New Regulation on Consumer Information and Records Disposal Now in Effect
A new regulation that took effect on June 1 may require changes in the way that employers dispose of certain personnel records.
The Federal Trade Commission’s (FTC’s) final rule regarding the proper disposal of consumer report information and records under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) amendments to the Fair Credit Reporting Act (FCRA) imposes a new requirement that anyone who “maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose properly dispose of any such information or compilation.” The purpose of the so-called Disposal Rule is to reduce the risk of identity theft and other consumer harm from improper disposal of a consumer report or any record derived from one.
The term "consumer report" includes a written, oral, or other communication of information about a person's credit, character, general reputation, personal characteristics, or mode of living that was prepared or collected by a consumer reporting agency. Common examples in the employment context include employee or applicant background checks and employee misconduct investigations performed by third parties. The requirements do not apply if the employer conducts its own search for background information. Also not covered is information that does not identify individuals, such as aggregate information or blind data.
The new regulation requires that covered entities “take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” The standard for disposal is vague to allow entities to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and relevant changes in technology over time. The rule includes specific examples of measures that would satisfy the standard. The most relevant of the listed examples are:
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed;
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed; and
(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule.
The rule states that it should not be construed (a) to require the maintenance or destruction of any record about a consumer that is not imposed by another law, or (b) to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record. Therefore, personnel documents retained by employers that are not covered by the new rule, such as payroll information, tax forms, and I-9 forms, are not affected and should be retained as otherwise required by law.
The FTC has released a new publication to educate businesses about the new requirements.