Businesses should evaluate whether the manner in which they dispose of consumer information is appropriate. Specifically, a new federal requirement governing proper disposal of consumer information, established under the Fair Credit Reporting Act ("FCRA"), as amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), and implementing regulations, suggests that businesses should examine whether their policies and procedures are sufficient. The FTC and the Banking Agencies have issued final rules implementing this FCRA requirement. These rules are effective June 1, 2005, for those subject to the FTC’s enforcement authority, and July 1, 2005, for those subject to the Banking Agencies’ enforcement authority.
The new FCRA requirement applies to "Consumer Information," which is defined as any record, or compilation of records, about an individual in paper, electronic, or other form that is a consumer report or is derived from a consumer report. "Consumer Report," as defined under the FCRA, means any communication (written, oral, or other) of any information by a consumer reporting agency bearing on a consumer’s creditworthiness, character, general reputation, personal characteristics, or mode of living, which is used or expected to be used in connection with determining the consumer’s eligibility for credit or insurance or for employment purposes. Consumer Information does not include information that does not identify an individual, such as aggregate information or blind data. That means that any organization that runs background checks on its employees or customers likely will have to comply with these new rules.
The FTC’s rule will require businesses to properly dispose of Consumer Information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. The FTC’s rule provides examples of reasonable measures that an organization can take to protect information when it is being disposed of, such as requiring the burning, pulverizing, or shredding of papers containing Consumer Information, and requiring the destruction or erasure of electronic media containing Consumer Information so that the information cannot practicably be read or reconstructed.
In addition, the Banking Agencies’ rules, which amend the Banking Agencies’ Interagency Guidelines Establishing Security Standards ("Guidelines"), promulgated pursuant to the Gramm-Leach-Bliley Act, and the Banking Agencies’ regulations implementing the FCRA, will require a financial institution covered by the Guidelines to implement controls designed to ensure the proper disposal of Consumer Information and customer information in accordance with the existing standards set forth in the Guidelines. The amendments to the Guidelines generally require a financial institution to properly dispose of Consumer Information derived from a consumer report, in a manner consistent with the financial institution’s existing obligations under the Guidelines to properly dispose of customer information.
The obligation to dispose of Consumer Information extends to third-party service providers who dispose of Consumer Information on behalf of a business. Thus, a business cannot "outsource" its obligations under the new regulations and must ensure that a third-party disposal company agrees to follow the FCRA requirement.
The FCRA imposes penalties for failure to comply with the statute’s requirements, including this new disposal requirement. A business that fails to comply with the disposal requirement may be subject to civil liability for willful noncompliance or negligent noncompliance, which could result in the recovery of actual damages (up to $1,000 per violation), punitive damages, and court costs and attorney fees. In addition, a business that fails to comply with the disposal requirement may be subject to administrative enforcement, including fines of up to $2,500 per violation where the FTC is responsible for enforcement.
Given that these rules go into effect in a few weeks, businesses that handle Consumer Information should:
©1996-2019 Morrison & Foerster LLP. All rights reserved.