Have you been disposing of old personnel or job applicant files by tossing them into the trash can? Effective June 1, 2005, such a practice could run afoul of a new regulation promulgated by the Federal Trade Commission. The regulation implements a provision of the Fair and Accurate Credit Transactions Act (“FACTA”) that requires “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose [to] properly dispose of any such information or compilation.” Under the new regulation, businesses that dispose of records that contain certain types of information about their employees and applicants must take reasonable measures to protect against unauthorized access to that information.
Who must comply with the new regulation?
The new regulation applies to any business, regardless of size, that maintains or possesses consumer information.
What is consumer information?
Consumer information means any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. A consumer report means any communication by a consumer reporting agency that bears on an individual’s character, general reputation, personal characteristics, mode of living, or credit worthiness that is or may be used to establish an individual’s eligibility for employment, insurance, or credit.
In the employment context, the classic example of a consumer report is a background check on a current employee or a job applicant that is prepared by a third party. Both the background check itself and any record that is derived from the background check are covered by the regulation. Depending on your business, there may be other types of consumer reports or information that you maintain or possess which would also be covered.
Note that consumer information only includes information that identifies a particular individual; it does not include information that does not identify a particular individual, such as aggregate information or blind data.
What does the new regulation require?
The new regulation requires anybody who maintains or possesses consumer information to properly dispose of such information by taking “reasonable measures” to protect against unauthorized access to or use of the information in connection with its disposal.
What measures are considered reasonable?
Although the new regulation does not actually define “reasonable measures,” it provides several examples, including the following:
• Implementing and monitoring compliance with procedures that require the burning, pulverizing, or shredding of papers containing consumer information so the information cannot practicably be read or reconstructed.
• Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
• Contracting with a third party engaged in the business of record destruction to dispose of consumer information in a manner consistent with the regulation. Employers who contract with a third party to dispose of their consumer information must take reasonable steps to ensure that the third party complies with the new regulation. Such steps could include reviewing an independent audit of the disposal company’s compliance with the regulation, obtaining information about the disposal company from several references or reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information securities policies and procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.
What steps should you take to comply with the new regulation?
• If you already have document retention and disposal policies in place, carefully review those policies to ensure they comply with the new regulation.
• If you don’t already have document retention and disposal policies, establish and implement ones that comply with the new regulation.
• Regularly train your employees on proper disposal procedures.
• Monitor compliance regularly to ensure your policies are being followed.
• If you contract with an outside company to handle your document disposal, take reasonable steps to ensure that the outside company is complying with the regulation.