Volume 9: The FACTA, and Nothing but the FACTA

As part of an ongoing effort to combat identity theft and other forms of consumer fraud, the US Congress passed The Fair and Accurate Credit Transactions Act of 2003 ("FACTA") in December of 2003. FACTA called for the Federal Trade Commission ("FTC") and other federal agencies to issue rules to govern the disposal of consumer credit information.

The FTC's final rule, which will become effective June 1, 2005, creates new and broader responsibilities for companies that use or handle consumer credit information. It is important to understand the obligations the new rule may create for your business and the penalties for non-compliance.

The FTC's new rule, implemented to support FACTA, is intended to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information. Under the new rule, any person who maintains or handles consumer information for a business purpose must properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information.

"As with any law, the key to understanding the obligations it imposes is found in the definitions of the key terms," said Orietta Murdock, Senior HR Generalist, G&A Partners, a Houston-based Administrative and HR Services company that helps its clients understand and comply with state and federal regulations like this one. "In this case, it is important to understand what constitutes a person, what is included in consumer information, what constitutes disposal, and what are considered reasonable measures."

What is a person?
The FTC rule covers "any person that possesses or maintains consumer information other than an individual consumer who has obtained his or her own consumer report or file disclosure."

"Because it is impossible to identify every industry that may handle consumer information, businesses across almost every industry are potentially subject to the rule," said Murdock.

Some examples include consumer reporting agencies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, utility companies, telecommunications companies, and others. Records management and disposal industries, together with the record owner, also bear responsibility for proper disposal of consumer information they maintain or handle for their clients.

What is consumer information?
Under the new FTC rule, consumer information is defined as "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report." This would include "information that results in whole or in part from manipulation of information taken from a consumer report, and information that has been combined with other types of information."

"The rule is limited to information that identifies particular individuals, however this could clearly include personal identifiers beyond simply a person's name," said Murdock. "In fact, one could argue that an individual's social security number, driver's license number, phone number, physical address, e-mail address, or any combination of these could be more damaging if they were to fall into the wrong hands."

What constitutes disposal?
Given that every business that touches consumer information will soon be responsible for properly disposing of it, a reasonable question is "what constitutes disposal?"

In addition to the routine disposal or destruction of consumer records or information, the rule also includes in its definition of disposal the "abandonment of consumer information" as well as the "sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored."

"Businesses not only have to consider implementing document retention and destruction policies, but also policies and procedures to determine how they will dispose of computer equipment or other media where an employee's, customer's, or client's consumer information may be stored," said Murdock.

The FTC does not specify a particular disposal method, so it will most likely depend on a company's resources. And in fact, the FTC suggests that smaller companies could dispose of paper records using an inexpensive paper shredder and dispose of electronic media "at almost no cost by simply smashing the material with a hammer."

Finally, the rule also requires companies to protect against unauthorized access to or use of consumer information in connection with its disposal both during and after the disposal process.

"Essentially, businesses not only have to consider their processes and procedures, but also the personnel they employ to implement them," said Murdock. "Employers can not risk having a less-than-honorable employee responsible for the disposal of consumer information if there is a chance he or she would allow the information to be used improperly."

What are reasonable measures?
In addition to knowing who and what are governed by the new FTC rule, companies must also understand what are considered to be reasonable measures.

The FTC intentionally left the language of the rule vague, recognizing that "there are few foolproof methods of records destruction and that entities covered by the Rule must consider their own unique circumstances when determining how best to comply with the Rule."

"Rather than impose strict guidelines, the FTC offers some examples of accepted methods of document destruction, including burning or shredding of papers and destroying or erasing electronic media," said Murdock.

Since many businesses hire service companies to assist with the disposal of documents, some of which may include consumer information, the FTC offers that the record owner must "take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer information at issue; notify the service provider that such information is consumer information; and enter into a contract that requires the service provider to dispose of such information in accordance with this Rule."

Failure to Comply
"Companies that fail to comply with the FTC's new rule, whether willfully or negligently, could be subject to fines or penalties," said Murdock. "As a matter of sound business practice, businesses should put in place policies and procedures to govern how they will dispose of documents and train their employees to properly handle and dispose of consumer information."

For more information about FACTA and the FTC's rule governing the disposal of consumer information or for assistance in developing company policies and procedures, feel free to contact Orietta Murdock at 713.784.1811, or via email at omurdock@gnapartners.com.

© 2012 G&A Partners. All Rights Reserved.