FTC Business Alert
Disposing of Consumer Report Information? New Rule Tells How
In an effort to protect the privacy of consumer information
and reduce the risk of fraud and identity theft, a new federal
rule is requiring businesses to take appropriate measures
to dispose of sensitive information derived from consumer
reports.
Any business or individual who uses a consumer report for
a business purpose is subject to the requirements of the Disposal
Rule. The Disposal Rule requires the proper disposal of information
in consumer reports and records to protect against “unauthorized
access to or use of the information.” The Federal Trade Commission,
the nation’s consumer protection agency, enforces the Disposal
Rule.
According to the FTC, the standard
for the proper disposal of information derived from a consumer
report is flexible, and allows the organizations and individuals
covered by the Rule to determine what measures are reasonable
based on the sensitivity of the information, the costs and
benefits of different disposal methods, and changes in technology.
Although the Disposal Rule applies to consumer reports and
the information derived from consumer reports, the FTC encourages
those who dispose of any records containing a consumer’s personal
or financial information to take similar protective measures.
Who must comply?
The Disposal Rule applies to people and to organizations, both
large and small, that use consumer reports. Among those who must
comply with the Disposal Rule are:
• Consumer reporting companies
• Lenders
• Insurers
• Employers
• Landlords
• Government agencies
• Mortgage brokers
• Automobile dealers
• Attorneys or private investigators
• Debt collectors
• Individuals who obtain a credit report on prospective nannies,
contractors, or tenants
• Entities that maintain information in consumer reports as
part of their role as service providers to other organizations
covered by the Rule
What information does the Disposal Rule cover?
The Disposal Rule applies to consumer reports or information
derived from consumer reports. The Fair Credit Reporting Act
defines the term consumer report to include information obtained
from a consumer reporting company that is used – or expected
to be used – in establishing a consumer’s eligibility for
credit, employment, or insurance, among other purposes. Credit
reports and credit scores are consumer reports. So are reports
businesses or individuals receive with information relating
to employment background, check writing history, insurance
claims, residential or tenant history, or medical history.
What is ‘proper’ disposal?
The Disposal Rule requires disposal practices that are reasonable
and appropriate to prevent the unauthorized access to – or
use of – information in a consumer report. For example, reasonable
measures for disposing of consumer report information could
include establishing and complying with policies to:
• burn, pulverize, or shred papers containing consumer report
information so that the information cannot be read or reconstructed;
• destroy or erase electronic files or media containing consumer
report information so that the information cannot be read
or reconstructed;
• conduct due diligence and hire a document destruction contractor
to dispose of material specifically identified as consumer
report information consistent with the Rule.
Due diligence could include:
~ Reviewing an independent audit of a disposal company’s operations
and/or its compliance with the Disposal Rule;
~ Obtaining information about the disposal company from several
references;
~ Requiring that the disposal company be certified by a recognized
trade association;
~ Reviewing and evaluating the disposal company’s information
security policies or procedures.
The FTC says that financial institutions that are subject
to both the Disposal Rule and the Gramm-Leach-Bliley (GLB)
Safeguards Rule should incorporate practices dealing with
the proper disposal of consumer information into the information
security program that the Safeguards Rule requires (ftc.gov/privacy/privacyinitiatives/safeguards.html).
The Fair and Accurate Credit
Transactions Act, which was enacted in 2003, directed the
FTC, the Federal Reserve Board, the Office of the Comptroller
of the Currency, the Federal Deposit Insurance Corporation,
the Office of Thrift Supervision, the National Credit Union
Administration, and the Securities and Exchange Commission
to adopt comparable and consistent rules regarding the disposal
of sensitive consumer report information. The FTC’s Disposal
Rule became effective June 1, 2005. It was published in the
Federal Register on November 24, 2004 [69 Fed. Reg. 68,690],
and is available at ftc.gov/os/2004/11/041118disposalfrn.pdf.
The FTC works for the consumer
to prevent fraudulent, deceptive and unfair business practices
in the marketplace and to provide information to help consumers
spot, stop, and avoid them. To file a complaint or to get
free information on consumer issues, visit www.ftc.gov
or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261.
The FTC enters Internet, telemarketing, identity theft, and
other fraud-related complaints into Consumer Sentinel, a secure, online
database available to hundreds of civil and criminal law enforcement
agencies in the U.S. and abroad.