Employer Obligations Under the FTC/FACT Act Disposal Rules
While everyone was taking time away from the office to hang out at the beach this summer, new regulations went into effect requiring disposal of confidential information. The rule applies to organizations that use consumer reports. The Federal Trade Commission (FTC) defines a consumer report as:
"including information obtained from a consumer reporting company that is used - or expected to be used - in establishing a consumer's eligibility for credit, employment, or insurance, among other purposes. Examples of consumer reports include credit reports, credit scores, reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history."
Organizations must adopt reasonable measures to prevent unauthorized access to or use of the information. Such measures include:
- establishing and complying with policies to burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroying or erasing electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conducting due diligence and hiring a document destruction contractor to dispose of material specifically identified as consumer report information. Due diligence could include reviewing an independent audit of a disposal company's operations and/or its compliance with the new Rule; obtaining information about the disposal company from several references; requiring that the disposal company be certified by a recognized trade association; or reviewing and evaluating the disposal company's information security policies or procedures.
The FTC has published guidance (in understandable language), available on its website.
