DLO / Sunday, May 1, 2005 / Categories: Springfield Business Journal Article, Blog Post New Rules Regarding Credit Reports If your business uses consumer credit reports, a new federal law that becomes effective June 1, 2005 imposes requirements that you might not be aware of regarding disposal of that information. Failure to adhere to the new requirements may lead to the imposition of drastic penalties. First, absent written authorization, a business may obtain that information only when it has a "legitimate business need" for a "permissible purpose." Businesses that can access credit reports without authorization typically include insurance companies, employers, landlords, automobile dealers, credit grantors (such as banks) and collection agencies. The new federal rule was issued by the Federal Trade Commission in connection with the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"). The requirements are part of the ongoing Federal effort to combat identity theft and consumer fraud. The new rule requires that "any person" who possesses "consumer information" for a "business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." Consumer information must be destroyed once there is no longer a business need for it. Smaller businesses that don't have formalized document retention and destruction procedures are most likely to run afoul of the new rule. Think that you aren't a person because you are a business? Think again. The definition of a "person" is quite broad. The new rule states that it "covers any person that possesses or maintains consumer information other than an individual consumer who has obtained his or her own consumer report." The FTC has stated, in commentary to the rule, that it is impossible to specify who might fall under the rule's umbrella. In fact, the FTC anticipates that "entities across almost every industry could potentially be subject to the rule." The safest course is to assume that if you have consumer credit information in your possession the new rules applies to you. What is "consumer information?" The FTC defines it as "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report." The rule is limited to "information that identifies particular individuals," and includes "a variety of personal identifiers beyond simply a person's name…, including, but not limited to, a social security number, driver's license number, phone number, physical address, and e-mail address." However, the FTC has left the definition flexible because it believes that some information not "inherently identifying" can, when combined with other data, establish a person's identity. If it's an actual credit report, it's most certainly "consumer information." In more ambiguous situations, once again the safest course is to assume that the information is covered by the new rule. Assuming you do possess such consumer information, what constitutes "disposal?" Because "consumer information" may be kept in paper or electronic form, the answer is not as simple as shredding or burning. For paper records, the FTC suggests that shredding the documents will be sufficient. Disposal of electronic records is, however, somewhat murky. Does "wiping" the hard drive suffice, or must it be physically destroyed? The FTC offers no concrete guidance, instead suggesting that whether "wiping, as opposed to destruction, is reasonable, as well as the adequacy of particular utilities to accomplish that wiping, will depend on the circumstances," presumably including the extent of the resources available to the business. If you are in doubt, destroying the hard drive would seem to offer the most protection. Regarding "reasonable measures," the FTC has made it clear that simply hiring a document destruction service provider will not relieve a business of its responsibilities under the new rule. At a minimum, before you hire such a service provider it should be advised that the documents, in whatever format, contain consumer information. And, make sure that the information will be destroyed in compliance with these new requirements. When determining whether a business has implemented "reasonable measures," the FTC will look, it says, at whether the business has established, and followed, appropriate policies and procedures, together with employee training. Your legal counsel should be able to help you draft such a policy. Disposal has also been extended to encompass unauthorized access to consumer information during the disposal process itself. In other words, if you elect to tackle this job yourself, you should supervise the process and make sure that it is performed by responsible employees. What happens if you violate the new rule? Victims can sue you for actual damages, and you may also be subject to penalties of up to $1,000 for each violation together with possible punitive damages and attorney's fees. You may also be subject to administrative enforcement penalties of up to $2,500 for each violation. Don't let this new rule catch you unprepared. by Thomas C. Pavlik, Jr. Previous Article Who Will Make Your Medical Decisions? Next Article What Does the New Bankruptcy Act Mean to You? Print 7822