Credit Rule Changes...

William Hubbartt

New federal government regulations creating requirements for businesses to take reasonable measures for proper disposal of consumer credit information became effective June 1, 2005, according to the Federal Trade Commission.

The data disposal rules implement a section of the Fair and Accurate Credit Transactions Act of 2003, an act known as FACTA. The purpose of the revised rules is to reduce the risk of consumer fraud and related harms, such as identity theft, by defining a standard for proper disposal of consumer credit information.

The regulation states that "Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."

The rule does not apply to an individual consumer who has obtained his or her own consumer report. All other persons or entities who hold consumer information that is a consumer report or derived from a consumer report, whether in paper, electronic or other form, are subject to the regulation. FTC officials concede that this broad definition could affect entities across almost every industry.

The FTC commentary explaining the intent of the regulation suggests that covered entities could include consumer reporting agencies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, utility companies, telecommunications companies and others.

A business that runs a consumer credit report as part of a financing transaction to sell its products and services, or an employer who obtains a credit report to screen new hires, receives information that is subject to the regulation.

The regulation requires the covered entity to dispose of information properly by taking reasonable measures to guard against unauthorized use or disclosure of the information. The covered entity may determine an appropriate method of destruction of the data. Paper documents, for example, may be subjected to shredding or other destruction for disposal.

Disposal of electronic information must also be adequate to achieve the stated purpose of the rule. Donation of old computers or electronic equipment must now occur in a manner that guards against unauthorized disclosure of consumer data. Wiping, reformatting, or physical destruction of electronic media are commonly used methods of disposal.

Records disposal organizations are stepping up to offer services to aid compliance. The covered entity is responsible for taking reasonable steps to guard against unauthorized disclosure in the disposal process. This could require careful screening of individuals or entities who offer such services or are assigned by the employer to perform such services.

It is recommended that the employer define policies and procedures which identify individuals responsible for handling consumer data, limit disclosures and use of the data for the prescribed purpose, and oversee proper disposal of consumer information.

William S. Hubbartt is a human resources and privacy consultant in St. Charles, IL. www.Hubbartt.com. He is the author of "The HIPAA Security Rule - A Guide for Employers and Health Care Providers," a 200+ page book in CD format.
