Fair and Accurate Credit Transaction Act; implementation: Disposal of consumer report information and records

[Federal Register: April 20, 2004 (Volume 69, Number 76)]

[Proposed Rules]

[Page 21387-21392]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr20ap04-29]

[[Page 21387]]

Part III

Federal Trade Commission

16 CFR Part 682

Disposal of Consumer Report Information and Records; Proposed Rule

[[Page 21388]]

FEDERAL TRADE COMMISSION

16 CFR Part 682

RIN 3084-AA94

Disposal of Consumer Report Information and Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of proposed rulemaking; request for public comment.

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is proposing a rule regarding the proper disposal of consumer report information and records. The Fair and Accurate Credit Transactions Act of 2003 (``FACT Act'' or ``Act'') requires the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision (collectively, the ``Federal banking agencies''), National Credit Union Administration, Securities and Exchange Commission, and Federal Trade Commission, in coordination with one another, to adopt consistent and comparable rules regarding such disposal.

DATES: Written comments must be received on or before June 15, 2004.

ADDRESSES: Interested parties are invited to submit written comments. Comments should refer to ``The FACT Act Disposal Rule, R-411007'' to facilitate the organization of comments. A comment filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Comments containing confidential material must be filed in paper form. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

An electronic comment can be filed by (1) clicking on http://www.regulations.gov ; (2) selecting ``Federal Trade Commission'' at ``Search for Open Regulations;'' (3) locating the summary of this Notice; (4) clicking on ``Submit a Comment on this Regulation;'' and (5) completing the form. For a given electronic comment, any information placed in the following fields--``Title,'' ``First Name,'' ``Last Name,'' ``Organization Name,'' ``State,'' ``Comment,'' and ``Attachment''--will be publicly available on the FTC Web site. The fields marked with an asterisk on the form are required in order for the FTC to fully consider a particular comment. Commenters may choose not to fill in one or more of those fields, but if they do so, their comments may not be considered.

Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission. Comments should be submitted via facsimile to (202) 395-6974 because U.S. postal mail at the Office of Management and Budget is subject to lengthy delays due to heightened security precautions. Such comments should also be sent to the following address: Federal Trade Commission/Office of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW., Washington, DC 20580.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm .

FOR FURTHER INFORMATION CONTACT: Ellen Finn or Susan McDonald, Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: This notice contains the following sections:

  I. Introduction
  II. Summary of Proposed Rule
  III. Invitation to Comment
  IV. Communications by Outside Parties to Commissioners or Their Advisors
  V. Paperwork Reduction Act
  VI. Regulatory Flexibility Act
  Proposed Rule

  I. Introduction

    The FACT Act was signed into law on December 4, 2003. Fair and Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159 (2003). In general, the Act amends the Fair Credit Reporting Act (``FCRA'') to enhance the accuracy of consumer reports and to allow consumers to exercise greater control regarding the type and amount of marketing solicitations they receive. To promote increasingly efficient national credit markets, the FACT Act also establishes uniform national standards in key areas of regulation regarding consumer report information. Finally, the Act contains a number of provisions intended to combat consumer fraud and related crimes, including identity theft, and to assist its victims.

    Section 216 of the FACT Act requires the Commission, Federal banking agencies, National Credit Union Administration, and Securities and Exchange Commission (the ``Agencies''), to issue regulations requiring ``any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.'' The purpose of this section is to prevent unauthorized disclosure of consumer information and to reduce the risk of fraud or related crimes, including identity theft, by ensuring that records containing sensitive financial or personal information are appropriately redacted or destroyed before being discarded. The Agencies are required to consult and coordinate with each other so that, to the extent possible, regulations implementing this section are consistent and comparable. In addition, the Agencies' regulations must be consistent with the Gramm-Leach-Bliley Act (``GLBA'') and other provisions of Federal law. The Commission has conferred with the Agencies and now offers for public comment this proposed rule regarding the disposal of consumer report information and records (``Disposal Rule'' or ``Rule'').\1\

    \1\ The Federal banking agencies, SEC, and NCUA propose to implement section 216 of the FACT Act by amending their existing guidelines and rules on information security previously issued to implement section 501(b) of the GLBA. However, because the entities subject to the FTC's jurisdiction under the FACT Act and the GLBA are overlapping but not coextensive, the Commission is proposing a separate rule to implement section 216 of the FACT Act.

  II. Summary of Proposed Rule

    The following is a section-by-section summary of the Commission's proposed Rule.

    [[Page 21389]]

    Proposed Section 682.1: Definitions

    This section defines terms for purposes of the proposed Disposal Rule. Proposed section 682.1(a) makes clear that, unless otherwise stated, terms used in the Disposal Rule have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. Thus, for example, the term ``consumer report'' as used in the Disposal Rule has the same meaning as the term ``consumer report'' elsewhere in the FCRA. See 15 U.S.C. 1681a(d) (defining ``consumer report''). The proposed Disposal Rule also defines two new terms: ``consumer information'' and ``disposal.''

    Proposed section 682.1(b) defines ``consumer information'' as any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. The Commission believes a broad definition of the term, which includes all types of records that are consumer reports, or contain consumer information derived from consumer reports, will best effectuate the purpose of the Act. However, under this definition, information that is derived from consumer reports but does not identify any particular consumers would not be covered under the proposed Rule. The Commission believes that limiting ``consumer information'' to information that identifies particular consumers is consistent with current law relating to the scope of the term ``consumer report'' under the FCRA and the purposes of section 216.

    Proposed section 682.1(c) defines ``disposing'' or ``disposal'' to include the discarding or abandonment of consumer information, as well as the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. By itself, the sale, donation, or transfer of consumer information would not be considered ``disposal'' under the proposed Rule.

    The Commission requests comment on both of these proposed definitions.

    Proposed Section 682.2: Purpose and Scope

    Proposed section 682.2(a) sets forth the purpose of the proposed Disposal Rule, which is to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information. See Cong. Rec. S13889 (Nov. 4, 2003) (Statement of Sen. Nelson).

    Proposed section 682.2(b) sets forth the scope of the proposed Disposal Rule, which applies to ``any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.''\2\ This section, which tracks the language of section 216 of the FACT Act, creates two criteria for determining whether a person would be required to comply with the Disposal Rule. First, does the person maintain or otherwise possess the consumer information for a business purpose? Second, does the record being disposed of contain consumer information, or any compilation of consumer information?

    \2\ ``Person'' is defined in the FCRA, 15 U.S.C. 1681a(b), as ``any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity.''

    As to the first criterion, the Commission reads ``for a business purpose'' broadly to include all business reasons for which a person may possess or maintain consumer information. Thus, the Rule would likely cover any person that possesses or maintains consumer information other than an individual consumer who has obtained his or her own consumer report. Among the entities that possess or maintain consumer information for a business purpose are consumer reporting agencies, including resellers of consumer reports, that are in the business of selling consumer information, as well as lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, and other users of consumer reports.\3\ Companies that possess consumer information in connection with the provision of services to another entity are also directly covered by the proposed Rule to the extent that they dispose of the consumer information. \4\

    \3\ As these examples illustrate, the Commission views a ``business purpose'' as broader than a ``permissible purpose'' as defined in section 604 of the FCRA. See 15 U.S.C. 1681b (outlining permissible uses of consumer reports). Although ``permissible purposes'' are generally ``business purposes,'' there are a variety of business purposes for which persons maintain or possess ``consumer information'' beyond those listed as ``permissible'' for users of consumer reports.

    \4\ Examples of such companies could include records management or waste disposal companies.

    As to the second criterion, the FACT Act and proposed Rule make clear that the disposal requirements apply not only to consumer reports, but also to records containing ``consumer information, or any compilation of consumer information, derived from consumer reports.'' FACT Act, section 628(a)(1). The Commission believes that the phrase ``derived from consumer reports'' covers all of the information about a consumer that is taken from a consumer report, including information that results in whole or in part from manipulation of information from a consumer report or information from a consumer report that has been combined with other types of information.\5\ Thus, any person that possesses such information, including an affiliate that has received it pursuant to section 603(d)(2)(A)(iii) of the FCRA, would be obligated to properly dispose of it.

    \5\ Information that does not identify particular consumers would not be covered, even if the information was originally ``derived from consumer reports,'' since that information would no longer be ``about a consumer.''

    The Commission requests comment on the scope of the proposed Rule and the costs and benefits of covering the entities and information proposed. The Commission also seeks comment on whether the definition of covered ``consumer information'' should be further clarified, by example or otherwise. Finally, the Commission requests comment on whether there are any persons or classes of persons covered by the proposed Rule that it should consider exempting from the Rule's application pursuant to section 216(a)(3) of the FACTA.

    Proposed Section 682.3: Proper Disposal of Consumer Information

    Regarding the standard for disposal, the proposed Rule would require that any person that maintains or otherwise possesses consumer information ``take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.'' The Commission recognizes that there are few foolproof methods of record destruction. Accordingly, the proposed Rule does not require covered persons to ensure perfect destruction of consumer information in every instance; rather, it requires covered entities to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

    In determining what measures are ``reasonable'' under the Rule, the Commission expects that entities covered by the proposed Rule would consider the sensitivity of the consumer information, the nature and size of the entity's operations, the costs and benefits of different disposal methods, and relevant technological changes. ``Reasonable measures'' are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.

    [[Page 21390]]

    The flexible standard for disposal in the proposed Rule would allow covered persons to make decisions appropriate to their particular circumstances and should minimize the disruption of existing practices to the extent that they already provide appropriate protections for consumers. It is also intended to minimize the burden of compliance for smaller entities. In addition, a ``reasonable measures'' standard would harmonize the Disposal Rule with the Commission's Safeguards Rule, 16 CFR part 314, implementing section 501(b) of the GLBA, so that entities subject to both rules will not face conflicting requirements.\6\ An entity subject to the Safeguards Rule is required to address the disposal of customer information as one part of a larger, written information security program reasonable and appropriate for that entity. An entity that incorporates proper disposal measures for consumer information, as defined in the FACT Act Disposal Rule, into the broader information security program required by the Safeguards Rule would easily be able to comply with both rules.\7\

    \6\ The coverage of the proposed Disposal Rule is different from that of the Commission's Safeguards Rule. Although some entities may be subject to both rules, there are a variety of entities subject to the proposed Disposal Rule that are not subject to the Safeguards Rule because they are not ``financial institutions'' under GLBA. This differential coverage was specifically intended by Congress. See Cong. Rec. S13889 (Nov. 4, 2003) (Statement of Sen. Nelson). In addition, the proposed Disposal Rule and the Safeguards Rule apply to different sets of information. See 16 CFR 314.1(b) (describing scope of ``customer information'' covered by Safeguards Rule); Proposed Disposal Rule Sec. Sec. 682.1(b) & 682.2(b) (defining scope of ``consumer information'' subject to proposed Disposal rule).

    \7\ As noted above, in addition to the entities that own consumer information, waste disposal companies and other companies that obtain consumer information in connection with the provision of services would be directly covered by the Disposal Rule. By contrast, such entities are generally deemed ``service providers'' under the Safeguards Rule. To the extent that such entities undertake disposal measures that comply with the Disposal Rule, such measures would also be appropriate disposal measures under the service provider provisions of the Safeguards Rule. See 16 CFR 314.4(d). However, such disposal measures would only be one part of the broader security program required of both financial institutions and, indirectly, their service providers under the Safeguards Rule.

    Despite the many benefits of a flexible ``reasonableness'' standard, the Commission recognizes that such a standard can leave covered persons with some uncertainty about compliance. Accordingly, the proposed Rule includes examples intended to provide guidance on disposal measures that would be deemed reasonable under the Rule. These examples are illustrative only, not exhaustive, and because they cannot take into account a particular entity's unique circumstances, they are intended merely to provide general guidance.

    The Commission invites comment on the proposed standard for record disposal. In particular, the Commission invites comment on: (1) The costs and benefits of the proposed standard; (2) the costs and benefits of any alternative standards; (3) the appropriateness and usefulness of providing examples in the Rule of reasonable record disposal measures; (4) the merits of the examples included in this notice, as well as any other standards or examples that the Commission might consider to provide guidance on appropriate record disposal.

    Proposed Section 682.4: Relation to Other Laws

    The proposal makes clear that nothing in the proposed Rule is intended to create a requirement that a person maintain or destroy any record pertaining to a consumer. Nor is the Rule intended to affect any requirement imposed under any other provision of law to maintain or destroy such records.

    Proposed Section 682.5: Effective Date

    The Commission proposes to make the Disposal Rule effective 3 months after the publication of the final Rule.

  III. Invitation To Comment

    The Commission invites interested members of the public to submit written data, views, facts, and arguments addressing the issues raised by this Notice. Written comments must be received on or before June 15, 2004. Comments should refer to ``The FACT Act Disposal Rule, R-411007'' to facilitate the organization of comments. A comment filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW., Washington, DC 20580. If the comment contains any material for which confidential treatment is requested, it must be filed in paper (rather than electronic) form, and the first page of the document must be clearly labeled ``Confidential.'' \8\ The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

    \8\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).

    An electronic comment can be filed by (1) clicking on http://www.regulations.gov ; (2) selecting ``Federal Trade Commission'' at ``Search for Open Regulations;'' (3) locating the summary of this Notice; (4) clicking on ``Submit a Comment on this Regulation;'' and (5) completing the form. For a given electronic comment, any information placed in the following fields--``Title,'' ``First Name,'' ``Last Name,'' ``Organization Name,'' ``State,'' ``Comment,'' and ``Attachment''--will be publicly available on the FTC Web site. The fields marked with an asterisk on the form are required in order for the FTC to fully consider a particular comment. Commenters may choose not to fill in one or more of those fields, but if they do so, their comments may not be considered.

    Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission. Comments should be submitted via facsimile to (202) 395-6974 because U.S. postal mail at the Office of Management and Budget is subject to lengthy delays due to heightened security precautions. Such comments should also be sent to the following address: Federal Trade Commission/Office of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW., Washington, DC 20580.

    The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at http://www.ftc.gov. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm .

    [[Page 21391]]

  IV. Communications by Outside Parties to Commissioners or Their Advisors

    Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding from any outside party to any Commissioner or Commissioner's advisor will be placed on the public record. See 16 CFR 1.26(b)(5).

  V. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 3506) (PRA), the Commission has reviewed the proposed rule. The proposed rule explicitly provides that it is not intended ``(1) to require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or (2) to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.'' As such, the proposed rule does not impose any recordkeeping requirement or otherwise constitute a ``collection of information'' as it is defined in the regulations implementing the PRA. See 5 CFR 1320.3(c).

  VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612, requires an agency to provide an Initial Regulatory Flexibility Analysis (``IRFA'') with a proposed rule and a Final Regulatory Flexibility Analysis (``FRFA'') with the final rule, if any, unless the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities. See 5 U.S.C. 603-605. The Commission has determined that it is appropriate to publish an IRFA in order to inquire into the impact of the proposed Rule on small entities. Therefore, the Commission has prepared the following analysis.

    1. Reasons for the Proposed Rule

      Section 216 of the FACT Act requires the Commission to issue regulations regarding the proper disposal of consumer information in order to prevent sensitive financial and personal information from falling into the hands of identity thieves or others who might use the information to victimize consumers. The requirements of the proposed Rule are intended to fulfill the obligations imposed by section 216.

    2. Statement of Objectives and Legal Basis

      The objectives of the proposed Rule are discussed above. The legal basis for the proposed Rule is section 216 of the FACT Act.

    3. Description of Small Entities to Which the Proposed Rule Will Apply

      The proposed Disposal Rule, which tracks the language of section 216 of the FACT Act, applies to ``any person that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.'' As discussed above, the entities covered by the Rule would include consumer reporting agencies, resellers of consumer reports, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, waste disposal companies, and any other business that possesses or maintains consumer information. Although it is not readily feasible to determine a precise number of small entities that will be subject to the proposed Rule, it is clear that numerous small entities across almost every industry could potentially be subject to the Rule.

      For example, any employer, regardless of industry or size, that obtains a consumer report (whether a full credit report or a pre-employment background check of public records) would be subject to the proposed Rule. Indeed, any company, regardless of industry or size, that obtains consumer reports for a business purpose would be subject to the proposed Rule. In addition, a variety of consumer reporting agencies and resellers of consumer reports may qualify as small businesses, as could a number of waste disposal companies, all of which would be subject to the proposed Rule.

      Given the diversity of the entities potentially subject to the Rule, determining a precise estimate of the number of small entities that will be subject to the proposed Rule, or describing those entities, is not possible. The Commission invites comment and information on this issue.

    4. Projected Reporting, Recordkeeping and Other Compliance Requirements

      The proposed Rule would not impose any reporting or any specific recordkeeping requirements within the meaning of the Paperwork Reduction Act, discussed above. The proposed Rule would require covered entities, when disposing of consumer information, to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. What is considered ``reasonable'' will vary according to an entity's nature and size, the costs and benefits of available disposal methods, and the sensitivity of the information involved. This flexibility is intended to reduce the burden that might otherwise be imposed on small entities by a more rigid, prescriptive rule. Nonetheless, the Commission is concerned about the potential impact of the proposed Rule on small entities, and invites comment on the costs of compliance for such parties.

    5. Identification of Other Duplicative, Overlapping, or Conflicting Federal Rules

      The FTC has not identified any other Federal statutes, rules, or policies that would conflict with the proposed Rule's requirement that covered persons take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. However, the Commission is requesting comment on the extent to which other federal standards involving privacy or security of information may duplicate, satisfy, or inform the proposed Rule's requirements. In addition, the FTC seeks comment and information about any statutes or rules that may conflict with the proposed requirements, as well as any other state, local, or industry rules or policies that require covered entities to implement practices that comport with the requirements of the proposed Rule.

    6. Discussion of Significant Alternatives

      Section 216 of the FACT Act requires the Commission to issue regulations regarding the proper disposal of consumer information. The Act also requires that the regulations cover ``any person who possesses or maintains'' consumer report information. This broad coverage is consistent with the section's purpose of preventing identity theft because the risks created by improper disposal of consumer information are the same regardless of the nature of the entity disposing of the records. However, the standards in the proposed Rule are flexible, and take account of a covered entity's size and sophistication, as well as the costs and benefits of alternative disposal methods. The FTC welcomes comment on any significant alternatives, consistent with the purposes of the FACT Act, that would minimize the impact on small entities.

      List of Subjects in 16 CFR Part 682

      Consumer reports, Consumer reporting agencies, Credit, Fair Credit Reporting Act, Trade practices.

      Accordingly, the Commission proposes to add part 682 of title 16 of the Code of Federal Regulations as follows:

      [[Page 21392]]

      PART 682--DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS

      Sec.
      682.1 Definitions.
      682.2 Purpose and scope.
      682.3 Proper disposal of consumer information.
      682.4 Relation to other laws.
      682.5 Effective date.

      Authority: Pub. L. 108-159, sec. 216.

      Sec. 682.1 Definitions.

      (a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.

      (b) As used in this part, ``consumer information'' means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.

      (c) As used in this part, ``disposing'' or ``disposal'' includes:

      (1) the discarding or abandonment of consumer information, and

      (2) the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.

      Sec. 682.2 Purpose and scope.

      (a) Purpose. This part (``rule'') implements section 216 of the Fair and Accurate Credit Transactions Act of 2003, which is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.

      (b) Scope. This rule applies to any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information or any compilation of consumer information.

      Sec. 682.3 Proper disposal of consumer information.

      (a) Standard. Any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

      (b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal would include:

      (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.

      (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.

      (3) After due diligence, entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of consumer information in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

      (4) (a) For disposal companies explicitly hired to dispose of consumer information: implementing and monitoring compliance with policies and procedures that protect against unauthorized access to or use of consumer information during collection and transportation, and disposing of such information in accordance with examples (1) and (2) above.

      (b) For traditional garbage collectors engaged in the normal course of business: disposing of garbage in accordance with standard procedures.

      Sec. 682.4 Relation to other laws.

      Nothing in this rule shall be construed--

      (a) to require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or

      (b) to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

      Sec. 682.5 Effective date.

      This rule is effective 3 months from the date on which a final rule is published in the Federal Register.

      By direction of the Commission.
      Donald S. Clark,
      Secretary.

      [FR Doc. 04-8904 Filed 4-19-04; 8:45 am]

      BILLING CODE 6750-01-P
