Since June 1, 2005, companies have been required to properly dispose of consumer information derived from consumer reports, in order to comply with new obligations under the regulations that implement the Fair and Accurate Credit Transactions Act of 2003 (the "FACT Act"). The purpose of the Rule is to reduce the risk of identity theft and other harm resulting from the improper disposal of a consumer report, or of records derived from a consumer report. The Rule applies to any entity over which the FTC has jurisdiction that, for a business purpose, maintains or possesses such consumer report information.

Executive summary

Section 216 of FACTA requires any entity that possesses or maintains "consumer information", or any compilation of information derived from consumer reports, to properly dispose of that information or compilation. The new rule, published as 16 CFR Part 682, defines the requirements for the proper disposal of these records. The Rule requires covered entities to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The disposal standard is flexible: it allows companies to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and relevant changes in technology over time. The Rule includes specific examples of appropriate measures that would satisfy its disposal standard.

What is protected?

The Rule protects "consumer information": any record about an individual, whether in paper, electronic or other form, that is a consumer report, is derived from a consumer report, or is a compilation of such records.
A "consumer report" is any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used as a factor in establishing the consumer's eligibility for credit or insurance, employment, or any other permissible purpose authorized under the Fair Credit Reporting Act, for example, in connection with an investment or a business transaction. Information that does not identify an individual, such as aggregate data or blind data, is not covered by the new disposal rule.

Who is affected?

The Rule applies to any entity that maintains or possesses consumer information derived from consumer reports for a business purpose. In addition to consumer reporting agencies, this would include, for example, lenders or investors, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, and other businesses that use consumer reports.

When does the Rule apply?

The new rule requires companies to take reasonable measures to protect consumer information in connection with the disposal of records. "Disposal" includes:
Reasonable disposal measures are required

The Rule requires entities that possess or maintain consumer information to take "reasonable measures" to properly dispose of such information, in order to protect the information from unauthorized access or use after its disposal. The Rule does not define "reasonable", but allows entities to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and relevant changes in technology over time.

The Rule provides several examples of what would constitute "reasonable measures." These examples are illustrative and intended as guidance only.

1. Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers so that the information cannot practicably be read or reconstructed;

2. Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media so that the information cannot practicably be read or reconstructed;

3. Using the services of a third party who is engaged in the business of record destruction to dispose of the material, provided that the company:

a. Conducts due diligence, which would include:
b. Notifies the service provider that the information is "consumer information" protected under this Rule;

c. Enters into a contract that requires the service provider to dispose of the information in accordance with the Rule;

d. Monitors compliance with the contract.

Service providers are covered as well

Along with the record holder, service providers bear responsibility for the proper disposal of the protected information that they maintain or possess. They must implement and monitor compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information. The Rule suggests that these entities should use, for example, the measures listed in #1 and #2 above.

Entities subject to the Gramm-Leach-Bliley Act are exempt from this Rule, and must instead comply with the Security Safeguards that were enacted under the GLBA.
New Requirements for the Disposal of Consumer Information and Records
By Francoise Gilbert
© 2005 IT Law Group – All Rights Reserved