December 2003 FACTA was enacted.
June 2005 the FACTA rule went into effect.
The Federal Trade Commission (FTC) has issued a new rule that will require businesses to properly dispose of and destroy sensitive consumer data. The Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to and/or use of information in a consumer report. The rule is one of several new requirements intended to combat consumer fraud and identity theft and protect privacy required by the federal Fair and Accurate Credit Transactions Act (FACT Act).
The new FACT Act Disposal Rule broadly covers “any record about an individual, whether in paper, electronic, or other form that is a consumer report (also known as a credit report) or is derived from a consumer report.” It requires any person or company that possesses or maintains such information to take “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” The new rule provides examples of how to comply with the new requirements, including:
- Implementing and monitoring compliance with policies and procedures that require shredding or other forms of destruction of documents and electronic media containing consumer information.
- Contracting with a third party to properly dispose of consumer information and monitoring their performance.
The Rule applies to people and both large and small organizations that use consumer reports, including:
- Consumer reporting companies
- Government agencies
- Mortgage brokers
- Car dealers
- Attorneys; private investigators
- Debt collector
- Individuals who pull consumer reports on prospective home employees, such as nannies or contractors
- And entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the Rule.
Financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule, which requires institutions to take steps to protect sensitive customer information, should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires.