Source: National Association for Information Destruction
Today the Federal Trade Commission (FTC) issued a final Rule requiring businesses to properly dispose of and destroy sensitive consumer data. The Rule is one of several new requirements intended to combat consumer fraud and identity theft and protect privacy required by the federal Fair and Accurate Credit Transactions Act (FACT Act) which was enacted in December 2003.
The new FACT Act Disposal Rule broadly covers "any record about an individual, whether in paper, electronic, or other form that is a consumer report [also known as a credit report] or is derived from a consumer report." It requires any person or company that possesses or maintains such information to "tak[e] reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
"This new Rule is an important step forward in the fight against consumer fraud and identity theft. Shredding documents and properly destroying computer files and hard drives will help ensure that records containing sensitive personal and financial information don't fall into the wrong hands," said Robert Johnson, executive director of the National Association for Information Destruction (NAID). "It's important for the business community to understand that this law applies to nearly every business and private employer in the U.S."
According to a study released by the FTC in September 2003, nearly 10 million Americans were the victims of identity theft in the previous year alone. The study also found that U.S. businesses lost $47 billion and consumers lost approximately $5 billion as a result of identity theft during the same period.
"There is no reason that a stack of customer files containing credit reports should be sitting in a dumpster, easily accessible to just about anyone. This rule will force banks, retailers and auto dealers that obtain credit reports to shred those documents into little pieces before throwing them away," added Johnson.
The new rule provides examples of how to comply with the new requirements, including:
* Implementing and monitoring compliance with policies and procedures that require shredding or other forms of destruction of documents and electronic media containing consumer information; and
* Contracting with a third party to properly dispose of consumer information and monitoring their performance.