Businesses should evaluate whether the manner in which they dispose of consumer information is appropriate. Specifically, a new federal requirement governing proper disposal of consumer information, established under the Fair Credit Reporting Act ("FCRA"), as amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and its implementing regulations, suggests that businesses should examine whether their policies and procedures are sufficient.[1] The FTC and the Banking Agencies have issued final rules implementing this FCRA requirement. These rules are effective June 1, 2005, for those subject to the FTC's enforcement authority, and July 1, 2005, for those subject to the Banking Agencies' enforcement authority.
The new FCRA requirement applies to "Consumer Information," which is defined as any record, or compilation of records, about an individual in paper, electronic, or other form that is a consumer report or is derived from a consumer report. "Consumer Report," as defined under the FCRA, means any communication (written, oral, or other) of any information by a consumer reporting agency bearing on a consumer's creditworthiness, character, general reputation, personal characteristics, or mode of living, which is used or expected to be used in connection with determining the consumer's eligibility for credit or insurance or for employment purposes. Because background check reports fall within this definition, any organization that runs background checks on its employees or customers will likely have to comply with these new rules. Consumer Information does not include information that does not identify an individual, such as aggregate information or blind data.
The FTC's rule will require businesses to properly dispose of Consumer Information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The FTC's rule provides examples of reasonable measures that an organization can take to protect information when it is being disposed of, such as requiring the burning, pulverizing, or shredding of papers containing Consumer Information, and requiring the destruction or erasure of electronic media containing Consumer Information so that the information cannot practicably be read or reconstructed.
In addition, the Banking Agencies' rules amend the Banking Agencies' Interagency Guidelines Establishing Security Standards ("Guidelines"), promulgated pursuant to the Gramm-Leach-Bliley Act, and the Banking Agencies' regulations implementing the FCRA. They will require a financial institution covered by the Guidelines to implement controls designed to ensure the proper disposal of Consumer Information and customer information in accordance with the existing standards set forth in the Guidelines. The amendments to the Guidelines generally require a financial institution to properly dispose of Consumer Information derived from a consumer report in a manner consistent with the financial institution's existing obligations under the Guidelines to properly dispose of customer information.
The obligation to properly dispose of Consumer Information extends to third-party service providers who dispose of Consumer Information on behalf of a business. Thus, a business cannot "outsource" its obligations under the new regulations; it must perform due diligence on any third-party disposal company, obtain that company's agreement to follow the FCRA requirement, and monitor the company's compliance.
The FCRA imposes penalties for failure to comply with the statute's requirements, including this new disposal requirement. A business that fails to comply with the disposal requirement may be subject to civil liability for willful noncompliance or negligent noncompliance, which could result in the recovery of actual damages (up to $1,000 per violation), punitive damages, and court costs and attorney fees. In addition, a business that fails to comply with the disposal requirement may be subject to administrative enforcement, including fines of up to $2,500 per violation where the FTC is responsible for enforcement.
Practical Suggestions:
Given that these rules go into effect in a few weeks, businesses that handle Consumer Information should:
- Review their policies and procedures with respect to record retention and deletion to determine whether those policies require that Consumer Information be disposed of in a manner consistent with the new regulations;
- If the business does not have a record retention and deletion policy, consider adopting such a policy;
- Once a record retention and deletion policy that complies with the new regulations is in place, train employees to ensure that they are aware of and will follow the policy; and
- Implement a periodic audit program to confirm that employees and service providers are abiding by the policy.
Footnotes:
[1] The FCRA, as amended by the FACT Act, required certain federal agencies, including the Federal Trade Commission ("FTC") and the federal banking agencies ("Banking Agencies"), to promulgate regulations with respect to the entities subject to their respective enforcement authority requiring "any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business to properly dispose of any such information or compilation."