In December 2003 Congress passed the Fair and Accurate Credit Transactions Act (“FACTA”). Among other things, FACTA is a federal law designed to reduce the risk of identity theft and consumer fraud arising from the improper disposal of consumer information. FACTA charged the Federal Trade Commission (FTC) with developing rules to implement that policy. The FTC issued its Disposal Rules in November 2004, and the rules went into effect on June 1, 2005. The following is a summary of the Disposal Rules and of the actions entities covered by the rules must take in order to be considered in compliance.
The scope of the Disposal Rules is quite broad. The Disposal Rules apply to any person that, for a business purpose, maintains or otherwise possesses consumer information. The Disposal Rules define consumer information to mean “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.”
“Dispose,” “disposing” or “disposal” means the discarding or abandonment of consumer information, or the sale, donation, or transfer of any medium, including computer equipment, on which consumer information is stored. That second half of the definition is what catches many small businesses: donating paper to charitable organizations, including schools, for reuse when the paper already has confidential information printed on one side is a disposal under the rules. Similarly, donating or selling old computers whose hard drives still hold recoverable consumer information can unwittingly create liability for the company.
If you or your company runs credit checks or background checks on prospective employees, or otherwise uses consumer information drawn from any type of consumer report, you or your company falls under the Disposal Rules. Any information taken from a consumer report is covered, regardless of the form in which you keep it.
The standard under the Disposal Rules is that any person must properly dispose of such consumer information by taking reasonable measures to protect against the unauthorized access to or use of the information in connection with its disposal.
A company may either perform such destruction measures itself or, “after due diligence,” may enter into a contract with a third party already engaged in the business of record destruction to perform the service, and then monitor that party’s compliance with the contract. In determining whether a particular vendor is suitable to perform the record destruction, due diligence can take a variety of information into account. You could review the vendor’s independent audit of its operations and/or its compliance with the federal rules on record destruction, obtain information about the vendor from several references or other reliable sources, confirm that a recognized trade association has certified the vendor’s records destruction program, personally review and evaluate the vendor’s information security policies and procedures, or take other appropriate steps to determine the competency and integrity of the potential disposal company.
In most instances, properly disposing of consumer information means shredding, pulverizing or burning paper records that contain consumer information or the consumer reports themselves, or destroying or erasing the electronic media that hold such data. The test in both cases is the same: after disposal, the information cannot practicably be read or reconstructed.
As to paper shredding, the simplest way for larger companies to comply with the Disposal Rules is to hire an outside shredding company. Once the material is identified as covered by the FACTA rules and handed over under a contract, the shredding company takes on its own obligations under the rules for what happens after the paper leaves your premises; your company, however, remains responsible for having selected the vendor with due diligence and for monitoring its compliance, so the contract and your vetting of the vendor should be documented. A sole proprietor or small company can use a paper shredder purchased from any local store and shred the consumer information themselves.
As for electronic data, sole proprietors and small companies can buy a software utility that erases the computer’s hard drive of all consumer information. Note that simply deleting files or reformatting a drive does not meet the standard, because the data remain recoverable; the drive must be overwritten, erased with the drive’s built-in secure-erase function, or physically destroyed, and the same applies to backup tapes and removable media that held the information. In larger companies, disposal of consumer information on electronic media should be the responsibility of the Information Technology department, which should record what was destroyed, how, and when.
If in doubt as to whether the consumer information you are disposing of falls under the Disposal Rules, it is always better to follow them. The Disposal Rules allow companies to be held liable if mishandling of consumer information leads to identity theft, and if a dispute arises, a company must be able to demonstrate what it did to destroy the information. A company that took reasonable measures in good faith, and can document them, is unlikely to face liability.
A willful violation of the Disposal Rules can result in liability for the consumer’s actual damages, or for statutory damages of not less than $100.00 and not more than $1,000.00 per violation, plus the costs of the action, including attorneys’ fees. Punitive damages are also available. Liability for a negligent violation is limited to the affected consumer’s actual damages plus the costs of the action, including attorneys’ fees. In addition, the Disposal Rules provide for administrative enforcement, which can include federal civil penalties of up to $2,500.00 per violation.
The Disposal Rules also expose companies to class action lawsuits. However, the real financial loss to a company can come from the damage done to its reputation. A great deal of bad publicity accompanies the theft of consumer information, and the eventual financial losses from a damaged reputation can be enormous. One need only look at ChoicePoint’s woes following the theft of consumer data from that company to understand the full extent of the possible losses.
The Disposal Rules do not change any existing law or requirement to maintain or destroy any records; they simply require that, when records are disposed of, the disposal be done properly. Every company should have retention schedules that mandate when its records must be securely destroyed. Moreover, every company should have training programs that inform employees, stress the importance of proper information destruction, and improve compliance with federal laws and regulations.