Effective June 1, 2005 — Employers Must Comply With FTC Rule on Disposal of Consumer Report Information and Records

By Employment Law Practice Group

The Rule, 16 CFR Part 682, implements Section 216 of the Fair and Accurate Credit Transactions Act of 2003. It is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information. It applies to every person over which the Federal Trade Commission has jurisdiction that, for a business purpose, maintains or otherwise possesses consumer information. Thus any company, regardless of industry or size, that possesses or maintains consumer information for a business purpose is subject to the Rule. Obvious examples are consumer reporting agencies, lenders, insurers, employers, landlords, government agencies, mortgage bankers, automobile dealers and other users of consumer reports.

“Consumer information” is defined as any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. It also includes a compilation of such information. It does not include information that does not identify individuals, such as aggregate information or blind data.

The Rule defines “disposing” or “disposal” to include the discarding or abandonment of consumer information, as well as the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. Taking a flexible approach, the Rule does not mandate any specific disposal measures, but cites as examples: shredding or burning of paper records and smashing, overwriting or “wiping” of electronic media, such as computer disks or hard drives.

The Rule requires that “any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” Illustrative non-exclusive examples include implementing and monitoring compliance with policies and procedures that require:

  1. Burning, pulverizing or shredding of paper containing consumer information;
  2. Destruction or erasure of electronic media;
  3. After due diligence, entering into a contract with a party engaged in the business of record destruction for the disposal of material, specifically identified as consumer information, in a manner consistent with the Rule.

Persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6081, et seq., and the Federal Trade Commission’s Standards for Safeguarding Consumer Information, 16 C.F.R. Part 314 (the “Safeguard Rule”), must incorporate the proper disposal of consumer information as required by the Rule into the information security program required by the Safeguard Rule.
