On June 1, the Federal Trade Commission’s (FTC) new rule regarding disposal of personally identifying consumer information took effect. This rule was implemented as part of the Fair and Accurate Credit Transactions Act of 2003 to help combat consumer fraud and identity theft by prohibiting the improper disposal of consumer information. The rule applies to every company, regardless of industry or size, that obtains personally identifying consumer information derived from a credit report. Consumer information means any record about an individual, whether paper or electronic, and includes such things as home addresses, phone numbers, social security numbers, driver’s license numbers and email addresses. Employers who conduct background or credit checks on their employees are subject to this new disposal rule.
The rule provides that any person who maintains, or otherwise possesses, consumer information for business reasons must properly dispose of the information by taking “reasonable measures” to prevent unauthorized access to, or use of, the information. “Reasonable measures” means implementing and monitoring document disposal policies that require internal paper shredding, pulverizing or burning, as well as the destruction of electronic media such as computer files, discs and hard drives, so the protected information cannot be reconstructed. For employers who elect to utilize outside vendors to perform this service, “reasonable measures” means exercising due diligence to retain a reputable outside vendor to properly dispose of the information in question. Due diligence requires an objective review of the disposal company’s operations and security policies and procedures to determine its competence and ability to comply with the FTC’s rule. Employers should also, as part of their due diligence, obtain several references for the vendor and require that the vendor be a member of a recognized trade association.
Employers must ensure their document retention/disposal policies and procedures comply with the FTC’s new rule. To this end, employers should specifically address the types of documents or electronic media subject to heightened disposal requirements, as well as the particular disposal methodology required (e.g., shredding, pulverizing or burning paper records, or using Wipe software for computer files, discs or hard drives). Noncompliance could result in fines up to $2,500 per violation. Additionally, employees may file private or class action lawsuits against their employer for violations and recover actual and punitive damages, as well as costs and attorneys' fees.