The latest ruling by the Federal Trade Commission governing the 'Disposal of Consumer Report Information and Records,' also known as the Disposal Rule, came into effect on June 1, 2005, amending the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
Intended to help combat the wave of identity theft cases recently reaching U.S. courts, the Disposal Rule requires that when any individual or company holding "consumer information for a business purpose" disposes of such data, they do so in a way that prevents unauthorized persons from accessing and thereby misusing it. The FTC expects almost all businesses, from consumer reporting agencies to automobile dealers and attorneys, to be affected.
So what does that mean for your business? First, know exactly what the rule covers. "Consumer information" covers any details that could identify an individual, such as a social security number, phone number, or physical or e-mail address; in other words, information drawn or extrapolated from a consumer report. On the other hand, "information that does not identify individuals, such as aggregate information or blind data, is not covered by the definition of consumer information," according to supplemental information on the rule provided by the FTC.
If you have this data or regularly gather such information, you likely will also dispose of it at some point. That's where the law comes into the picture. When disposing of such data -- either by discarding it or by selling, donating, or transferring the medium in which the consumer information is stored -- FACTA says companies must take "reasonable measures" to protect it. Whether a company's disposal methods are "reasonable" depends on, among other things, how sensitive the information is, the nature and size of the company's operations, and the cost of various disposal methods.
Taking cues from the application of other security-related laws, lawyers and industry experts alike expect the courts' interpretation of the above phrases to be strict and advise companies to play it safe.
Companies found to be noncompliant could face an array of costs. Civil action suits could result in damage compensation, attorney fees, and even civil penalties of up to $1,000 per person affected, which swiftly add up when you consider that a single computer might contain 20,000 such violations. But the real burden of a lawsuit, according to Jeff Zellmer, vice president of sales for QSGI, a data-security firm based in Eagan, Minn., is that the FTC may require the company to perform a full IT security audit for several years thereafter, incurring staffing and other costs.
To comply with the Disposal Rule, companies should take a number of steps: