The FACTA Disposal Rule is designed to prevent the unauthorized access to – or use of – information in a consumer report. Is your business compliant?
When people think of business regulation, the Securities and Exchange Commission or HIPAA may come to mind first. But just because you are not in the healthcare industries, that does not mean your business is off the hook when it comes to secure destruction of confidential information. On June 1, 2005, The Federal Trade Commission (FTC) enacted The Disposal Rule which requires businesses to take appropriate measures to dispose of sensitive information derived from consumer reports. Any business (or individual) who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The FTC also encourages businesses who deal with any records containing a consumer’s personal or financial information to take similar protective measures. Businesses who are subjected to the FACTA Disposal Rule include, but are not limited to, the following:
- consumer reporting companies,
- insurance companies,
- government agencies,
- automotive dealers,
- attorneys, and
- debt collectors.
Businesses of all sizes, as well as individuals who may pull consumer reports on prospective home employees such as nannies or care givers, are included. According to the FTC, “The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes.”
The Disposal Rule is designed to prevent the unauthorized access to – or use of – information in a consumer report. The way in which this confidential information is destroyed is more flexible than some of the other governing bodies. The FTC considers burning, pulverizing, or shredding papers and destroying or erasing electronic files or media containing consumer report information so that the information cannot be read or reconstructed. The FTC also allows businesses to conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. The FTC states that “Due diligence could include: reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule; obtaining information about the disposal company from several references; requiring that the disposal company be certified by a recognized trade association; or reviewing and evaluating the disposal company’s information security policies or procedures.”
There are penalties associated with breaking the Disposal Rule range from the thousands for state and federal penalties to millions of dollars in the form of a class action lawsuit (see: Equifax for proof of that!).
SRS helps many businesses stay compliant through our shred program. We provide you a secure shredding container to your office based on your volume needs. Each bin is equipped with a locking system that makes them secure to protect your sensitive files until they are destroyed. Then, on a regularly scheduled basis, typically every 1-4 weeks, one of our friendly, uniformed drivers will come to pick up your shredding. Our shredding process is NAID AAA-certified, meaning it meets the industry’s most-stringent requirements and is subject to random audits by NAID to ensure compliance.
If you’re reading this and realize that you have files that need to be destroyed in order to become compliant with the Disposal Rule, we also offer one-time purges to destroy lots of documents at once. At SRS, we believe that the cost of a regular shred program is much cheaper than the cost of a breach, not only in terms of dollars, but in terms of your reputation. Please contact us today to find out if we can help your business adhere to the FACTA Disposal Rule.