Shred it, burn it, erase it, or face the consequences
Nearly 10 million people were victims of identity theft last year, according to the Federal Trade Commission (FTC). To curb this problem, the FTC, as part of its jurisdiction under the Fair and Accurate Credit Transactions Act (FACTA), recently issued a new rule on the proper storage and disposal of consumer information.
Effective June 1, the new Rule requires every business, regardless of size, to destroy any consumer credit information it has obtained from credit reports or employee background reports.
The Rule applies not only to paper records, but also to information found on computers and other electronic media, such as CD-ROMs, PDAs and floppy disks. The Rule does not mandate specific methods of disposal, but leaves it within the discretion of individual companies to determine appropriate disposal methods.
Who is covered?
The disposal Rule provides that: “Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
The Rule sweeps broadly and will apply to a range of businesses. The Rule defines a “person” as someone “who maintains … consumer information for a business purpose.” This is an extraordinarily broad definition, which in turn leads to the Rule being applicable to a number of businesses. According to the FTC, “entities across almost every industry could potentially be subject to the rule.” In addition to consumer reporting agencies and lenders, the Rule could affect employers, insurers, landlords, law firms, mortgage brokers, automobile dealers and utility companies, among others. In short, if you are in business and are the recipient of any consumer information, the Rule applies to you.
What must be destroyed and how?
The type of consumer information that must be destroyed includes “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.”
The FTC has stated that the Rule does not apply to information unless it mentions particular consumers and contains personal identifiers, such as Social Security numbers.
The Rule also applies to “compilations” of consumer information. While the term “compilations” is not defined, the Rule does not apply to “information that does not identify individuals, such as aggregate information or blind data.” In sum, large lists that include consumer names are covered, while marketing data that is not individual-specific is not.
Under the Rule, disposal includes “discarding or abandonment of consumer information” or “the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.” This term, too, was given a very broad definition, placing the burden on individual companies to determine what disposal methods are appropriate to comply with the Rule.
For those businesses to which the Rule applies, the FTC has made clear that compliance with the Rule is “likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.” Thus, businesses must take affirmative steps to establish internal disposal policies, educate employees about those policies, and properly dispose of all covered information.
Special consideration must also be given to consumer information stored on computers, as the Rule applies with equal weight to such records. The Rule requires companies to destroy or completely erase electronic media. In addition to hard drives, CD-ROMs and floppy disks, information contained in PDAs, such as Palm Pilots, is also covered. Electronic media may be physically destroyed by smashing the equipment, or the information may be “wiped” from the machine.
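The point behind “wiping” is that simply deleting a file removes only its directory entry; the bytes stay on the medium until something overwrites them. The following is an added example, not part of the article and not an FTC-prescribed method, showing one way to overwrite a file in place before removing it (the same idea as the coreutils `shred` utility). It assumes a filesystem that rewrites blocks in place on magnetic media; on SSDs, copy-on-write or journaling filesystems the old blocks can survive an in-place overwrite, so a device-level secure erase or physical destruction is the safer choice there. The consumer record it wipes is a constructed placeholder.

```python
import os
import tempfile

CHUNK = 1 << 16  # overwrite in 64 KiB chunks so large files never load into memory


def overwrite_and_delete(path: str, passes: int = 3) -> dict:
    """Overwrite every byte of `path` in place, then unlink it.

    `passes` random-data passes are followed by one all-zeros pass, and each
    pass is fsync'd so the writes reach the device before the name is removed.
    Assumption: the filesystem rewrites blocks in place (not copy-on-write)
    and the medium is not an SSD with wear levelling; otherwise old copies of
    the data may remain and this function cannot reach them.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:  # unbuffered raw file I/O
        for pass_no in range(passes + 1):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                # random data for the first `passes` passes, zeros for the last
                buf = os.urandom(n) if pass_no < passes else b"\x00" * n
                written = fh.write(buf)
                remaining -= written
            os.fsync(fh.fileno())  # force the pass to the device
        fh.seek(0)
        residue = fh.read()  # what the file's bytes look like after wiping
    os.unlink(path)  # only now remove the directory entry
    return {
        "bytes_overwritten": size * (passes + 1),
        "residue_is_zero": residue == b"\x00" * size,
        "exists_after": os.path.exists(path),
    }


def demo(passes: int = 2) -> dict:
    """Create a temp file holding a constructed (fake) consumer record, wipe it,
    and return the report so the result can be checked."""
    record = b"name=Jane Doe;ssn=000-00-0000;score=700\n"  # constructed sample, not real data
    fd, path = tempfile.mkstemp(prefix="consumer_record_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    report = overwrite_and_delete(path, passes=passes)
    report["record_len"] = len(record)
    return report


if __name__ == "__main__":
    print(demo())
```

Run it as a script and the report shows the record's length, the total bytes overwritten across all passes, that the final contents were all zeros, and that the file no longer exists. A disposal policy would pair a step like this with an inventory of where covered records live (including backups and retired hardware), since a wipe only helps on media you know about.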
Penalties for noncompliance
For those businesses that do not comply with the Rule, the penalties can be severe. Penalties for “willful noncompliance” with the Rule include actual damages, or damages of not less than $100 and not more than $1,000 per violation, plus costs of the action, including attorney fees. Punitive damages are also available.
Individuals and companies that are found negligent for failing to comply with the Rule would be liable to each affected consumer. In addition, the Rule provides for administrative enforcement, which could include federal fines of up to $2,500 per violation and/or state fines of up to $1,000 per violation. Businesses could also be subject to class actions.
Given the reliance placed on credit reports and employee background checks, a great number of businesses will have to comply with FACTA. For most businesses, simple vigilance and a paper shredder will avoid any potential liability.
When in doubt, businesses should dispose of information as soon as there is no longer a business need for it, but it is important that documents related to “reasonably anticipated litigation or government investigation” are not destroyed. You should contact your legal counsel with any questions or concerns you may have.
Jason Eckerly is an associate with the TC law offices of Dingeman, Dancer & Christopherson, PLC. His practice focuses on commercial litigation and business transactions; 929-0500 or firstname.lastname@example.org.
This article is for informational purposes only. It is not intended to give legal advice for particular situations or subjects.