The “FACT Act” Disposal Rule – requiring employers to destroy or erase consumer information before discarding documents and equipment that contain the information – takes effect June 1, 2005.
The Rule, promulgated by the Federal Trade Commission on November 24, 2004, requires that “persons” (using the term loosely to include individuals and businesses) who maintain or possess consumer information for business purposes properly dispose of such information.
It is important to note that the Rule does not require that any particular record be kept or disposed of – it says only that, if and when records containing consumer information are disposed of, they must be disposed of in a manner set forth in the Rule.
“Consumer information” is any record about an individual, regardless of form, that is a “consumer report” or “derived from a consumer report” as that term is used in the Fair Credit Reporting Act. This would include individually identifiable information obtained in a background or credit check.
“Proper disposal” means “taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” For example, an employee’s credit report should not be tossed in the wastebasket, and an old computer containing consumer information should not be sold or donated to charity unless the hard drive has been purged.
The Rule does not require any specific method of destruction, but it requires some method that results in information “that cannot practicably be read or reconstructed” and provides some examples:
- Implementing (if not already in place) a policy of burning, pulverizing, shredding, or otherwise obliterating paper records, as well as a policy of obliterating such records that are maintained electronically.
- Monitoring compliance with such policies.
- Entering into a contractual relationship with a third-party document- or data-destruction company, and monitoring its compliance.
It is also important to note that “disposal” includes, not only “the discarding or abandonment of consumer information,” but also “the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.”
As a practical matter, this Rule will cover most employers, provided that they obtain consumer information on applicants and employees. The Rule defines “consumer information” as “any record about an individual . . . that is a consumer report or is derived from a consumer report.” It does not include aggregate or other data that does not contain individually identifiable information.
The Rule was implemented to protect individuals against identity theft and related misuse of consumer information. Several states, including California, already have similar rules in place.
Persons already covered by the Gramm-Leach-Bliley Act (generally, providers of financial services) and the FTC’s Standards for Safeguarding Customer Information will have relatively minimal additional compliance obligations.
If you have questions about compliance with the FACT Act disposal requirements, contact the Constangy attorney of your choice.
CONSTANGY, BROOKS & SMITH, LLC