New rule as of June 1
On June 1, 2005, the Federal Trade Commission’s (FTC) "Disposal Rule" went into effect thereby requiring virtually every business and private employer in the U.S. to dispose of sensitive personal and financial information in a certain manner. Enacted in furtherance of the Fair and Accurate Credit Transaction Act (FACT Act) of 2003, the Disposal Rule is another federal regulation geared towards curbing consumer fraud and identity theft.
The Disposal Rule requires any person or company that possesses or maintains "any record of any individual, whether in paper, electronic, or other form that is a consumer report (also known as a credit report) or is derived from a consumer report" to take "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
In essence, in order to comply with the Disposal Rule, your company must take the steps necessary to ensure that sensitive information is destroyed in a way that prevents someone from deciphering and identifying information including Social Security Numbers, driver’s license numbers, phone numbers, addresses, and e-mail addresses.
What does this mean? Fortunately, the rule provides some guidance and recommends that compliance with the rule can be achieved by (1) implementing policies and procedures that require shredding or other forms of destruction of documents and electronic media containing consumer information and, thereafter, monitoring compliance with those policies and procedures; or (2) contracting with a third party to properly dispose of consumer information and thereafter monitoring the third party’s performance.
"Consumer reports" are defined to include credit reports, credit scores, and reports which businesses and individuals receive that contain information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history. However, it is important to note that compliance with the Disposal Rule cannot be avoided simply because an employer may not know for certain that the consumer information came from a consumer report. The FTC has stated that an entity or person will typically know, or, at least, should know, when they possess sensitive personal information and thus, knowledge is not an element or a prerequisite to the duty to comply with the Disposal Rule. Accordingly, your company should comply with the Disposal Rule even if there is only a slight chance that your company may have sensitive consumer information on its books and records.
Who must comply with the rule?
The Disposal Rule applies to all employers, including persons who only employ people in their home such as nannies, gardeners, housekeepers, and so forth. Thus, every employer, whether an employer of one or 5,000 employees, must comply with the Disposal Rule and dispose of employee information in a responsible manner.
What should you have done by June 1, 2005?
To be in compliance, you should have adopted and implemented your own document destruction policies, and/or contracted with a document shredding company or other data destruction company and begun those services.
Why is compliance important?
Not only will you provide your employees and customers with the peace of mind that you are doing what you can to protect their confidential and personal information, thereby helping them fight against consumer fraud and identity theft, but you will also be protecting yourself and/or your company from liability. The liability exposure to your company can be substantial since the rule allows victims to recover actual damages by way of a private cause of action. Federal and state authorities may also bring legal enforcement actions. In addition to possibly exposing itself to private liability, your company can be subject to penalties for violating the rule. Specifically, the rule itself provides that a violator may be required to compensate any aggrieved party for actual damages, statutory damages up to $1,000 in punitive damages per violation, attorneys’ fees, and civil penalties up to $2,500. These penalties can add up quickly, since routine failure to provide safeguards and disposal mechanisms can subject employers and businesses to a class action suit. In such instances, the total penalties your company can face will be great since the rule does not provide a cap on the penalties and each individual violation results in a penalty. Given this possible exposure to substantial liability, it is certainly in your company’s best interest to assure that it is, and remains, in compliance with the Disposal Rule.
What should you do from here?
Immediately implement a policy for document and data destruction if you haven’t already done so.
Seek further guidance to ensure that the policy your company has or implements meets all the published criteria and to ensure that your company continues to remain in compliance.
If your company is a financial institution, incorporate your disposal rule with your Gramm-Leach-Bliley safeguards in a manner that enables your company to continue to protect sensitive customer information.
FTC Helpline 1-877-FTC-HELP (1-877-382-4357).
The final rule, which was published on November 24, 2004, in the Federal Register, 69 Fed. Reg. 68690, can be found at www.ftc.gov/os/2004/11/041118disposalfrn.pdf
Additional assistance and guidance may be found at the following: