FTC "Disposal Rule" Regarding Consumer Reports
Effective June 1, 2005, the FTC's new "Disposal Rule" requires businesses to "properly dispose" of consumer reports when discarding such information.
Below are key points about the Rule, and attached is a business alert published by the FTC. More info is available at ftc.gov under Fair Credit Reporting Act (see FACT Act Disposal Rule).
NOTE: The Rule DOES NOT impose obligations regarding how long such information must be maintained or whether/when it must be destroyed. To the contrary, the Rule and the statute it implements (the Fair and Accurate Credit Transactions Act) explicitly state that "nothing in this [rule / section] shall be construed: (a) to require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or (b) to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record." The Rule also DOES NOT require a business to use a disposal company, but that approach is one option among others described as reasonable if consumer information is discarded (see examples discussed below).
The Rule (16 CFR Part 682) governs "consumer information," a term that means a consumer report (as defined in the FCRA), a record derived from a consumer report, or a compilation of such information, whether in paper, electronic, or other form. Background reports purchased by employers from consumer reporting agencies fall within this definition.
The essence of the Rule is a one-sentence reasonableness standard, as follows:
"Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." 16 CFR Section 682.3(a).
Examples. After stating the above standard, the Rule gives examples which are "illustrative only and are not exclusive or exhaustive methods for complying with this rule." 16 CFR 682.3(b). The three examples most relevant for employers provide as follows:
"(1) implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
(2) implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
(3) after due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company."
The FTC has stated that the Rule is intended to be flexible and non-costly, especially for small businesses.
Bottom line for employers: If the company intends to dispose of consumer reports (i.e. discard or abandon them) or intends to sell, donate, or transfer any material (including computer equipment) which contains such information, the company should at least adopt one of the examples listed above and should consider additional measures to enhance the security of the disposal process. Potential remedies for violations of the FCRA include civil penalties up to $2500 per violation and civil suits for damages and, in some cases, punitive damages.