September 2005
Identity theft adds to businesses' regulatory burden
The FTC’s new Disposal Rule requires businesses to properly dispose of individuals’ credit, financial and other information
In an effort to protect the privacy of
consumer information and reduce the risk of fraud and identity theft, the
Federal Trade Commission has issued the “Disposal Rule,” which requires
businesses to take appropriate measures to dispose of sensitive
information derived from consumer reports.
Any business or individual who uses a
consumer report for a business purpose is subject to the requirements of
the Disposal Rule, which went into effect June 1, 2005. The Rule requires
the proper disposal of information in consumer reports and records to
protect against “unauthorized access to or use of the information.”
According to the FTC, the standard for the
“proper disposal” of information derived from a consumer report is
flexible and allows the parties covered by the Rule to determine what
measures are reasonable based on the sensitivity of the information, the
costs and benefits of different disposal methods, and changes in
technology. Although the Rule applies to consumer reports and the
information derived from consumer reports, the FTC encourages those who
dispose of any records containing a consumer’s personal or financial
information to take similar protective measures.
Who must comply? The Disposal Rule
applies to individuals and to organizations, both large and small, that use
consumer reports. Among those who must comply with the Rule are:
- consumer reporting companies
- lenders
- insurers
- employers
- landlords
- government agencies
- mortgage brokers
- automobile dealers
- attorneys
- private investigators
- debt collectors
- individuals who obtain a credit report on prospective nannies, contractors or tenants
- entities that maintain information in consumer reports as part of their role as service providers to organizations covered by the Rule.
What does the Disposal Rule cover?
The Disposal Rule applies to consumer reports or information derived from
consumer reports. The Fair Credit Reporting Act defines the term “consumer
report” to include information obtained from a consumer reporting company
that is used – or expected to be used – in establishing a consumer’s
eligibility for credit, employment, insurance and certain other purposes.
Credit reports and credit scores are consumer reports, as are reports
containing information relating to employment background, check-writing
history, insurance claims, residential or tenant history, or medical
history.
What is ‘proper’ disposal? The
Disposal Rule requires disposal practices that are reasonable and
appropriate to prevent the unauthorized access to – or use of –
information in a consumer report. For example, reasonable measures for
disposing of consumer report information could include establishing and
complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed; and
- conduct due diligence and hire a document destruction contractor to dispose of material identified as consumer report information consistent with the Rule.
“Due diligence” could include: reviewing an
independent audit of a disposal company’s operations and/or its compliance
with the Rule; obtaining information about the disposal company from
several references; requiring that the disposal company be certified by a
recognized trade association; and/or reviewing and evaluating the disposal
company’s information security policies or procedures.
Recommendations. Failure to obey the
Disposal Rule could result in penalties for rules violations and damages
owed to aggrieved consumers. Any person or organization that possesses
consumer information should:
- document sound security policies and procedures governing the disposal of consumer information;
- educate employees on proper disposal procedures and practices;
- when using outside companies to dispose of consumer information, select the disposal company with care and document that a rigorous review of the company’s credentials was performed prior to hiring them; and
- closely monitor compliance (both internally and by third-party service providers) and make changes to established procedures when necessary.
Based in Mesa, Arizona, and serving closely held businesses in the East Valley,
the Phoenix area and throughout Arizona, Schmidt Westergard & Company, PLLC, is
an independent full-service tax, audit, accounting and business advisory firm
focusing on the middle market.