New regulations in effect today establish rules for disposing of credit reports
and information derived from them that employers use for employment purposes.
In late 2004, the Federal Trade Commission issued a final rule regarding the
proper disposal of consumer report information and records under the Fair and
Accurate Credit Transactions Act of 2003 (FACTA) and the Fair Credit Reporting
Act (FCRA).
The regulations cover any business that uses consumer reports for a business
purpose. The FTC says consumer reports include credit reports, credit scores,
and reports employers receive with information relating to employment background.
The purpose of the rule is to reduce the risk of identity theft from improper
disposal of a consumer report or any record derived from one. The rule requires
that businesses "take reasonable measures to protect against unauthorized
access to or use of the information in connection with its disposal."
The FTC says reasonable measures could include establishing and complying with
policies to:
- Burn, pulverize, or shred papers containing consumer report information
so that the information cannot be read or reconstructed;
- Destroy or erase electronic files or media containing consumer report information
so that the information cannot be read or reconstructed;
- Conduct due diligence and hire a document destruction contractor to dispose
of material specifically identified as consumer report information consistent
with the rule. Due diligence could include:
- reviewing an independent audit of a disposal company's operations and/or
its compliance with the Rule;
- obtaining information about the disposal company from several references;
- requiring that the disposal company be certified by a recognized trade
association;
- reviewing and evaluating the disposal company's information security
policies or procedures.
Links