FTC Consumer Information Disposal Rule
On June 1, 2005, a Federal Trade Commission (“FTC”) Rule became effective requiring businesses and individuals to implement reasonable measures when disposing of consumer information obtained from consumer reports. The Rule, enacted under the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”), is designed to reduce the risk of consumer fraud due to the improper disposal of sensitive consumer information.
Under the Rule, “consumer reports” are defined to include information “provided by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” “Consumer information” is any record about an individual that is, or is derived from, a consumer report, including compilations of such records. Information obtained directly from an individual does not constitute “consumer information” under the Rule. When businesses use consumer information, for example, to determine employment eligibility or to establish a consumer’s eligibility for credit, they are subject to the Rule.
A business or individual that collects consumer information must utilize “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” The FTC did not mandate a timeframe for businesses to dispose of consumer information. The FTC also did not specifically state what disposal measures must be taken but instead imposed a flexible “reasonableness” standard to account for the “sensitivity of the consumer information, the nature and size of the entity’s operations, the costs and benefits of different disposal methods, and relevant technological changes.” While there are no specific disposal requirements, the Rule does provide several examples of ways to dispose of consumer information, including burning, pulverizing or shredding of papers containing consumer information, the destruction or erasure of electronic media so that the information cannot be read or reconstructed, and the hiring of a disposal contractor after conducting due diligence on the contractor’s operations. The FTC also noted that “reasonable measures” would likely include the establishment of policies and procedures for disposal and employee training.
Failure to comply with the Rule can result in significant liability. Fines can be assessed up to $2,500 per violation.
Please contact us if you would like further information regarding the FTC’s regulation, development of policies and procedures for disposal of documents containing consumer information, or other issues concerning compliance with this new requirement.