal.htm. BackgroundsUSA makes every
effort to keep this document up-to-date, and current with present
legislative changes, but in the event that a discrepancy exists, the
parent document to be found at the URL listed above is to be considered
the prevailing document in the event of any kind of dispute that is
directly or indirectly related to FACTA.