3220 M Street

Sacramento, CA 95816

Telephone:  (916) 492-6555

Facsimile:    (916) 492-6556

www.theisonlawgroup.com

©2007 The Ison Law Group

 

Effective June 1: FTC Rule Requires Proper Disposal of Information from Consumer Reports

Effective June 1, 2005, new Federal Trade Commission (FTC) regulations under the Fair and Accurate Credit Transactions Act (FACTA) require all employers to take "reasonable measures" to properly dispose of documents that contain consumer information possessed for a business purpose.

The intent behind the legislation is to address the problem of identity theft. Statistics show that identity theft is the fastest-growing crime in the United States. Personal information, such as credit information or social security numbers, has been stolen from trash bins and other trash containers.

Regulations Allow For Flexibility

The new regulations specifically state that, "any person that maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with the disposal."

Consumer information includes any record about an individual, whether in electronic, paper or other form, that is a consumer report or any compilation of such information.

For example, if you obtain a consumer report on a job applicant, your company must destroy the consumer report when disposing of it.

Under the regulations, the "reasonable measures" standard is meant to be flexible. The regulations do not mandate specific procedures for discarding the information. The FTC wanted to give businesses, especially small businesses, the leeway to make decisions that would fit their particular business needs.

To determine if a company is taking reasonable measures, the FTC indicated that it anticipated businesses would consider the sensitivity of the information, the costs and benefits of different disposal methods, relevant technological changes, and the nature and size of the entity's operations.

This rule applies to the physical discard of consumer information as well as data stored on a computer that is to be donated or transferred to another party.

The following are some examples given by the regulations:

  • Burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practically be read or reconstructed.
  • Destroying or erasing electronic media containing consumer information so that the information cannot practically be read or reconstructed.

Shredding is probably the most popular method of disposal. Many shredding services will provide the employer a certificate stating that the employer has disposed of information in a manner that is compliant with FACTA.

Again, however, it is up to the individual business to decide how to properly dispose of the information. It is critical that the business ensure that no one can read, gain access to, or use the information from the consumer report when it is disposed of.

Stiff Penalties for Failure to Properly Dispose

Under the regulations, an aggrieved party can recover actual damages and attorneys' fees from his or her employer for all damages incurred from identity theft. An employer can also be liable for statutory damages of up to $1,000 per employee. In addition, the FTC can fine an employer up to $2,500 for each violation. States can further fine employers up to $1,000 for each violation.

Recommendations for Employers:

The following are some suggestions from the FTC:

  1. Implement policies requiring the burning, pulverizing, or shredding of consumer information so that information cannot be read or reconstructed, and monitor compliance with such policies;
  2. Implement and monitor compliance with a similar policy addressing the destruction or erasure of electronic media containing consumer information; or
  3. Contract with a party who in effect engages in the business of properly disposing of consumer information.

If your company decides to contract with a third party for disposal, the FTC recommends that you undertake due diligence before selecting a vendor. There have been reported instances of so-called document disposal companies actually being fronts for people who took the documents and illegally used the consumer information from them instead of properly disposing of them. Due diligence would include checking references, requiring the company to be certified by a recognized trade association, and reviewing an independent audit of the disposal company's operations.

Employers should immediately take the following steps:

  • Institute an office-wide process for separating print and other media containing consumer information from regular office trash.
  • Determine which method of disposal best fits your business needs. Purchase a shredder or research vendors that can properly dispose of the documents for you. Talk to your computer services technicians about the best method for disposing of electronic information.
  • Inform all employees who handle consumer information of the new regulations and the need to comply.