What You Need to Know about Disposing of Consumer Information
By: HARLEIGH E. BROWN
On December 18, 2007, the Federal Trade Commission (FTC) announced that it had settled its first case brought pursuant to the Disposal Rule—formally, the Disposal of Consumer Report Information and Records Rule, 16 C.F.R. Part 682, promulgated in 2005 under the Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108-159, 117 Stat. 1952. The Disposal Rule requires businesses and individuals that obtain consumer information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
What Information is Subject to the Disposal Rule?
“Consumer information” is broadly defined to include “any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report.” 16 C.F.R. Part 682.1(b). The definition of consumer information also includes compilations of such records. “Consumer report” has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681, and includes information obtained from a consumer reporting company and any reports received by an individual or business containing information related to an individual’s employment background, check-writing history, insurance claims, residential or tenant history, or medical history.
What are the Consequences of Noncompliance with the Disposal Rule?
According to the FTC’s complaint, an Illinois-based company failed to provide reasonable and appropriate security for consumers’ personal information when it disposed of records containing consumers’ personal information in and around an unsecured dumpster located near its office. (Copies of the FTC’s complaint and the press release announcing the case’s settlement can be found on the FTC’s Web site at www.ftc.gov.)
Under the terms of the settlement, the company alleged to be in violation agreed to the following:
- To pay a $50,000 civil penalty,
- To comply in the future with the Disposal Rule, the Safeguards Rule (the Standards for Safeguarding Consumer Information Rule, 16 CFR part 314) and the Privacy Rule (the Privacy of Consumer Financial Information Rule, 16 CFR part 313),
- To conduct biennial assessments of its security standards for a period of 10 years, using an independent third party, and
- To submit to compliance monitoring by the FTC.
In the press release announcing the settlement, FTC Chairman Deborah Platt Majoras said, “[e]very business, whether large or small, must take reasonable and appropriate measures to protect sensitive consumer information, from acquisition to disposal. This agency will continue to prosecute companies that fail to fulfill their legal responsibility to protect consumers’ personal information.”
What Measures Should a Company Take to Comply with the Disposal Rule?
In determining whether measures to protect against unauthorized access to or use of consumer information are reasonable under the Disposal Rule, the FTC has stated that it expects businesses to consider the following:
- The sensitivity of the consumer information,
- The nature and size of the entity’s operations,
- The costs and benefits of the different disposal methods, and
- Relevant technological changes.
The Commission has also noted that reasonable measures are likely to include the establishment of policies and procedures governing disposal, as well as employee training. (The initial notice of proposed rulemaking and the Disposal Rule were published in the Federal Register on April 20, 2004. 69 FR 21387.)
The Disposal Rule itself also provides examples of reasonable measures, including implementing and monitoring compliance with policies and procedures that require the destruction of consumer information stored in a paper or electronic format and/or entering into a contract with a third party engaged in the business of record destruction, after having conducted appropriate due diligence regarding the operations of such company.
The FTC has begun to enforce the Disposal Rule. This rule requires businesses or individuals that collect “consumer information” for a business purpose to dispose of such information in a safe and appropriate manner. Therefore, it is critical that such businesses and individuals establish appropriate record retention and destruction policies and implement procedures to ensure compliance with the Disposal Rule. Knowledgeable legal counsel can play an important role in assisting individuals and businesses in drafting and auditing such policies and procedures. If you would like assistance with reviewing your company’s policies and procedures, please call Harleigh Brown of Fredrikson & Byron at 612.492.7302.