Privacy and Information Security Group News
FTC Issues Final Ruling
The Federal Trade Commission has recently issued a final ruling (the “Disposal Rule”) which implements a new requirement imposed by the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act” or “Act”). The Act significantly amended the Fair Credit Reporting Act (“FCRA”), and includes a provision with respect to disposal of consumer report information and records that affects businesses in a broad array of industries.
Many of the amendments to the FCRA are in response to the escalation of consumer fraud and identity theft. In an attempt to further limit access to consumers' personal information, the FACT Act imposes a new requirement on persons who, for a business purpose, possess or maintain consumer information derived from consumer reports. The Act requires that any person in possession of consumer information properly dispose of any such information, and directs the FTC to issue a rule that provides guidance for compliance with this requirement.
The FTC’s response is called the Disposal Rule. It is effective June 1, 2005 and applies to “any person that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.” The breadth of companies to which the Disposal Rule is applicable is greater than that of the Gramm-Leach-Bliley Act (GLB Act). The GLB Act’s applicability is limited to providers of financial services, as that term is defined in the GLB Act, while the Disposal Rule applies to the universe of companies that have employees, since any such company maintains consumer information on each of its employees. It is likely that such information has been derived from a consumer report on that employee. Those companies that are already subject to the requirements of the GLB Act and the GLBA Safeguards Rule (which covers records disposal) should have minimal additional cost of compliance. However, it must be noted that the scope of customer information covered by the Safeguards Rule is different from the scope of consumer information covered by the Disposal Rule.
“Consumer Information” includes any record about an individual in any form that is a consumer report or is derived from a consumer report, and includes a compilation of such records. This does not include information that does not identify an individual, such as aggregate information or blind data. The Safeguards Rule defines “Customer Information” as any record containing nonpublic personal information, without reference to its source, which the FTC believes is a narrower definition than that included in the Disposal Rule. However, the FTC believes the substantive requirements of the two Rules for disposal of customer information are consistent, by incorporating flexible, risk-based standards that require reasonable measures to protect against unauthorized access. Furthermore, for those organizations subject to the Safeguards Rule, incorporation of the requirements of the Disposal Rule into their information security programs constitutes compliance with the Disposal Rule.
The Disposal Rule requires that persons dispose of consumer information by taking “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal,” and includes five examples to illustrate what it means by “reasonable measures.”
The Disposal Rule also provides that it is not to be construed to alter or affect any other record maintenance or disposal requirements to which a business is subject.