
FACT Act General Overview


Fair and Accurate Credit Transaction Act of 2003

16 CFR Part 682: “Disposal of consumer report information and records, pursuant to the Fair and Accurate Credit Transaction Act of 2003.”

Who Must Comply
Section 216: “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation,” must achieve FACT Act compliance.



Key Elements of the Statute.
For whom compliance is required.
Penalties for Non-Compliance.
Methods for Achieving Compliance.

What You Must Do
Examples provided: implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot “practicably be read or reconstructed.”

Vendor Selection
After due diligence, entering into and monitoring FACT Act compliance with a written contract with another party engaged in the business of record destruction to dispose of consumer information in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party.



Key elements of the statute


FEDERAL TRADE COMMISSION
16 CFR Part 682

[RIN 3084-AA94]

Disposal of Consumer Report Information and Records

AGENCY: Federal Trade Commission (FTC or Commission).
ACTION: Final Rule.

SUMMARY: The Fair and Accurate Credit Transactions Act of 2003 (“FACT Act” or “Act”) requires the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, Securities and Exchange Commission, and Federal Trade Commission, in coordination with one another, to adopt consistent and comparable rules regarding the proper disposal of consumer report information and records. This final Rule implements this requirement.

EFFECTIVE DATE: This Rule is effective on June 1, 2005.

FOR FURTHER INFORMATION CONTACT: Ellen Finn or Susan McDonald, Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

PART 682 – DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS
Sec.
§ 682.1 Definitions.
§ 682.2 Purpose and Scope.
§ 682.3 Proper Disposal of Consumer Information.
§ 682.4 Relation to Other Laws.
§ 682.5 Effective Date.
Authority: Pub. L. 108-159, sec.216.


§ 682.1 Definitions.

(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.

(b) “Consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.

(c) “Dispose,” “disposing,” or “disposal” means:
  1. the discarding or abandonment of consumer information, or
  2. the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.

§ 682.2 Purpose and Scope.

(a) Purpose. This part (“rule”) implements section 216 of the Fair and Accurate Credit Transactions Act of 2003, which is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.

(b) Scope. This rule applies to any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information.

The Disposal Rule, which tracks the language of section 216 of the FACT Act, applies to “any person that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.” The entities covered by the Rule would include consumer reporting agencies, resellers of consumer reports, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, waste disposal companies, and any other business that possesses or maintains consumer information. As explained in the NPR and supplemental IRFA, any company, regardless of industry or size, that possesses or maintains consumer information for a business purpose will be subject to the Rule.


§ 682.3 Proper Disposal of Consumer Information.

(a) Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

(b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with this rule:

  1. Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
  2. Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
  3. After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company’s operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.
  4. For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (1) and (2) above.
  5. For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR Part 314 (“Safeguards Rule”), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule.


§ 682.4 Relation to Other Laws.

Nothing in this rule shall be construed:
(a) to require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or

(b) to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.


§ 682.5 Effective Date.

This rule is effective on June 1, 2005.

By Direction of the Commission.
Donald S. Clark
Secretary

Source: Federal Trade Commission




For Whom Compliance is Required



The FACT Act Disposal Rule applies to virtually every business and private employer in the U.S. The rule requires these businesses to come into compliance by June 1, 2005 by both adopting and implementing their own document destruction policies or by contracting with a document shredding company or other data destruction company to do so.




Penalties for Non-Compliance



The penalties for a FACT Act violation can be severe. The statute provides for private civil actions by individuals. Damages include any actual damages suffered, liquidated damages (if actual damages are absent or less than the liquidated ones), punitive damages, attorneys’ fees, and costs. Criminal penalties apply in certain circumstances. Many penalties handed down by the FTC begin at $11,000 per infraction and increase from there depending on the interpretation of the damages suffered and the negligence of the organization.





Achieving Compliance



How to Comply
The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the financial institution's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each financial institution must:
  • Designate one or more employees to coordinate the safeguards;
  • Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select appropriate service providers and contract with them to implement safeguards; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations, or the results of testing and monitoring of safeguards.

Information Systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on how to maintain security throughout the life cycle of customer information - that is, from data entry to data disposal:

Dispose of customer information in a secure manner. For example:
  • Hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information;
  • Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up;
  • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media that contain customer information;
  • Effectively destroy the hardware; and
  • Promptly dispose of outdated customer information.

