Tips on How to Effectively Dispose of Consumer Records and Comply With the FTC’s Rules
When was the last time you reviewed your policy and process for disposing of consumer report records? Yes, I know it is not something that is ‘top of mind’ as you are running your business or your human resources organization. However, it is one of the details that can get you into trouble if not handled properly.
First, let’s take a look at what the legal requirements are regarding disposal of consumer report records.
The Federal Trade Commission’s (FTC) Disposal Rule loosely outlines what needs to happen to any consumer report that your company gains access to, and the sensitive information derived from those reports.
First, let’s start with defining a consumer report to make sure we are working from a common framework.
What is a Consumer Report?
Consumer reports are governed by the Fair Credit Reporting Act (FCRA) that defines the term consumer report “to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. Credit reports and credit scores are consumer reports. So are reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history.”
As you are aware, these types of reports contain a considerable amount of sensitive and personally identifiable information, which must be safeguarded. Given the private nature of the information, if you are doing business internationally you may also fall under the jurisdiction of the European Union’s General Data Protection Regulation (GDPR) or similar laws in other countries. However, that is a discussion for another time.
Cornell Law School offers this definition of a ‘consumer report:’
“the term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—
(A) credit or insurance to be used primarily for personal, family, or household purposes;
(B) employment purposes; or
(C) any other purpose authorized under section 1681b of this title.”
Rules Governing the Disposal of Records
In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, a federal rule requires businesses to take appropriate measures to dispose of sensitive information derived from consumer reports.
According to the Federal Trade Commission (FTC), which is charged with responsibility for enforcing the Disposal Rule, “Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against ‘unauthorized access to or use of the information.’”
The rule covers both hard copy and electronic formats of any information derived from a consumer report and, of course, the report itself.
The Disposal Rule says that anyone who has information from a consumer report must ensure that the information is properly disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
The Disposal Rule applies to people and organizations that use consumer reports.
Here’s some information about what is deemed to be ‘reasonable measures:’ (this is not intended to be a complete list of possible options)
The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed (with digital records, we turned to the experts at MIT, who recommend a couple of ways to securely erase digital information, including using software tools or destroying the disk entirely);
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
  - reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule,
  - obtaining information about the disposal company from several references,
  - requiring that the disposal company be certified by a recognized trade association.
The FTC standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.
Although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the FTC encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures.
When can you dispose of the information?
There isn’t a set standard defining when you need to dispose of the information from a consumer report. However, the FTC and EEOC stated the following in a joint report:
Any personnel or employment records you make or keep (including all application forms, regardless of whether the applicant was hired, and other records related to hiring) must be preserved for one year after the records were made, or after a personnel action was taken, whichever comes later. (The EEOC extends this requirement to two years for educational institutions and for state and local governments. The Department of Labor also extends this requirement to two years for federal contractors that have at least 150 employees and a government contract of at least $150,000.) If the applicant or employee files a charge of discrimination, you must maintain the records until the case is concluded.
Once you’ve satisfied all applicable record-keeping requirements, you may dispose of any background reports you received. However, the law requires that you dispose of the reports – and any information gathered from them – securely. That can include burning, pulverizing, or shredding paper documents and disposing of electronic information so that it can’t be read or reconstructed.
For more information, see Disposing of Consumer Report Information? Rule Tells How.
It is important to consult with a labor attorney regarding how long you should keep consumer reports and when to legally dispose of them.
If you are conducting employment background checks, you will need to adhere to the FTC’s Disposal Rule. Hopefully, this article has provided you with a better understanding regarding the information that falls under the FTC Disposal Rule, how and when to dispose of it, and where to get more information.
For further information, the FTC has a great web page set up outlining recommendations about “proper” disposal. You can check it out here: https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how