What FACTA's Latest Disposal Rule Means for Businesses
BY Matthew Phan
The latest ruling by the Federal Trade Commission governing the 'Disposal of Consumer Report Information and Records,' also known as the Disposal Rule, came into effect on June 1, 2005, amending the Fair and Accurate Credit Transaction Act (FACTA) of 2003.
Intended to help combat the wave of identity theft cases recently reaching U.S. courts, the Disposal Rule requires that when any individual or company holding "consumer information for a business purpose" disposes of such data, they do so in a way that prevents unauthorized persons from accessing and thereby misusing it. The FTC expects almost all businesses, from consumer reporting agencies to automobile dealers or attorneys, to be affected.
So what does that mean for your business? First, know exactly what the rule covers.
"Consumer information" covers any details that could identify an individual, such as social security number, phone number, physical or e-mail address; in other words, information drawn or extrapolated from a consumer report. On the other hand, "information that does not identify individuals, such as aggregate information or blind data, is not covered by the definition of consumer information," according to supplemental information on the rule provided by the FTC.
If you have this data or regularly gather such information, you likely will also dispose of it at some point. That's where the law comes into the picture. When disposing of such data -- either by discarding it or by selling, donating, or transferring the medium in which the consumer information is stored -- FACTA says companies must take "reasonable measures" to protect it. Whether a company's disposal methods are "reasonable" depends on, among other things, how sensitive the information is, the nature and size of the company's operations, and the cost of various disposal methods.
Taking cues from the application of other security-related laws, lawyers and industry experts alike expect the courts' interpretation of the above phrases to be strict and advise companies to play it safe.
Companies found noncompliant could face an array of costs. Civil action suits could result in damage compensation, attorney fees, and even civil penalties of up to $1,000 per person affected, which swiftly add up when you consider that a single computer might contain 20,000 such violations. But the real burden of a lawsuit, according to Jeff Zellmer, vice president of sales for QSGI, a data-security firm based in Eagan, Minn., is that the FTC may require the company to perform a full IT security audit for several years thereafter, incurring staffing and other costs.
To comply with the Disposal Rule, companies should take a number of steps:
Take an audit: Determine where consumer information may reside. "You need to know whether the records are physical or electronic, as well as who has access to it physically," says Steven Hastert, vice president of operations at DataGuard USA, a data security firm based in Denver, Colo., asserting that 70% of fraud in the U.S. remains internal. Potential culprits are often in the human resource, marketing, and accounting departments.
Define a disposal strategy: According to FACTA, paper documents ought to be shredded, while electronic data must either be erased or the hardware containing the data destroyed. Various methods exist for the latter option -- while the most common is to use an industrial shredder, some drive screwdrivers through their hard drives or throw them in salt water.
Zellmer himself advocates using erasure software to perform a three-pass overwrite of hard drives, which would comply with the U.S. Department of Defense 5220.22-M standard. Reformatting the hard drive is insufficient, because it merely removes the pointers that indicate where the data resides on the drive but does not remove the data itself, Zellmer says. A one-pass overwrite similarly leaves traces of data that an expert can retrieve.
Depending on the size of the hard drive, erasure may cost two to three times more per drive than industrial shredding. Still, Zellmer argues, shredding produces industrial waste, which costs money to dispose of, while erasure may allow the company to recoup costs by donating, reselling, or trading in the hard drive.
Document the process: While Hastert feels that physically destroying the drive is more secure, he and Zellmer agree that the most important safeguard is to document the disposal process.
"Instead of letting vendors pick up the PCs and then not knowing what happens to them, you want comprehensive, unimpeachable documentation," Zellmer says. He believes the company should then keep the disposal records for seven years, mirroring the length of time companies must store audit documents under Sarbanes-Oxley, as good business practice. Hastert echoes, "It's always good to have something in hand when the FTC commissioner calls you up."
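To make Zellmer's two points concrete (a reformat only clears pointers, while a verified multi-pass overwrite removes the data, and the disposal should be documented), here is an added simulation that is not part of the article or either firm's tooling. It uses a constructed in-memory disk image with a hypothetical directory region and a constructed sample record; the three-pass sequence (fixed byte, its complement, random, then verify) is the commonly cited DoD 5220.22-M pattern, and the disposal record fields are the author's assumption of what an auditor would want kept.

```python
"""Simulated disk image: a 'directory' region followed by data blocks.
Constructed sample; real erasure tools operate on block devices, not files."""
import hashlib
import secrets
import time

BLOCK = 512
DIR_BLOCKS = 2  # hypothetical layout: the first two blocks hold the directory table
RECORD = b"SSN:123-45-6789;NAME:Jane Doe;EMAIL:jane@example.com"  # constructed sample

def make_image(n_blocks: int = 16) -> bytearray:
    """Build a toy image: a directory entry in block 0 points at the record in block 5."""
    img = bytearray(BLOCK * n_blocks)
    img[0:32] = b"ENTRY customer.txt @5".ljust(32, b"\0")
    img[5 * BLOCK:5 * BLOCK + len(RECORD)] = RECORD
    return img

def quick_format(img: bytearray) -> None:
    """Mimic a quick reformat: only the directory (pointer) region is cleared."""
    img[0:DIR_BLOCKS * BLOCK] = bytes(DIR_BLOCKS * BLOCK)

def data_recoverable(img: bytes) -> bool:
    """Forensic-style check: scan the raw blocks without consulting the directory."""
    return RECORD in bytes(img)

def three_pass_overwrite(img: bytearray) -> bool:
    """Fixed byte, complement, random, then verify that the final pass landed."""
    for fill in (b"\x00", b"\xff", None):
        if fill is None:
            last = secrets.token_bytes(len(img))
            img[:] = last
        else:
            img[:] = fill * len(img)
    return bytes(img) == last

def disposal_record(drive_id: str, img: bytes, verified: bool) -> dict:
    """Evidence to retain: which drive, which method, whether verification passed, post-wipe digest."""
    return {
        "drive": drive_id,
        "method": "3-pass overwrite (0x00, 0xFF, random) + verify",
        "verified": verified,
        "post_wipe_sha256": hashlib.sha256(img).hexdigest(),
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }

def demo() -> tuple:
    """Returns (recoverable after reformat, recoverable after overwrite, disposal record)."""
    img = make_image()
    quick_format(img)
    after_format = data_recoverable(img)   # True: the record survives a reformat
    verified = three_pass_overwrite(img)
    after_wipe = data_recoverable(img)     # False: nothing left for a scan to find
    return after_format, after_wipe, disposal_record("SN-EXAMPLE-0001", img, verified)
```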