The Fair and Accurate Credit Transactions Act (FACTA), affecting virtually every person and business in the United States, is designed to reduce the risk of consumer fraud and identity theft. The law is expansive in scope, covering 19 issues, most of which focus on ensuring proper credit reporting.
One provision in particular, however, is devoted solely to the proper disposal of consumer information. Irresponsible information disposal has been cited in numerous fraud cases. Identity thieves frequently collect a wealth of personal data by rooting through the trash – an activity commonly referred to as ‘dumpster diving.’
When FACTA became law in December of 2003, Congress mandated that the Federal Trade Commission (FTC) develop a disposal rule. The FTC codified its final rule in November of 2004. It defines consumer information as “a variety of personal identifiers beyond simply a person’s name…, including, but not limited to a social security number, driver’s license number, phone number, physical address, and e-mail address.”
Taking effect on June 1, 2005, the FTC’s FACTA disposal rule mandates that “any person who maintains or otherwise possesses consumer information for a business purpose” must properly destroy the discarded information. An organization must “dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
Reasonable measures as defined by FACTA are “burning, pulverizing, or shredding of papers containing consumer information” or entering into “a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule.”
Failure to comply with the FACTA law can result in substantial civil liability. Victims are entitled to recover the actual damages sustained as a result of a disposal rule violation and may also seek statutory damages of up to $1000 per violation; in class action lawsuits, statutory damages could run into the millions of dollars. Furthermore, federal and state authorities may bring legal enforcement actions for each violation of the rule.
Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule, a part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which calls for the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.”
The Rule applies to individuals and to organizations, both large and small, that use consumer reports, including: consumer reporting companies; lenders; insurers; employers; landlords; government agencies; mortgage brokers; car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the Rule.
The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history.
The Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to: burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed; destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed; or conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include: reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule; obtaining information about the disposal company from several references; requiring that the disposal company be certified by a recognized trade association; or reviewing and evaluating the disposal company’s information security policies or procedures.