Business Advice Daily

Reprint and Repost Policy

by Don V. Kelly

Thanks to the ever-growing problem of identity theft, businesses now have increased duties with respect to the disposal of “consumer information.” Fair and Accurate Credit Transaction Act (“FACTA”), FACTA appears as an amendment to the Fair Credit Reporting Act. One provision of FACTA required certain federal agencies to develop rules regarding how businesses dispose of consumer information. This past July the Federal Trade Commission’s rules implementing this provision went into effect. The rules require that any person that maintains or otherwise possesses consumer information for a business purpose, properly dispose of that information.

Note the following key points about the law.

* The law only applies when a business disposes of consumer information. The law does not require businesses to maintain or to dispose of such information.

* The law applies to all businesses regardless of size. Lending institutions are clearly the primary target of the new law. Again, however, the law applies to all businesses. Also significantly affected will be mortgage brokers, automobile dealers, landlords, employers, insurers and waste disposal companies.

* “Consumer information” is any information that is, or derived from, a consumer report, i.e., any personal information obtained to evaluate credit or insurance worthiness. Even if your business did not obtain such information directly, your business must comply with the law.

* Information that does not identify individuals, such as aggregate information and blind data, is not deemed “consumer information.”

* No disposal methods are specified. Instead, the rule requires “reasonable measures to protect against unauthorized access to or use of the information.” For large companies, this will no doubt require the establishment of formal disposal policies and procedures, as well appropriate employee training.

* In the case of computer embedded information, the FTC has indicated that smashing or wiping the computer hard drive may be required. (Note: Before smashing any hard drive, care should be taken so that occupational and environmental considerations are taken care of. Computer components are notorious for being filled with toxic materials.) In the case of documentary information, such materials will need to be shredded or destroyed.

* “Disposing” or “disposal” is defined as the discarding or abandonment of consumer information. “Disposal” also means the “sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.” Accordingly, any business seeking to donate computer equipment must abide the new law.

* If you use a disposal service to dispose of consumer information, the disposal service will also be subject to the law’s requirements. Additionally, you will need to ensure the disposal service is using reasonable disposal measures.

* Thankfully, the new law does not impose any specific reporting, record keeping or disclosure requirements.

Bookmark to: