Privacy and Security

FTC Attempts to Curb “Dumpster Diving” with New Rule on Disposal of Confidential Personal Information

By Robert A. Blackstone and Rebecca Shapiro Cohen
[June 2005]

In the midst of mounting concerns over consumer privacy and identity theft, a new Federal Trade Commission (FTC) rule dealing with the proper disposal of certain kinds of confidential, personal information went into effect on June 1, 2005. Any business organization that ever disposes of what is usually confidential personal information about employees, applicants, customers, etc. should be aware of the requirements of this new FTC rule. Although this rule does not require businesses to retain or dispose of such information, it does provide suggested procedures to follow when disposal does occur, such as “burning, pulverizing, or shredding.”

The new rule applies to the destruction of “Consumer Information,” defined as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.” 16 C.F.R. 682.1(b).

The term “Consumer Report” has the same definition found in the Fair Credit Reporting Act (FCRA), and generally refers to background and credit information about individuals:

‘Consumer report’ means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for — (a) credit or insurance to be used primarily for personal, family, or household purposes; (b) employment purposes; or (c) any other purpose authorized under section 1681b of this title. 15 U.S.C. § 1681 (d)(1).

The new rule does not obligate covered entities to maintain Consumer Information for a specified period of time, or require the disposal of Consumer Information at a certain time or in a specific manner. It does require that any “person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” 16 C.F.R. 683.3(a) (emphasis added). The term “dispose” is defined to include both “(1) the discarding or abandonment of consumer information; or (2) the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.” 16 C.F.R. 682.1(c). Accordingly, the new rule specifically applies to the disposal of computer equipment on which Consumer Information is or was stored. Businesses should therefore ensure that all Consumer Information is removed from discarded or donated computers with hard drives prior to disposal.


What are “Reasonable Measures”?

While the new FTC rule does not specify which methods of disposal will meet the “reasonable measures” standard, it does provide helpful examples, including:

(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.

(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.

(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule… 16 C.F.R. 682.3(b).

Where applicable, the “reasonable measures” standard also is satisfied by compliance with the Gramm-Leach-Bliley Act or the FTC’s Standards for Safeguarding Customer Information (“Safeguards Rule”). 16 C.F.R. 682.3(b)(5). Businesses already subject to other specific state or federal obligations concerning the disposal of “Consumer Information” presumably also will meet the “reasonable measures” standard.

The same is true for employers subject to state laws governing the disposal of confidential personnel information, such as the requirement under Washington law that employers destroy “personal financial and health information and personal identification numbers issued by government entities” (a broader definition than that covered by the new FTC rule) when “disposing of records [they] will no longer retain.” RCW 19.215 et seq.

Further examples of “reasonable measures,” as well as more detailed information about the new rule, can be found at the FTC’s website: http://www.ftc.gov/opa/2004/11/factadisposal.htm.


Impact of the New Rule/Penalties

The new FTC rule will impact numerous businesses, including employers, lenders, landlords, insurers, and mortgage brokers, to name a few. Employers, for example, are now required to take “reasonable measures” to properly destroy applicant information obtained from a “consumer report,” even for applicants who are not ultimately offered employment or hired. Although the new FTC rule does not require the disposal of such information, when “Consumer Information” is destroyed, proper precautions must be in place.

All covered businesses that deal with Consumer Information should make sure to familiarize themselves with the new rule, as non-compliance could lead to civil penalties of up to $2,500 per violation, or to civil liability to the consumer(s) whose Consumer Information was not properly handled. 15 U.S.C. §§ 1681(n), (o), and (s).


Contact Information

Robert A. Blackstone
Seattle, Washington
(206) 622-3150
bobblackstone@dwt.com

This Advisory is a publication of the Privacy and Security Group of Davis Wright Tremaine LLP. Our purpose in publishing this Advisory is to inform our clients and friends of recent privacy and security developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright © 2005, Davis Wright Tremaine LLP.
