Ladies and gentlemen: Start your paper shredders.
On June 1, 2005, the FTC's rule on the proper storage and disposal of certain "consumer information" goes into effect. This rule was issued by the FTC as part of its jurisdiction under the Fair and Accurate Credit Transactions Act, or FACTA.
The Basic FACTA
The FTC's latest FACTA rule requires any business "that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose" to "properly dispose of such information or compilation." Both FACTA and the new rule are supposed to cut down on the incidence of identity theft by, among other methods, restricting the ability of thieves to go "dumpster diving" for valuable consumer information contained in discarded business records.
If this is beginning to sound like one more confusing government regulation, you're right. But it may also be beneficial to consumers, assuming businesses learn how--and try--to comply.
One of the keys to understanding the new FACTA rule is to understand the meaning of the term "consumer information." Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.
What this "legal word play" really means is that if your business has or obtains any consumer credit reports, employee background reports or similar reports that have been prepared by an outside agency or company, then the FACTA disposal rules apply to those records.
But before you breathe a sigh of relief, remember that FACTA also covers any of your own company's records that are "derived" from a consumer credit report or employee background report. So if your company copies, uses or incorporates any information from a consumer credit report or employee background report that you obtained from an outside agency, then that report is also subject to FACTA disposal rules.
This "information derived from" rule apparently has no limit and can raise some interesting problems for businesses that handle a large amount of consumer information received from a variety of sources. As even the FTC acknowledges, businesses may not always know whether the information they receive was derived from a consumer report.
But, even if you don't know whether any information in one of your records was derived from a consumer report, FACTA will still hold your business responsible for proper storage and disposal of that record.
Given the confusing situation regarding which business records are covered by FACTA, perhaps the safest policy for businesses to adopt is to consider all their records containing consumer information to be part of their safe storage and disposal policy, even if not all their records technically fall under the definition of consumer information as defined by FACTA.
The Basic FACTA About Disposal
Presumably, most businesses are already properly storing their valuable business records. In fact, certain states, such as Georgia and Wisconsin, already have laws that require the proper disposal of records containing consumer information.
As to disposal, another key to FACTA compliance is to understand what constitutes "disposal" of any consumer information covered by FACTA.
In the good news/bad news department, the FACTA rule does not mandate specific disposal measures, and the proper disposal method can depend on the size and resources of the business.
For example, the FTC apparently approves of small businesses disposing of their paper records by using a paper shredder and disposing of their electronically stored records at almost no cost by simply smashing the material with a hammer.
Leaving aside the safety considerations of using legions of employees wielding hammers, sledgehammers and other heavy implements of destruction to smash CD-ROMs and hard drives, the FTC also indicates that it may be more appropriate for a business to engage in electronic wiping as opposed to "smashing" the electronic data contained on the hard drive of a computer.
The Basic FACTA About Reasonable Measures
We already know that both smashing and wiping can be reasonable measures of disposal of electronic data under certain circumstances. But what constitutes "reasonable measures" regarding the disposal of other data?
Again, the FTC provides no hard and fast rules. It does, however, indicate that "reasonable measures are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training."
Obviously, every business that may be subject to the new FACTA rules should develop its own internal policy regarding proper record keeping and disposal and may decide, as a result, to purchase a bevy of paper shredders and even a more limited supply of hammers (and, of course, safety goggles!).
Some businesses may opt to use the services of an outside document shredding company to help establish appropriate policies and to actually dispose of their paper records and other information.
If a business decides to outsource the disposal, then the business is still on the hook. The FACTA rules require the business to "take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer information at issue; notify the service provider such information is consumer information; and enter into a contract that requires the service provider to dispose of such information in accordance with the Rule."
In other words, even if a business outsources the disposal of its records, it has to be sure that it obtains a written contract with the disposal company that acknowledges that all the documents may contain consumer information and that the disposal company agrees to follow all of the FACTA rules.
The Basic FACTA About Liability
Now we get to the important part. Why should your business care about complying with the FACTA disposal rules?
FACTA disposal rules apply to any business that directly or indirectly has or uses "consumer information" regardless of the business's size or number of employees. Because FACTA can apply to every business, every business should want to keep its records safe and dispose of them properly. Just to add an extra incentive to ensure compliance, FACTA provides for a range of civil liabilities and penalties for noncompliance.
For example, a business that fails to comply with the FACTA rules can be liable for actual damages in a civil lawsuit brought by anyone whose identity is stolen as a result. And, for those businesses that love the thought of being a defendant in a class action lawsuit, FACTA allows class action lawsuits to be filed.
In order to be sure you'll comply with FACTA, prior to the new law's implementation on June 1, 2005, every business owner should ask themselves the following questions:
1. Is my business subject to the FACTA disposal rules? (Hint: The answer is either yes or, to be prudent, "I don't know, so to be on the safe side, I'll pretend I am.")
2. What are my current record storage and disposal policies and practices?
3. What do I need to change in my business's policies and practices to start complying with FACTA?
4. If I outsource the disposal function, how do I know the disposal contract and contractor are FACTA compliant?
To help you answer these and other questions, the FTC has the final version of its FACTA disposal rule posted online.