Businesses commonly use consumer reports when deciding whether to make a job offer or extend a line of credit. In the wrong hands, the same reports can be used to commit fraud and identity theft. This is why the Federal Trade Commission (FTC) issued the Disposal Rule.
The authority for the Disposal Rule comes from the Fair and Accurate Credit Transactions Act (FACTA), which requires proper disposal of consumer information derived from consumer reports by anyone who uses it for business purposes. Implementing FACTA, the FTC’s Disposal Rule requires reasonable disposal measures to protect against unauthorized access to or use of consumer information. Individuals and businesses of any size that use consumer reports for business purposes must comply with this rule.
The Disposal Rule applies to consumer reports or information that comes from consumer reports. Under the Fair Credit Reporting Act, consumer reports include information obtained from a consumer reporting company that is used or expected to be used for various reasons, such as establishing a consumer’s eligibility for credit, employment or insurance. Credit reports and credit scores are consumer reports. Reports with information relating to employment, check writing history, insurance claims, residential or tenant history and medical history are also consumer reports.
The Disposal Rule, which simply requires reasonable disposal measures to prevent unauthorized access to or use of consumer information, is designed to be flexible. The rule allows organizations and individuals to determine what measures are reasonable by considering the sensitivity of the information, the costs and benefits of different disposal methods and changes in technology.
Under the rule, reasonable measures may include:
- burning, pulverizing or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
- destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed. Note that simply deleting files or reformatting a drive does not meet this standard, and overwriting alone is unreliable on flash-based media (SSDs, USB sticks) because of wear leveling; use the device’s built-in sanitize or cryptographic-erase function, or physically destroy the media.
- after due diligence, hiring a third party to properly dispose of the consumer information. Due diligence could include reviewing an independent audit of the disposal company’s operations and/or its compliance with this rule, checking references, requiring certification by a recognized trade association or taking other appropriate measures to determine the competency and integrity of the disposal company.
According to the FTC, these examples are illustrative only and are not exclusive or exhaustive methods for complying with the Disposal Rule.
The Disposal Rule is but one aspect of protecting against a data security breach. Organizational protective measures should cover everything from the wireless network to the copy machine (digital copiers retain images of scanned documents on internal storage, which must be wiped or destroyed before the machine is returned or resold), and should also include insurance.
Various cyber liability products are available to protect against privacy injuries, such as identity theft, and to cover the cost of complying with various data breach notice laws. Given their complexity, an experienced insurance agent should be consulted to ensure that adequate coverage is obtained.
If you would like to learn more about insuring against data security breaches, contact us.
If you would like to learn more about preventing data security breaches, take our online course Information Risk Management: Strategies for Preventing and Mitigating Information Security Breaches.