informa

The Right Way to Throw It Away

A look at the FTC's guidelines on how to keep (and toss) sensitive customer information

Do you have a duty to dispose of physical records? How about electronic records? Some recent high-profile lawsuits have involved electronic discovery requests and the failure of companies to preserve records – or, in some cases, the failure to properly destroy records.

The reality is that in many instances, companies are faced with competing laws, policies, and interests when it comes to the retention or destruction of records. What is clear is that some companies and individuals have a legal obligation to destroy certain types of records that leave their possession – and can be held liable for failing to do so.

In my last column I discussed how the Texas Attorney General is enforcing state laws requiring the destruction of consumer records against five companies that failed to properly dispose of records. (See Putting Security in the Trash.)

Now let's talk about a federal law aimed at protecting the privacy of consumer information by ensuring the destruction of consumer data. In 2005, the Federal Trade Commission (FTC) enacted the Disposal Rule. That Rule is part of the Fair and Accurate Credit Transactions Act (FACTA) of 2003, which updates portions of the Fair Credit Reporting Act (FCRA). Both laws regulate the handling of consumer data.

As of June 1, 2005, any business, large or small, that uses consumer reports is required to "properly dispose of consumer reports" and the information derived from them, using "reasonable measures." The Disposal Rule applies to any company that handles consumer information, including consumer reporting agencies, lenders, insurers, employers, landlords, mortgage brokers, car dealers, and other businesses.

A "consumer report" is defined as:

    any written, oral or other communication of any information by a consumer reporting agency that bears upon a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living, which is used or expected to be used... as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes or employment purposes; or any other permissible purpose.

The law applies to both physical and electronic records in any format, so it deals with erasing electronic data as well as disposing of paper records.

"Disposal" includes not only the discarding or abandoning of consumer information, but also the selling, donating, or transferring of any medium that stores the consumer data, including computer equipment.

To comply with the rule, your company must take "reasonable measures," implementing and monitoring policies and procedures that require the "burning, pulverizing, and shredding of papers containing consumer information, and the destruction or erasure of electronic media containing consumer information so the information cannot practicably be read or reconstructed."

Failure to comply with this rule can open a company to civil liability from both the FTC and the state attorney generals. Specifically, a violator may face statutory damages of up to $1,000 per violation, plus attorneys’ fees, and civil penalties of up to $2,500.

The FTC has enforced this law in at least one instance. "The Matter of Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens" involved allegations of a company discarding information in an unsecured dumpster in violation of the Disposal Rule.

In the settlement, the company agreed to establish and maintain a comprehensive information security program, obtain an audit every two years for the next 20 years, anc commit no future violations of the Safeguards Rule and Privacy Rule, as well as the FTC’s Disposal Rule.

Unfortunately, the Disposal Rule leaves us with many unanswered procedural and policy-level questions. What does a company need to do when it returns a computer or hard drive that has crashed, but contains consumer report information? Should consumer report data be mobile? What are the implications of using third parties to conduct investigations involving consumer reports on a company’s liability?

The best strategy for large companies is to have a Chief Privacy Officer, whose job is to safeguard all personally identifiable information at all data touch points. However, every company can mitigate these risks by developing a plan for document and data destruction, conducting an assessment to identify the risks, implementing the plan and employee education, and auditing to ensure the Disposal Rule is being followed.

For more information on the Disposal Rule, see the FTC Website.

— Dr. Chris Pierson is an attorney with the law firm of Lewis and Roca LLP. Special to Dark Reading

Editors' Choice
Elizabeth Montalbano, Contributor, Dark Reading