- New Regulations Require Employers to Protect Employees' Consumer Information from Potential Identity Theft
- October 10, 2005
- Law Firm: Dinsmore & Shohl LLP - Cincinnati Office
As of June 1, 2005, any person or company that maintains or possesses consumer information for a business purpose is required to dispose of it properly, to reduce the risk of consumer fraud and identity theft created by improper disposal. The new "Disposal Rule," issued by the Fair Trade Commission (FTC) under the Fair and Accurate Credit Transaction Act (FACTA), applies to employers, consumer reporting agencies, lenders, insurers, landlords, government agencies, mortgage brokers, automobile dealers, waste disposal companies and any other business, whether large or small, that possesses or maintains consumer information.
Under the Disposal Rule, any entity that possesses consumer information must take reasonable measures to protect against unauthorized access to consumer information at the time of disposal, including implementing policies and procedures that require burning, pulverizing or shredding papers and destroying or erasing electronic media containing consumer information.
The Definition of "Consumer Information"
The Disposal Rule was adopted pursuant to FACTA, which amends the Fair Credit Reporting Act (FCRA). The Disposal Rule defines "consumer information" as "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report." Under the FCRA, a consumer report includes any written, oral or other communication containing information on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or collected for establishing eligibility for employment purposes. A consumer reporting agency is any person or company that assembles or evaluates consumer credit information for the purpose of furnishing consumer reports to third parties. Private companies that obtain background check information for employers are considered consumer reporting agencies. Thus, any employer that obtains consumer report information on an employee or prospective employee must comply with the Disposal Rule.
The Disposal Rule requires entities to take reasonable measures to protect against unauthorized access to or use of consumer information during disposal. Disposal includes the discarding or abandonment of consumer information or the sale, donation or transfer of any medium, including computer equipment, upon which any consumer information is stored. While the Rule does not provide a "safe harbor" for disposal, it does provide examples of reasonable measures, including implementing and monitoring compliance with policies and procedures requiring:
- burning, pulverizing, or shredding papers containing consumer information so the information cannot be read or reconstructed; and
- destroying or erasing electronic media containing consumer information.
Potential Penalties for Violations
Failure to comply with the Disposal Rule may expose an employer to penalties under the FCRA, including any actual damages sustained by the consumer up to $1000, punitive damages, and attorney's fees.
Recommendations for Employers
- Treat consumer information as confidential. Consider limiting access to consumer information or keeping consumer information separate from personnel files.
- Review and revise document retention policies to ensure compliance with the Disposal Rule.
- Conduct training of employees with access to consumer information to ensure that proper policies and procedures are being implemented regarding the destruction and disposal of consumer information.
- If you use an outside document retention and destruction service, ensure that the outside company is in compliance with the Disposal Rule.