FTC Regulations Require Business To Properly Dispose Of Employees’ Personal Information

On June 1, 2005, the Federal Trade Commission’s rules interpreting the Fair and Accurate Credit Transaction Act (FACTA) took effect. FACTA, in part, requires proper disposal of credit and “consumer” information. Congress included the proper disposal requirement to decrease the risk of consumer fraud, including the growing problem of identity theft, created by the improper disposal of consumer information.

The rules broadly affect any individual business entity, regardless of industry, size or number of employees, that “maintains or otherwise possesses consumer information for a business purpose.” Proper disposal of such information is required.

The most important thing for employers to be aware of is that the disposal rules cover records of virtually any information that is obtained from an outside agency for the purpose of an employment background check. According to both FACTA and the FTC rules, such “consumer information” includes any record about an individual, whether in paper, electronic or other form that is a consumer report or is derived from a consumer report. A “consumer report” includes any information obtained from a consumer reporting agency that is expected to play a role in establishing the individual’s eligibility for credit or employment, including continued employment. According to the FTC, this includes information in the public record. Additionally, businesses should be aware that any record that copies, uses or incorporates information from a credit or background report is likely covered under the law. However, information that does not identify individuals, such as aggregate or blind data, is not included in this definition.

A business that gathers this consumer information is required by FACTA to properly dispose of it. There is no set timeline; the law only requires that disposal, when undertaken, be done properly. The FTC has outlined a broad, flexible definition of how to “properly dispose” of sensitive records. The process entails taking “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” What measures are reasonable may depend on the size and resources of a business. Thus, the FTC does not direct a set method of disposal. Instead, the rules lay out a series of illustrative examples that involve destruction of both physical and electronic records. The FTC has suggested that businesses can destroy physical records with a shredder and destroy electronic information by smashing computers with a hammer, or perhaps more practically, by overwriting data with a wiping utility prior to disposal.

Noncompliance with FACTA invites a range of civil liabilities and penalties. Specifically, the act allows for victims of identity theft to sue a noncompliant business for actual damages and attorneys’ fees as well as class action lawsuits to enforce its provisions. Businesses should carefully review these new requirements and develop policies concerning the proper disposal of records containing consumer information to ensure they are not unwitting, liable accomplices to the spread of identity theft.