Effective June 1, 2005, a new federal rule requires employers to take appropriate measures to dispose of sensitive information derived from consumer reports. The purpose of this new “Disposal Rule” is to reduce the risk of consumer fraud and identity theft created by the improper disposal of consumer information.
Any employer using a consumer report for a business purpose is subject to the requirements of the “Disposal Rule,” which was issued on November 18, 2004, by the Federal Trade Commission. 29 C.F.R. §§ 682.1 et seq. This Disposal Rule is one of several requirements mandated by the Fair & Accurate Credit Transactions Act (FACTA), which was enacted in December 2003.
The Disposal Rule broadly covers “any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report” and requires employers possessing or maintaining such information to take “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” 29 C.F.R. §§ 682.1(b), 682.3(a). The Fair Credit Reporting Act defines the term ‘consumer report’ to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. Examples of consumer reports include credit reports, credit scores, and reports that businesses or individuals receive containing information relating to employment background, check-writing history, insurance claims, residential or tenant history, or medical history.
The Disposal Rule does not require specific practices or timetables for disposal. Employers must use their discretion to establish and comply with reasonable and appropriate policies and practices to prevent the unauthorized access to, or use of, information in a consumer report. The Disposal Rule sets forth the following examples of reasonable measures for disposing of consumer report information. These examples, however, are not exclusive or exhaustive methods for compliance:
1. Implement and monitor compliance with policies to burn or shred papers containing consumer report information so that the information cannot be read or reconstructed;
2. Implement and monitor compliance with policies to destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
3. Hire a document destruction contractor to dispose of materials containing consumer report information – after conducting due diligence to confirm that the contractor complies with proper disposal requirements.
Liability for non-compliance with this rule can include actual damages or statutory damages up to $1,000, punitive damages, and attorneys’ fees and costs. If the Federal Trade Commission files an enforcement suit, the employer could be subject to additional civil penalties of up to $10,000 for each violation.
Employers obtaining records that qualify as a consumer report are advised to immediately implement a document destruction policy, if they have not already done so, and regularly monitor compliance with the requirements of the Disposal Rule. Any such document destruction policy should not only comply with the requirements of the Disposal Rule, but also satisfy the various document retention legal requirements that may be impacted.