Employers Face Liability for Improper Disposal of Consumer Information

The Federal Trade Commission (FTC) estimates that twenty-four million Americans have experienced identity theft. To combat identity theft, President Bush signed the Fair and Accurate Credit Transactions Act of 2003 (FACTA) on December 4, 2003. This act requires the FTC and other federal agencies to issue regulations requiring any person who maintains or otherwise possesses consumer information derived from consumer reports to properly dispose of such information. The final FTC disposal rule, 16 C.F.R. Part 682, became effective on June 1, 2005.

These new rules apply to everyone, except the individual consumer who obtains her/his own consumer report. Lenders, landlords, insurers, mortgage brokers, and automobile dealers are covered. Any employer - regardless of industry or size - that possesses or maintains consumer information for a business purpose is covered by these rules.

The expansive definition of “consumer information” used in the Fair Credit Reporting Act (FCRA) applies to these new disposal rules. That is, any written or oral summary of someone’s general reputation, character, credit-worthiness, credit standing, personal characteristics, or lifestyle prepared or collected by a consumer reporting agency constitutes “consumer information.” Accordingly, any record about an individual, whether in paper, electronic, or other form, that qualifies as a consumer report under FCRA (or is derived from a consumer report), must be properly discarded. Note, however, that an employer’s own searches for background information on applicants or employees are not covered by FCRA. In general, employers and others covered by FACTA must now take all reasonable measures to protect against unauthorized access to, or use of, consumer information during or in connection with its disposal.

Some industries already follow similar disposal rules. Title V of the Gramm-Leach-Bliley Act requires financial institutions to take precautions to protect customer information. HIPAA obliges health care plans and providers to guard against unauthorized disclosure of personal information. State laws may address this issue. Under a 2003 California law, employers and others must disclose security breaches involving the personal data of any California resident; other states are considering similar laws. Additionally, a range of personal information laws remain in effect, each with its own particular record retention requirements (e.g., I-9 forms, payroll information).

Whereas the proposed FTC disposal rule would have covered any information that identified particular individuals, the final rule is narrower, expressly excluding aggregate information and blind data. 16 C.F.R. § 682.1(b). Neither the proposed nor the final rule specifies its own record retention period prior to disposal.

The FTC’s interpretative guidance contains interesting, even amusing, descriptions of reasonable disposal measures. Paper records, for example, may be shredded, burned, or pulverized as long as they cannot practicably be read or reconstructed. The FTC suggests that a paper shredder can be purchased for as little as $25. For the sale, donation, transfer, or other disposal of computer discs and hard drives with stored consumer information, the FTC recommends destruction or erasure by (1) “simply smashing the material with a hammer” and (2) overwriting or “wiping” data prior to disposal. Wiping tools, the FTC adds, “are widely available for under $25” or as free downloads on the Internet.

The final rule provides illustrative examples of “reasonable” disposal methods that, the FTC warns, are not safe harbors. Employers must determine “reasonableness” using four factors: (1) the sensitivity of the consumer information, (2) the nature and size of the company, (3) the costs and benefits of different disposal methods, and (4) technological changes.

What actions should employers take under this new final disposal rule?

· Establish security policies and procedures governing the disposal of consumer information.

· Educate and train their employees regularly on proper disposal procedures.

· Update and monitor compliance with their information security and disposal programs on a periodic basis.

· Carefully select outside companies for disposal contracts to ensure they are reputable and competent, and then monitor these companies’ compliance with those contracts.

Personal information may even be stolen by a company’s own employees. At one company, a computer assistance employee sold the passwords and access codes of 30,000 individuals to identity thieves. Employers should seriously consider whether they must acquire consumer information at all, and if so, they must limit access to those who absolutely need the data. On top of these dangers, some identity thieves have embedded employees within a company for the express purpose of stealing consumer information. Fortunately, employers can fight back with defenses such as background checks, heightened security, frequent employee monitoring and training, and nondisclosure agreements prohibiting the misuse of confidential information by employees allowed internal access to such information.

Identity theft is the fastest-growing crime in the United States. Identity thieves will do anything to gain access to confidential personal information, so employers who acquire such information must carefully protect it. Merely enacting data security policies and procedures is not enough to avoid liability; employers must also enforce such policies through outside audits and continuing compliance checks.

6/6/2005
Last modified at 7/8/2008 1:16 PM by Vaccaro, Amanda

Copyright © 2008 Nixon Peabody LLP. All rights reserved.