
The Right Way to Throw It Away

A look at the FTC's guidelines on how to keep (and toss) sensitive customer information

Do you have a duty to dispose of physical records? How about electronic records? Some recent high-profile lawsuits have involved electronic discovery requests and the failure of companies to preserve records – or, in some cases, the failure to properly destroy records.

The reality is that in many instances, companies are faced with competing laws, policies, and interests when it comes to the retention or destruction of records. What is clear is that some companies and individuals have a legal obligation to destroy certain types of records that leave their possession – and can be held liable for failing to do so.

In my last column I discussed how the Texas Attorney General is enforcing state laws requiring the destruction of consumer records against five companies that failed to properly dispose of records. (See Putting Security in the Trash.)

Now let's talk about a federal law aimed at protecting the privacy of consumer information by ensuring the destruction of consumer data. In 2005, the Federal Trade Commission (FTC) enacted the Disposal Rule. That Rule is part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003, which updates portions of the Fair Credit Reporting Act (FCRA). Both laws regulate the handling of consumer data.

As of June 1, 2005, any business, large or small, that uses consumer reports is required to "properly dispose of consumer reports" and the information derived from them, using "reasonable measures." The Disposal Rule applies to any company that handles consumer information, including consumer reporting agencies, lenders, insurers, employers, landlords, mortgage brokers, car dealers, and other businesses.

A "consumer report" is defined as:

    any written, oral or other communication of any information by a consumer reporting agency that bears upon a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used or expected to be used... as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes or employment purposes; or any other permissible purpose.

The law applies to both physical and electronic records in any format, so it deals with erasing electronic data as well as disposing of paper records.

"Disposal" includes not only the discarding or abandoning of consumer information, but also the selling, donating, or transferring of any medium that stores the consumer data, including computer equipment.

To comply with the rule, your company must take "reasonable measures," implementing and monitoring policies and procedures that require the "burning, pulverizing, and shredding of papers containing consumer information, and the destruction or erasure of electronic media containing consumer information so the information cannot practicably be read or reconstructed."

Failure to comply with this rule can open a company to civil liability from both the FTC and the state attorneys general. Specifically, a violator may face statutory damages of up to $1,000 per violation, plus attorneys' fees, and civil penalties of up to $2,500.

The FTC has enforced this law in at least one instance. "The Matter of Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens" involved allegations of a company discarding information in an unsecured dumpster in violation of the Disposal Rule.

In the settlement, the company agreed to establish and maintain a comprehensive information security program, obtain an audit every two years for the next 20 years, and commit no future violations of the Safeguards Rule and Privacy Rule, as well as the FTC's Disposal Rule.

Unfortunately, the Disposal Rule leaves us with many unanswered procedural and policy-level questions. What does a company need to do when it returns a computer or hard drive that has crashed, but contains consumer report information? Should consumer report data be mobile? What are the implications of using third parties to conduct investigations involving consumer reports on a company’s liability?

The best strategy for large companies is to have a Chief Privacy Officer, whose job is to safeguard all personally identifiable information at every data touch point. However, every company can mitigate these risks by developing a plan for document and data destruction, conducting an assessment to identify the risks, implementing the plan along with employee education, and auditing to ensure the Disposal Rule is being followed.

For more information on the Disposal Rule, see the FTC Website.

— Dr. Chris Pierson is an attorney with the law firm of Lewis and Roca LLP. Special to Dark Reading
