In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, a federal rule requires businesses and landlords to take certain protective measures to dispose of sensitive information derived from consumer reports. Any business or individual who uses a “consumer report” for a business purpose is subject to the requirements of this Disposal Rule. The Rule requires the “proper” disposal of information in consumer reports and records to protect against unauthorized access to or use of the information. The Federal Trade Commission (FTC) has the responsibility to enforce the Disposal Rule.
In a property management context, a consumer report includes tenant credit and other such reports generated by consumer credit reporting agencies (CRA’s), such as tent screening agency. A consumer report does not include information gathered directly by business for use by the business. Below, I have included more information about what constitutes a consumer report.
The FTC has indicated that the standard for the proper disposal of information derived from a consumer report is flexible, and allows organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology. Although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the FTC and this author both encourage those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures. In other words, treat all customer and client information as if they are subject to the Disposal Rule.
Who must comply?
The Disposal Rule applies to individuals, as well as large and small organizations, that use consumer reports. Among those who must comply with the Rule are:
• Consumer reporting companies
• Lenders
• Insurers
• Employers
• Landlords
• Government agencies
• Mortgage brokers
• Automobile dealers
• Attorneys or private investigators
• Debt collectors
• Individuals who obtain a credit report on prospective nannies, contractors, or tenants
• Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule.
What information does the Disposal Rule cover?
The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. Credit reports and credit scores are consumer reports. So are reports that businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history.
What is ‘proper’ disposal?
The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
• burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
• destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
• conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
o reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
o obtaining information about the disposal company from several references;
o requiring that the disposal company be certified by a recognized trade association;
o reviewing and evaluating the disposal company’s information security policies or procedures.
The FTC says that financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires (ftc.gov/privacy/privacyinitiatives/safeguards.html).
The Fair and Accurate Credit Transactions Act, which was enacted in 2003, directed the FTC, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Securities and Exchange Commission to adopt comparable and consistent rules regarding the disposal of sensitive consumer report information. The FTC’s Disposal Rule became effective June 1, 2005.