Greenberg Traurig, LLP
 

GT Alert

New FTC Rule Requires Proper Disposal of Consumer Information

June 2005



Effective June 1, 2005, any person or entity who maintains or otherwise possesses “consumer information” for a business purpose must comply with the Federal Trade Commission’s (“FTC”) new “Disposal Rule.” The Disposal Rule requires that the “consumer information” be properly disposed of to protect against unauthorized access to or use of the information, in a further effort to combat identity theft and other forms of consumer fraud.

The FTC implemented the Disposal Rule to comply with the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”). The FACT Act requires that the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, Securities and Exchange Commission, and FTC coordinate efforts in adopting consistent and comparable rules governing the proper disposal of consumer report information and records.

The FACT Act amends the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., by imposing a new “disposal requirement.” The FACT Act and the FTC’s Disposal Rule do not create any new reporting or record keeping obligations, nor do they create any new obligation to either maintain or destroy any consumer records. Rather, they apply solely to the disposal of the covered information when a decision has been made to dispose of it.

What is “consumer information”?

The “consumer information” protected by the Disposal Rule is defined as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.” It also includes compilations of such records, but does not include information that does not identify individuals, e.g., blind data or aggregated information. Precisely what pieces of information do and do not identify individuals is not subject to a rigid definition, however. Identifying information could include such data as a person’s name, social security number, driver’s license number, phone number, physical address, and email address. However, depending upon the specific circumstances, some data that standing alone would not identify an individual could identify her when present in combination with other data, and in that case the combined data would be protected “consumer information.”

To whom does the Disposal Rule apply?

The FTC’s Disposal Rule applies to all persons and entities over whom the FTC has jurisdiction, regardless of company size or industry, and will be enforced by the FTC. To the extent that these persons and entities maintain or otherwise possess “consumer information” for a business purpose, they must comply with the new Disposal Rule. The FTC construes the phrase “for a business purpose” very broadly to include all business reasons for which a person may possess or maintain “consumer information,” and in essence covers anyone possessing such information other than the individual consumer who possesses her own credit report or file information. For example, the Disposal Rule applies to consumer reporting agencies, lenders, insurers, employers, landlords, utility companies, telecommunications companies, government agencies, mortgage brokers, automobile dealers, private investigators, and other users of consumer reports.

What are “reasonable measures” for disposal?

Covered persons and entities are required to “take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” “Disposal” includes discarding or abandoning the “consumer information,” as well as the sale, donation, or transfer of any medium (including computer equipment) that contains “consumer information.” In determining what constitutes a “reasonable measure,” the FTC advises covered persons and entities to consider: (1) the sensitivity of the “consumer information” involved; (2) the nature and size of the entity’s operations; (3) the costs and benefits of different disposal methods; and (4) relevant technological changes. In assessing whether disposal methods are reasonable, the FTC advises that the sensitivity of the specific consumer information at issue should be considered. Disposal methods that are reasonable for one type of information may not be reasonable under different circumstances with more sensitive consumer information. Burning, pulverizing, or shredding papers containing “consumer information” so that the information cannot as a practical matter be read or reconstructed are examples offered by the FTC as reasonable methods of disposal.

The FTC anticipates that “reasonable measures” will very likely require the presence or establishment of policies and procedures governing disposal of “consumer information,” as well as appropriate employee training. Therefore, in addition to ensuring that it has appropriate disposal methods in place, a covered entity should implement, to the extent they do not already exist, specific policies and procedures governing the disposal of “consumer information.” In addition, covered entities must monitor compliance with these policies and ensure that all employees are aware of and adequately trained with respect to these policies. The FTC believes that many businesses, large and small, already have adequate programs in place that comply with the Disposal Rule, simply due to sound business practices or in compliance with other legal requirements.

In light of this flexible “reasonable measures” standard and the factors identified by the FTC in assessing what is reasonable, it is clear that the FTC does not anticipate that the same disposal methods will necessarily be applicable for both large and small businesses. The FTC notes that, for example, shredding or burning paper records containing “consumer information” will generally be appropriate and should not impose an undue burden on small businesses. Larger businesses, however, may want to hire a document disposal service to handle disposal. With respect to “consumer information” stored on electronic media, the FTC suggests that a small business might reasonably dispose of that information by simply smashing computer discs with a hammer. The FTC further notes that in some circumstances appropriate disposal may also be accomplished through overwriting or “wiping” the electronic data prior to disposal of a hard drive or other storage media. However, whether “wiping” as opposed to the destruction of electronic media is reasonable, as well as the adequacy of the wiping technology used, will depend on the specific circumstances.

Some may think that the FTC’s Disposal Rule does not provide enough guidance as to what constitutes acceptable disposal because the FTC describes its “reasonable measures” standard as a flexible one. The disposal examples offered by the FTC are expressly stated to be “illustrative only,” and are not “safe harbors” nor are they the exclusive or exhaustive methods for complying with the Disposal Rule. The FTC notes that there are “few foolproof methods of records destruction” and advises that each person or entity covered by the Disposal Rule “must consider their own unique circumstances.” The flexibility of the FTC’s “reasonable measures” standard reflects the FTC’s view that there is not a “one size fits all” approach.

If a record owner uses a third party for disposal of documents and records, the record owner is expected to: (1) take reasonable steps to ensure that the third party is capable of properly disposing of “consumer information”; (2) notify the third party that it is receiving “consumer information”; and (3) enter into a contract with the third party that requires it to dispose of the “consumer information” in a way that complies with the Disposal Rule.

The Disposal Rule versus the Gramm-Leach-Bliley Act’s Safeguards Rule

The Disposal Rule does overlap somewhat with the FTC’s “Safeguards Rule” that applies to financial institutions pursuant to the Gramm-Leach-Bliley Act (“GLBA”), but the two rules are largely intended to cover different sets of entities. For purposes of this Alert, it is sufficient to be aware that the definitions of “customer information” protected by the Safeguards Rule and “consumer information” protected by the Disposal Rule are not identical. Two examples of the differing scopes are offered by the FTC: (1) a consumer rejected for a loan from a financial institution because of information in her credit report is not considered a “customer” under the GLBA so the Safeguards Rule would not apply to disposal of her credit report, but her credit report would be “consumer information” covered by the Disposal Rule; and (2) credit reports obtained by employers about current or prospective employees are not “customer information” under the GLBA but are “consumer information” covered by the Disposal Rule.

“I didn’t know” is not an acceptable excuse

Finally, it is important to note that knowledge that one possesses “consumer information” is not a prerequisite to the duty to comply with the Disposal Rule. However, the FTC believes that in most cases covered entities will or should know if they possess “consumer information.” With respect to credit reports, because they may be used only for the specific purpose for which they were obtained, the obtaining person or entity should clearly know that they possess a credit report. In situations where “consumer information” is transferred to a service provider or shared between affiliates pursuant to legally permissible methods, the FTC expects that the recipients of the information will know when they are receiving “consumer information.” The FTC offers as an example of a “reasonable measure” identifying “consumer information” as such when transferring it to a service provider or affiliate. Entities that possess “consumer information” should clearly identify it as such when transferring it to another entity and call the recipient’s attention to the need to comply with the Disposal Rule when disposing of the information.

 

This Alert was written by Ruth Bahe-Jachna in the Chicago office. Please contact Ms. Bahe-Jachna at 312.456.8400 or your Greenberg Traurig liaison if you have any questions regarding the subject matter of this Alert.

© 2005 Greenberg Traurig



This GT ALERT is issued for informational purposes only and is not intended to be construed or used as general legal advice. Greenberg Traurig attorneys provide practical, result-oriented strategies and solutions tailored to meet our clients’ individual legal needs.