Beginning today, a new federal rule will require businesses and
individuals to take appropriate measures to dispose of sensitive information
derived from consumer reports. Any business or individual who uses a consumer
report for a business purpose is subject to the requirements of the Disposal
Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA),
which calls for the proper disposal of information in consumer reports and records
to protect against “unauthorized access to or use of the information.”
The standard for the proper disposal of information derived from a
consumer report is flexible, and allows the
organizations and individuals covered by the Rule to determine what measures
are reasonable based on the sensitivity of the information, the costs and
benefits of different disposal methods, and changes in technology. Although the
Disposal Rule applies to consumer reports and the information derived from
consumer reports, the FTC encourages those who dispose of any records
containing a consumer’s personal or financial information to take similar
protective measures.
The Rule applies to people and both large and small organizations that
use consumer reports, including: consumer reporting companies; lenders;
insurers; employers; landlords; government agencies; mortgage brokers, car
dealers; attorneys; private investigators; debt collectors; individuals who
pull consumer reports on prospective home employees, such as nannies or contractors;
and entities that maintain information in consumer reports as part of their
role as a service provider to other organizations covered by the Rule.
The Disposal Rule applies to consumer reports or information derived
from consumer reports. The Fair Credit Reporting Act defines the term consumer
report to include information obtained from a consumer reporting company that
is used – or expected to be used – in establishing a consumer’s eligibility for
credit, employment, or insurance, among other purposes. Examples of consumer
reports include credit reports, credit scores, reports businesses or
individuals receive with information relating to employment background, check
writing history, insurance claims, residential or tenant history, or medical history.
The Rule requires disposal practices that are reasonable and appropriate
to prevent the unauthorized access to – or use of – information in a consumer
report. For example, reasonable measures for disposing of consumer report
information could include establishing and complying with policies to: burn,
pulverize, or shred papers containing consumer report information so that the
information cannot be read or reconstructed; destroy or erase electronic files
or media containing consumer report information so that the information cannot
be read or reconstructed; or conduct due diligence and hire a document
destruction contractor to dispose of material specifically identified as
consumer report information consistent with the Rule. Due diligence could include:
reviewing an independent audit of a disposal company’s operations and/or its
compliance with the Rule; obtaining information about the disposal company from
several references; requiring that the disposal company be certified by a
recognized trade association; or reviewing and evaluating the disposal
company’s information security policies or procedures.
Financial institutions that are subject to both the
Disposal Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires
institutions to take steps to protect sensitive customer information, should
incorporate practices dealing with the proper disposal of consumer information
into the information security program that the Safeguards Rule requires. Information is
available at www.ftc.gov/privacy/privacyinitiatives/safeguards.html.
FACTA directed the FTC, the Federal Reserve Board, the
Office of the Comptroller of the Currency, the Federal Deposit Insurance
Corporation, the Office of Thrift Supervision, the National Credit Union
Administration, and the Securities and Exchange Commission to adopt comparable
and consistent rules regarding the disposal of sensitive consumer report
information. The FTC’s Disposal Rule became effective
The FTC has issued a new publication, “New Rule Seeks to Protect Privacy by Requiring Proper Disposal of
Sensitive Consumer Information,” available at www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm,
to educate businesses about the new requirements.
The FTC works for the consumer to prevent fraudulent, deceptive, and
unfair business practices in the marketplace and to provide information to help
consumers spot, stop, and avoid them. To file a complaint in English or Spanish
(bilingual counselors are available to take complaints), or to get free
information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP
(1-877-382-4357), or use the complaint form at http://www.ftc.gov.
The FTC enters Internet, telemarketing, identity theft, and other fraud-related
complaints into Consumer Sentinel, a secure, online database available to
hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
Media
Contact:
Jen
Schwartzman
Office of Public Affairs
202-326-2674
Staff
Contact:
Katherine
Armstrong
Bureau of Consumer Protection
202-326-3250
http://www.ftc.gov/opa/2005/06/disposal.shtm