A new Federal Trade Commission ("FTC") rule imposes obligations on employers who maintain or possess, for a business purpose, consumer information derived from a consumer report (a broadly defined term, discussed below, that includes information obtained in connection with an applicant or employee background check conducted by a third party), with respect to the disposal of that information. The requirements of the FTC's so-called "Disposal Rule"[1] went into effect on June 1, 2005, following a public comment period and a six-month waiting period.
The Disposal Rule implements a requirement of section 216 of the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), which, in part, amended the Fair Credit Reporting Act ("FCRA"). The FACT Act required several government agencies, including the FTC and the Securities and Exchange Commission, to collaborate in adopting rules regarding the proper disposal of consumer report information in order to "reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information."[2]
Coverage Of The Disposal Rule
By the enactment of the Disposal Rule, the FTC hopes to protect the privacy of sensitive consumer information and to reduce the risk of fraud and identity theft that may be facilitated by the careless or lax disposal of sensitive financial or personal information relating to an individual. The Disposal Rule therefore has broad applicability and covers any person over which the FTC has jurisdiction (including, without limitation, employers, attorneys, consumer reporting companies, landlords, private investigators - even individuals who obtain credit reports on prospective nannies, contractors or tenants). In short, covered individuals or entities that "maintain or otherwise possess consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."[3]
"Consumer information" regulated by the Disposal Rule is defined as "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report."[4] As "consumer report" is not otherwise defined by the Disposal Rule, the term has the same meaning as set forth in the FCRA: any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for, among other things, an employment purpose.[5] An employment purpose is broadly defined by the FCRA to include evaluating a consumer for employment, promotion, reassignment or retention as an employee, and thus includes consumer reports procured by third parties on applicants for employment as well as current employees.[6]
In addition, compilations of consumer information are explicitly covered by the Disposal Rule. Further, while information that does not identify individuals, such as aggregate information or blind data, is specifically excluded from the Disposal Rule's scope, employers should be wary of excluding consumer-related information that may identify a particular individual, even where no names are used. In response to commentators' requests for guidance on this issue, the FTC has noted that "there are a variety of personal identifiers beyond simply a person's name that would bring information within the scope of the [Disposal] Rule, including, but not limited to, a social security number, driver's license number, phone number, physical address, and e-mail address."[7] Furthermore, even elements of consumer information that are not "inherently identifying" may, in combination and depending on the circumstances, allow for the identification of particular individuals and thus be brought within the scope of the Disposal Rule.[8] Therefore, employers should carefully analyze whether consumer information that they maintain or possess falls within the broad purview of the Disposal Rule - even where that information at first blush does not name a particular individual.
The Proper Disposal Of Information Obligation
The Disposal Rule does not prescribe a one-size-fits-all approach that must be taken in all cases to satisfy its requirements for the disposal of consumer information (disposal being defined as the "discarding or abandonment of consumer information, ...[t]he sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored").[9] Rather, the Disposal Rule creates a variable standard of reasonableness pursuant to which each employer must measure what disposal methods are reasonable to protect against unauthorized access to or use of sensitive consumer information. Reasonableness will therefore fluctuate depending upon the circumstances, considering such factors as the sensitivity of the information, the costs and benefits of different available disposal methods, an entity's nature and size, and changes in technology.
In an effort to provide guidance on the disposal obligation, the Disposal Rule provides examples of generally reasonable consumer information disposal practices. Implementing and monitoring compliance with policies and procedures that require an employer to do the following should fulfill the reasonable measures obligation of the Disposal Rule:
Burn, pulverize, or shred papers containing consumer information so that the information cannot practicably be read or reconstructed;
Destroy or erase electronic media containing consumer information so that the information cannot practicably be read or reconstructed; or
After conducting "due diligence" (discussed below), contract with a party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, consistent with the Disposal Rule.[10]
The "due diligence" envisioned by the FTC in connection with the hiring of a document destruction contractor to fulfill an employer's obligations could include: reviewing an independent audit of the disposal company's operations and/or its compliance with the Disposal Rule; obtaining information about the disposal company from several references or other reliable sources; requiring that the disposal company be certified by a recognized trade association or similar third party; reviewing and evaluating the disposal company's information security policies or procedures; or taking other appropriate measures to determine the competency and integrity of the potential disposal company.[11] Of course, these examples are "illustrative only" and simply provide non-exclusive, non-exhaustive examples of reasonable measures by which the FTC believes that the Disposal Rule's obligations may be fulfilled.[12]
Importantly, the Disposal Rule does not affect an employer's record keeping or record retention requirements pursuant to other applicable laws and is not intended to create a requirement that records pertaining to a consumer either be maintained or destroyed.[13] Employers must continue to fulfill their obligations under other applicable rules and regulations governing the use, disclosure, retention and disposal of sensitive consumer information to which they may be subject. For instance, despite an argument made during the public comment period that entities already subject to the protections of the FTC's Safeguards Rule,[14] pursuant to the Gramm-Leach-Bliley Act,[15] should be exempt from the Disposal Rule, such an exemption was not incorporated into the final Disposal Rule and financial institution employers must comply with the obligations of both of these rules.
Many employers who procure consumer reports already have mechanisms in place that govern the disposal of sensitive information. Given the Disposal Rule, however, it is important for all employers who maintain or possess information on consumers (importantly, whether in paper, electronic or other form) that is derived from a consumer report to create and adhere to policies regulating the proper disposal of that information. Employers should take into consideration all of the circumstances to establish "reasonable measures" to protect sensitive financial and personal consumer information from unauthorized disclosure and use in connection with its disposal. Finally, employers should ensure that all relevant employees are educated and trained in, and comply with, the disposal policy to avoid potential liability from the information's improper disposal.
[1] See 16 C.F.R. pt. 682.
[2] See 16 C.F.R. § 682.2(a).
[3] See 16 C.F.R. § 682.3(a).
[4] See 16 C.F.R. § 682.1(b).
[5] See 16 C.F.R. § 682.1(a); 15 U.S.C. § 1681a(d).
[6] See 15 U.S.C. § 1681a(h).
[7] See Commentary to 16 C.F.R. pt. 682.
[8] See id.
[9] See 16 C.F.R. § 682.1(c).
[10] See 16 C.F.R. § 682.3(b).
[11] See 16 C.F.R. § 682.3(b)(3).
[12] See 16 C.F.R. § 682.3(b).
[13] See 16 C.F.R. § 682.4.
[14] 16 C.F.R. pt. 314.
[15] 15 U.S.C. §§ 6801 et seq.
Albert J. Solecki, Jr. is a Partner in the Labor and Employment Law Group at Goodwin Procter LLP and Chairman of its New York office. Melissa G. Rosenberg is an Associate in Goodwin Procter's Labor and Employment Law Group, resident in the firm's New York office.