[Federal Register: November 24, 2004 (Volume 69, Number 226)]
[Rules and Regulations]
[Page 68689-68697]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr24no04-10]
[[Page 68689]]
-----------------------------------------------------------------------
Part V
Federal Trade Commission
-----------------------------------------------------------------------
16 CFR Part 682
Disposal of Consumer Report Information and Records; Final Rule
[[Page 68690]]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 682
RIN 3084-AA94
Disposal of Consumer Report Information and Records
AGENCY: Federal Trade Commission (FTC or Commission).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Fair and Accurate Credit Transactions Act of 2003 (``FACT
Act'' or ``Act'') requires the Federal Reserve Board, Office of the
Comptroller of the Currency, Federal Deposit Insurance Corporation,
Office of Thrift Supervision, National Credit Union Administration,
Securities and Exchange Commission, and Federal Trade Commission, in
coordination with one another, to adopt consistent and comparable rules
regarding the proper disposal of consumer report information and
records. This final rule implements this requirement.
DATES: This rule is effective on June 1, 2005.
FOR FURTHER INFORMATION CONTACT: Ellen Finn or Susan McDonald,
Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue,
NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
Statement of Basis and Purpose
I. Background
The Fair and Accurate Credit Transactions Act of 2003, Public Law
108-159, 117 Stat. 1952 (``FACT Act'' or ``Act'') was signed into law
on December 4, 2003. In part, the Act amends the Fair Credit Reporting
Act (``FCRA''), 15 U.S.C. 1681 et seq., by imposing a new requirement
on persons who possess or maintain, for a business purpose, consumer
information derived from consumer reports. The Act requires that ``any
person that maintains or otherwise possesses consumer information, or
any compilation of consumer information, derived from consumer reports
for a business purpose[,] properly dispose of any such information or
compilation.'' \1\
---------------------------------------------------------------------------
\1\ FACT Act section 216, 15 U.S.C. 1681w(a)(1).
---------------------------------------------------------------------------
The FACT Act directs the Commission to consult and coordinate with
other agencies in connection with promulgating rules regarding the
proper disposal of consumer report information and records.
Specifically, the Act directs the Commission to consult and coordinate
with the Federal banking agencies,\2\ the National Credit Union
Administration (``NCUA''), and the Securities and Exchange Commission
(``SEC'') so that the regulations prescribed by each agency are
consistent and comparable.\3\ Further, the Act directs the Commission
to ensure that the regulations are consistent with the requirements of
the Gramm-Leach-Bliley Act (``GLBA''), 15 U.S.C. 6081 et seq.\4\
---------------------------------------------------------------------------
\2\ The Federal Reserve Board of Governors, Office of the
Comptroller of the Currency, Federal Deposit Insurance Corporation,
and Office of Thrift Supervision.
\3\ 15 U.S.C. 1681w(a)(2)(A).
\4\ 15 U.S.C. 1681w(a)(2)(B).
---------------------------------------------------------------------------
The Commission has conferred and coordinated extensively with the
Federal banking agencies, the NCUA, and SEC to ensure that the agencies
promulgate regulations that are comparable and consistent with each
other and with the requirements of the GLBA.\5\ On April 16, 2004, the
Commission issued and sought comment on a proposed Rule implementing
the requirements of section 216 of the FACT Act (the proposed Rule).\6\
On July 8, 2004, the Commission supplemented its initial notice of
proposed rulemaking (NPR), and sought comment on, a supplemental
initial regulatory flexibility analysis (supplemental IRFA).\7\ The
supplemental IRFA was intended to provide additional information to
assist small businesses in commenting on the impact, if any, the final
Rule will have on such businesses. In response to both the NPR and the
supplemental IRFA, the Commission received 58 comments from a variety
of trade associations, businesses, consumer advocacy groups, and
individuals. After carefully considering the comments received, the
Commission adopts the proposed rule with only minor modifications
described later in this notice.
---------------------------------------------------------------------------
\5\ The Federal banking agencies, NCUA, and SEC have proposed to
implement Sec. 216 of the FACT Act by amending their existing
guidelines and rules on information security previously issued to
implement section 501(b) of the GLBA. However, because the entities
subject to the FTC's jurisdiction under the FACT Act and the GLBA
are overlapping but not coextensive, the Commission has chosen to
adopt a separate rule to implement Sec. 216 of the FACT Act.
Despite this difference in form, the substance of the rules is
comparable and consistent.
\6\ The notice of proposed rulemaking and proposed Rule were
published in the Federal Register on April 20, 2004. 69 FR 21387.
\7\ The supplemental IRFA was published in the Federal Register
on July 8, 2004. 69 FR 41219.
---------------------------------------------------------------------------
Like the proposed rule, the final rule requires that persons over
which the FTC has jurisdiction who maintain or otherwise possess
consumer information for a business purpose properly dispose of such
information by taking reasonable measures to protect against
unauthorized access to or use of the information in connection with its
disposal. It also includes several examples, including one new and two
slightly revised examples, of what the Commission believes constitute
reasonable measures to protect consumer information in connection with
its disposal. These examples are intended to provide covered entities
with guidance on how to comply with the rule but are not intended to be
safe harbors or exclusive methods for complying with the rule.
In addition, the final rule maintains the flexible ``reasonable
measures'' standard of the proposed rule. The FTC realizes that there
are few foolproof methods of records destruction and that entities
covered by the rule must consider their own unique circumstances when
determining how to best comply with the rule.
Finally, the final rule extends the effective date of the rule from
three months to six months following publication in the Federal
Register.
II. Overview of Comments Received
The Commission received 58 comments on the proposed rule, five of
which were in response to the supplemental IRFA.\8\ The vast majority
of these comments were from industry trade organizations \9\ and the
business community.\10\ Consumer advocacy groups,\11\ individual
consumers, and one Senator\12\ also submitted
comments on the proposed rule.
---------------------------------------------------------------------------
\8\ The public comments relating to this rulemaking may be
viewed at http://www.ftc.gov/os/comments/disposal/index.htm (proposed Rule) and at http://www.ftc.gov/os/comments/disposal-supplement/index.htm
(supplemental IRFA). The Commission considered
all comments received on or before the close of the comment periods
on June 15, 2004, for the proposed rule and on July 30, 2004, for
the supplemental analysis. Citations to comments filed in this
proceeding are made to the name of the organization (if any) or the
last name of the commenter, and the comment number of record.
\9\ These included the Consumer Data Industry Association (CDIA)
(the trade association that represents the nationwide consumer
reporting agencies and a variety of other consumer reporting
agencies), the American Insurance Association, America's Community
Bankers, ACA International (representing debt collection agencies
and other accounts receivable professionals), ARMA International
(the association of information management professionals), the
National Association of Realtors, the Consumers Bankers Association,
the Credit Union National Association (CUNA), the Michigan Credit
Union League, the National Independent Automobile Dealers
Association, the Software & Information Industry Association (SIIA),
the Pennsylvania Credit Union Association, the National Association
of Professional Background Screeners, the National Association for
Information Destruction, Inc. (NAID) (a trade association for the
information destruction industry) and the Coalition to Implement the
FACT Act (representing trade associations and companies that
furnish, use, collect, and disclose consumer information).
\10\ These included financial institutions, such as Bank of
America Corporation, Countrywide Home Loans, Elgin Bank of Texas,
MasterCard International Incorporated, MBNA America Bank, N.A.,
Virginia Credit Union, Inc. and Visa U.S.A.; credit reporting
agencies, such as Equifax Information Services LLC, Experian
Information Solutions, Inc., and Trans Union LLC; and information
management and destruction firms, including AccuShred, LLC, Allshred
Services, Inc., Community Shredders, IndyShred, PRISM International,
Reclamere, Inc., SECURE Eco Shred, and Shred-it Orlando.
\11\ These included Consumers Union and the Privacy Rights
Clearinghouse, which was joined in its comments by Consumer Action,
the Consumer Federation of California, the Identity Theft Resource
Center, Privacy Activism, and the Worldwide Privacy Forum.
\12\ Senator Bill Nelson (D-FL).
---------------------------------------------------------------------------
The Commission received comments on nearly all of the provisions
contained in the proposed rule. Most commenters, including consumers,
businesses, and industry representatives, expressed general support for
a rule requiring the proper disposal of consumer information. Many
commenters noted that numerous companies that possess or maintain
consumer report information already have programs in place to ensure
the information's proper disposal, either as a matter of sound business
practice or pursuant to other legal requirements. In general,
commenters stated that they believed that the proposed rule would help
combat fraud, such as identity theft. Indeed, some commenters urged the
Commission to adopt provisions that extend beyond what the FACT Act
provides in order to combat identity theft by, for example, expanding
the scope of information covered under the rule to include payroll
records and credit card receipts \13\ or all information stored in the
same file as consumer report information.\14\
---------------------------------------------------------------------------
\13\ See Comment, IndyShred 15.
\14\ See Comment, NAID 48.
---------------------------------------------------------------------------
The majority of commenters focused on the proposed rule's standard
for disposal and definitions of ``consumer information'' and
``disposal.'' Most commenters expressed support for the proposed rule's
``reasonable measures'' standard for disposal. Commenters supporting
the standard noted that its flexibility would allow covered persons to
make decisions appropriate to their particular circumstances and that a
more specific or uniform standard would be unrealistic, unnecessarily
costly, and insufficiently flexible to deal with the broad range of
entities subject to the final rule.\15\ One consumer advocacy group
stated that a more specific minimum standard is needed to ensure that
all businesses implement adequate disposal practices; \16\ another
commenter suggested that the final rule should require covered persons
to adopt formal, written information retention and disposal
programs.\17\
---------------------------------------------------------------------------
\15\ See, e.g., Comment, Equal Employment Advisory Council 26;
Comment, National Automobile Dealers Association 52; Comment,
Mastercard 29; Comment, Equifax 54; Comment, Consumer Bankers
Association 53; Comment, Coalition to Implement the FACT Act 64.
\16\ See Comment, Consumers Union 8; see also Comment, Gercken 14.
\17\ See Comment, ARMA International 35.
---------------------------------------------------------------------------
In general, commenters also approved of the definitions of
``consumer information'' and ``disposal,'' \18\ but some suggested
minor clarifications.\19\ These comments are addressed more fully
below.
---------------------------------------------------------------------------
\18\ See, e.g., Comment, CUNA 22; Comment, Visa U.S.A. 23; Comment,
Consumer Bankers Association 53; Comment, CDIA 46.
\19\ See, e.g., Comment, CUNA 22; Comment, Equifax 54; Comment,
Michigan Credit Union League 58; Comment, TransUnion 44; Comment,
Mastercard 29; Comment, Consumer Bankers Association 53; Comment,
Coalition to Implement the FACT Act 64; Comment, MBNA 19; Comment,
Visa U.S.A. 23; Comment, American Financial Services Association 33;
Comment, CDIA 46; Comment, Bank of America 51.
---------------------------------------------------------------------------
In addition, the Commission received comments from industry
representatives and financial institutions on the scope of the proposed
rule. In general, these commenters stated that, for various reasons,
consumer reporting agencies and other entities already subject to the
Gramm-Leach-Bliley Act and the Commission's implementing Safeguards
Rule \20\ should not also be subject to the Disposal Rule.\21\ Among
other things, these commenters expressed concern that attempting to
comply with multiple standards would engender uncertainty and possibly
higher costs among persons covered by both rules. Commenters
representing the records management and disposal industries \22\ also
expressed concern that the proposed rule would impose direct liability
on such service providers for failing to properly dispose of records
even when they have no contractual arrangements with the record owners
requiring or paying them to do so. The Commission also received a
comment from the U.S. Senator who introduced Section 216,\23\ which
stated that the scope of the proposed rule closely followed
Congressional intent. These comments are addressed more fully below.
---------------------------------------------------------------------------
\20\ 16 CFR part 314.
\21\ See, e.g., Comment, Experian 59; Comment,
TransUnion 44; Comment, Mastercard 29; Comment,
Equifax 54.
\22\ See, e.g., Comment, PRISM International 21;
Comment, NAID 49.
\23\ See Comment, Senator Bill Nelson 55.
---------------------------------------------------------------------------
Overall, commenters were in favor of including examples of proper
disposal methods in the final rule. Some commenters requested further
clarification regarding the example involving garbage collectors.\24\
Other commenters requested clarification as to whether the examples are
minimum requirements, safe harbors, or simply illustrative
guidance.\25\ The Commission also received comments that discussed the
effective date of the proposed rule. Numerous commenters requested that
the period between issuance of the final rule and the effective date be
lengthened.\26\
---------------------------------------------------------------------------
\24\ See, e.g., Comment, CDIA 46; Comment, Equifax
54; Comment, NAID 49.
\25\ See, e.g., Comment, Mastercard 29; Comment,
American Insurance Association 50.
\26\ See, e.g., Comment, Experian 59 (6 months); Comment, TransUnion
44 (6 months); Comment, Equifax 54 (6 months); Comment, American
Financial Services Association 33 (6 months); Comment, American
Insurance Association 50 (12 months); Comment, Consumer Bankers
Association 53 (12 months); Comment, CDIA 46 (6 months); Comment,
National Automobile Dealers Association 52 (9 months); Comment,
Coalition to Implement the FACT Act 64 (6 months).
---------------------------------------------------------------------------
Finally, most commenters who addressed small business concerns
stated that the proposed rule would not create any undue burden for
small businesses. These commenters cited the proposed rule's flexible
``reasonable methods'' standard, which would allow covered persons to
minimize costs, and the fact that the proposed rule would not impose
new record keeping requirements, as the major factors that would
alleviate any burdens on small businesses.\27\
---------------------------------------------------------------------------
\27\ See, e.g., Comment, National Automobile Dealers Association
52; Comment, Mastercard 29; Comment, Consumer
Bankers Association 53; Comment, Coalition to Implement the
FACT Act 64.
---------------------------------------------------------------------------
III. Section-by-Section Analysis
Section 682.1: Definitions
Section 682.1(a) provides that, unless otherwise stated, terms used
in the Disposal Rule have the same meaning as set forth in the Fair
Credit Reporting Act, 15 U.S.C. 1681 et seq. Thus, for example, the
term ``consumer report'' as used in the Disposal Rule has the same
meaning as the term ``consumer report'' elsewhere in the FCRA. See 15
U.S.C. 1681a(d) (defining ``consumer report''). The Commission received
no comments suggesting changes to this provision, and it is adopted as
proposed.
Consumer Information
The proposed rule defined ``consumer information'' as any record
about an individual, whether in paper, electronic, or other form, that
is a consumer report or is derived from a consumer report. The NPR
stated that the phrase ``derived from consumer reports'' would cover
all of the information about a consumer that is derived from any consumer
report(s), including information taken from a consumer report,
information that results in whole or in part from manipulation of
information taken from a consumer report, and information that has been
combined with other types of information. Further, the NPR explained
that because the definition of ``consumer information'' refers to
records ``about an individual,'' information that does not identify
particular consumers would not be covered under the rule. The
Commission received a variety of comments requesting clarification or
modification of this definition of consumer information.
One consumer advocacy group requested that the definition include
compilations of consumer information.\28\ Although the proposed rule
already proposed to cover compilations of consumer information by
referring to compilations in the scope and standard sections of the
rule, the Commission agrees that it would be clearer to include
compilations in the definition of consumer information itself.
Therefore, it has modified the definition of consumer information to
include compilations.
---------------------------------------------------------------------------
\28\ Comment, Consumers Union 8.
---------------------------------------------------------------------------
Commenters were uniformly supportive of the proposed rule's
application only to information that identifies particular
individuals,\29\ but many requested that the rule be more explicit on
this point.\30\ In response to these comments, and in order to provide
additional guidance and clarity, the Commission has added language to
the rule emphasizing that information that does not identify
individuals, such as aggregate information or blind data, is not
covered by the definition of consumer information.\31\
---------------------------------------------------------------------------
\29\ See, e.g., Comment, MBNA 19; Comment, Visa U.S.A.
23; Comment, Equal Employment Advisory Council 26;
Comment, TransUnion 44; Comment, Mastercard 29;
Comment, Equifax 54; Comment, American Financial Services
Association 33; Comment, Consumer Bankers Association
53; Comment, CDIA 46; Comment, Bank of America 51; Comment, Coalition
to Implement the FACT Act 64.
\30\ See, e.g., Comment, MBNA 19; Comment, Visa U.S.A.
23; Comment, TransUnion 44; Comment, Equifax
54; Comment, American Financial Services Association
33; Comment, CDIA 46; Comment, Bank of America
51.
\31\ The terms ``aggregate information'' and ``blind data'' as
used in the rule are intended to have the same meaning as in Sec.
313.3(o)(2)(ii)(B) of the Commission's GLBA Rule regarding the
Privacy of Consumer Financial Information, 16 CFR part 313.
---------------------------------------------------------------------------
Commenters also sought guidance on the kinds of information that
would be considered to identify particular individuals.\32\ The
Commission believes that there are a variety of personal identifiers
beyond simply a person's name that would bring information within the
scope of the rule, including, but not limited to, a social security
number, driver's license number, phone number, physical address, and e-
mail address. The Commission has not included a rigid definition in the
final rule, however, because, depending upon the circumstances, data
elements that are not inherently identifying can, in combination,
identify particular individuals.\33\
---------------------------------------------------------------------------
\32\ See, e.g., Comment, Consumers Union 8; Comment,
MBNA 19; Comment, Equifax 54; Comment, Senator
Bill Nelson 55; Comment, Privacy Rights Clearinghouse
39; Comment, Michigan Credit Union League 58.
\33\ See Comment, Consumers Union 8; Comment, Privacy
Rights Clearinghouse 39.
---------------------------------------------------------------------------
A number of commenters also requested that certain categories of
information be excluded from the definition of consumer information.
These include credit header information,\34\ publicly available
information,\35\ and ``non-sensitive'' information.\36\ Although credit
header information, which includes name, address, and social security
number, is not itself a consumer report, it is generally derived from a
consumer report and, therefore, within the universe of information
covered by section 216 of the FACT Act. Similarly, public record
information is often part of consumer reports and therefore falls
within the scope of information Congress intended to cover. With
respect to ``non-sensitive'' information, the Commission notes that
persons subject to the Disposal Rule may always consider the
sensitivity of the consumer information at issue in determining what
disposal measures are reasonable under the circumstances.
---------------------------------------------------------------------------
\34\ See, e.g., Comment, Equifax 54.
\35\ See, e.g., Comment, National Independent Automobile Dealers
Association 53.
\36\ See, e.g., Comment, America's Community Bankers
24; Comment, Mastercard 29.
---------------------------------------------------------------------------
Finally, some commenters suggested that recipients of information
about consumers may not always know whether the information they
receive was derived from a consumer report.\37\ They suggested,
therefore, that the definition of ``consumer information'' be limited
to information that a person knows to be derived from a consumer
report.\38\
---------------------------------------------------------------------------
\37\ See, e.g., Comment, Consumer Bankers Association 53; Comment,
Coalition to Implement the FACT Act 64.
\38\ See, e.g., Comment, Mastercard 29; Comment, American Financial
Services Association 33; Comment, Consumer Bankers Association 53;
Comment, Coalition to Implement the FACT Act 64.
---------------------------------------------------------------------------
In response to these comments, the Commission notes that knowledge
is not an element or a prerequisite to the duty to comply with either
the FACT Act or the Disposal Rule. Nevertheless, the Commission also
notes that in most, if not all, circumstances covered by the rule,
covered entities will or should know if they possess consumer
information. First, in most circumstances under the FCRA, a person who
obtains a consumer report may use that information only for the
specific permissible purpose for which it was obtained. In such
circumstances, the person who possesses the information should clearly
be aware that it is a consumer report.
Second, when consumer information is transferred to a service
provider or shared between affiliates following consumer notice and
opportunity to opt-out,\39\ the Commission believes that, in light of
the nature of the relationship and information sharing practices
between such parties, service providers and affiliates generally will
or should know when they have been provided with covered consumer
information. Moreover, the Commission believes that, for persons
subject to the rule, identifying consumer information when providing it
to service providers or affiliates is one ``reasonable measure'' to
ensure that the information will be disposed of properly in accordance
with the rule.\40\ For these reasons, the Commission has not modified
the definition as requested by the comments.
---------------------------------------------------------------------------
\39\ See FCRA Sec. 603(d)(2)(A)(iii), 15 U.S.C.
1681a(d)(2)(A)(iii).
\40\ Example 3 of the final rule, which is discussed further
below, illustrates this point as to service providers.
---------------------------------------------------------------------------
Disposal
Proposed section 682.1(c) defined ``disposing'' or ``disposal'' to
include the discarding or abandonment of consumer information, as well
as the sale, donation, or transfer of any medium, including computer
equipment, upon which consumer information is stored. The NPR noted
that the sale, donation, or transfer of consumer information, by
itself, would not be considered ``disposal'' under this definition.\41\
---------------------------------------------------------------------------
\41\ A number of industry commenters requested an explicit
statement to this effect in the rule. See, e.g., Comment, America's
Community Bankers 24; Comment, TransUnion 44;
Comment, Mastercard 29; Comment, Consumer Bankers
Association 53; Comment, NAID 49; Comment,
Coalition to Implement the FACT Act 64. The Commission has
not added such a statement to the final Rule because of its clear
statement in the NPR, which it reaffirms here, that the sale,
donation, or transfer of consumer information, by itself, does not
constitute ``disposal'' under the Rule's definition. Of course, the
FCRA's restrictions on the sale and use of consumer information are
still applicable even when such information is sold, donated, or
transferred in a manner that would not amount to ``disposal'' under
this Rule.
---------------------------------------------------------------------------
[[Page 68693]]
Some commenters suggested that the definition should state what
disposal ``means'' as opposed to what it ``includes.''\42\ The
Commission agrees and has adopted this change in the final rule.
---------------------------------------------------------------------------
\42\ See, e.g., Comment, TransUnion 44; Comment, Mastercard 29;
Comment, Consumer Bankers Association 53; Comment, Coalition to
Implement the FACT Act 64.
---------------------------------------------------------------------------
One commenter also suggested that the definition of disposal as
``the sale, donation, or transfer of any medium, including computer
equipment, upon which consumer information is stored'' is not
sufficiently broad with respect to the media and equipment covered.\43\
This commenter suggested adding language specifically including
computer media and other non-paper media and equipment. The Commission
believes that the definition of disposal as proposed, which includes
``any medium * * * upon which consumer information is stored,'' is
sufficiently broad to capture the materials of concern to the
commenter.
---------------------------------------------------------------------------
\43\ See Comment, Consumers Union 8.
---------------------------------------------------------------------------
Section 682.2: Purpose and Scope
Proposed section 682.2(a) set forth the purpose of the proposed
Disposal Rule, which is to reduce the risk of consumer fraud and
related harms, including identity theft, created by improper disposal
of consumer information. The Commission received no comments suggesting
changes to this provision, and it is adopted as proposed.
Proposed section 682.2(b), which tracks the language of section 216
of the FACT Act, sets forth the scope of the proposed Disposal Rule.
The rule applies to ``any person over which the Federal Trade
Commission has jurisdiction, that, for a business purpose, maintains or
otherwise possesses consumer information, or any compilation of
consumer information.'' The preamble to the proposed rule noted that
the Commission reads ``for a business purpose'' broadly to include all
business reasons for which a person may possess or maintain consumer
information. As a result, the rule covers any person that possesses or
maintains consumer information other than an individual consumer who
has obtained his or her own consumer report or file disclosure.
As noted in the preamble to the proposed rule, among the entities
that possess or maintain consumer information for a business purpose
are consumer reporting agencies, as well as lenders, insurers,
employers, landlords, government agencies, mortgage brokers, automobile
dealers, and other users of consumer reports. In fact, all of the
permissible purposes listed in Sec. 604 of the FCRA would be
considered business purposes under the rule.
The Commission received a number of financial industry comments
arguing that the Disposal Rule should not apply to financial
institutions subject to the Gramm-Leach-Bliley Act and the Commission's
implementing Safeguards Rule.\44\ These commenters' primary argument is
that because the Safeguards Rule already covers information disposal,
subjecting financial institutions to the Disposal Rule is unnecessary.
Additionally, commenters expressed concern that attempting to comply
with multiple standards would engender uncertainty and possibly higher
costs among persons covered by both rules.
---------------------------------------------------------------------------
\44\ See, e.g., Comment, Experian 59; Comment, TransUnion 44;
Comment, Mastercard 29; Comment, Equifax 54.
---------------------------------------------------------------------------
As the Commission stated in its Notice of Proposed Rulemaking, the
coverage of the proposed Disposal Rule is different from that of the
Commission's Safeguards Rule. In addition to covering a different (but
overlapping) set of entities, the proposed Disposal Rule and the
Safeguards Rule apply to different sets of information. Compare 16 CFR
314.1(b) (describing scope of ``customer information'' covered by
Safeguards Rule) with Proposed Disposal Rule Sec. Sec. 682.1(b) &
682.2(b) (defining scope of ``consumer information'' subject to
proposed Disposal Rule).\45\ As a result, the Commission believes that
it is important to cover financial institutions under the Disposal Rule
in order to ensure that the full range of information covered by
section 216 of the FACT Act is properly protected in connection with
its disposal. In addition, the plain language of section 216 of the
FACT Act supports coverage of financial institutions.
---------------------------------------------------------------------------
\45\ For example, a consumer who applies for a loan from a
financial institution, but is rejected based on information in her
credit report is not a ``customer'' of the financial institution
under the GLBA and her credit report would therefore not be
protected by the Safeguards Rule; however, her credit report would
be ``consumer information'' under the Disposal Rule. Credit reports
obtained about employees or prospective employees are also not
``customer'' information covered under the GLBA, but would be
``consumer information'' under the Disposal Rule.
---------------------------------------------------------------------------
In response to the commenters' concerns about the potential burdens
imposed on persons covered by both the Safeguards Rule and Disposal
Rule, the Commission notes that the substantive requirements of both
rules are consistent with respect to disposal. Although the Safeguards
Rule focuses on comprehensive information security and the Disposal
Rule more narrowly on disposal, both incorporate flexible, risk-based
standards that require reasonable measures to protect against
unauthorized access to or use of information. As a result, compliance
with the standards of the Disposal Rule will constitute compliance with
the disposal obligations under the Safeguards Rule. Thus, companies
should easily be able to develop approaches that satisfy the
requirements of both rules without undue burdens or costs.\46\
Accordingly, section 682.2(b) is adopted as proposed.
---------------------------------------------------------------------------
\46\ Example 5 also illustrates that, for financial institutions
subject to the Safeguards Rule, incorporation of the requirements of
this rule into the information security program required by the
Safeguards Rule constitutes compliance with this rule.
---------------------------------------------------------------------------
Section 682.3: Proper Disposal of Consumer Information
Under the proposed rule, any person that maintains or otherwise
possesses consumer information would be required to ``take reasonable
measures to protect against unauthorized access to or use of the
information in connection with its disposal.'' Recognizing that there
are few foolproof methods of record destruction, the NPR stated that
the proposed rule would not require covered persons to ensure perfect
destruction of consumer information in every instance; rather, it
requires covered entities to take reasonable measures to protect
against unauthorized access to or use of the information in connection
with its disposal. In determining what measures are ``reasonable''
under the rule, the Commission stated in the NPR that it expects that
entities covered by the rule would consider the sensitivity of the
consumer information, the nature and size of the entity's operations,
the costs and benefits of different disposal methods, and relevant
technological changes. The Commission also noted that ``reasonable
measures'' are very likely to require elements such as the
establishment of policies and procedures governing disposal, as well as
appropriate employee training.
The vast majority of commenters supported this flexible standard
for disposal.\47\ Commenters noted that the
[[Page 68694]]
standard will allow covered persons to make decisions appropriate to
their particular circumstances;\48\ minimize the costs of compliance,
particularly for small businesses;\49\ and harmonize the Disposal Rule
with the requirements of the Commission's Safeguards Rule.\50\
Accordingly, the basic standard for disposal has been adopted as
proposed.
---------------------------------------------------------------------------
\47\ See, e.g., Comment, National Association of Professional
Background Screeners 7; Comment, MBNA 19; Comment,
Experian 59; Comment, CUNA 22; Comment, Visa
U.S.A. 23; Comment, Equal Employment Advisory Council
26; Comment, TransUnion 44; Comment, National
Independent Automobile Dealers Association 53; Comment,
Mastercard 29; Comment, Equifax 31; Comment,
Consumer Bankers Association 53; Comment, CDIA 46;
Comment, NAID 49; Comment, Bank of America 51;
Comment, National Automobile Dealers Association 52;
Comment, SIIA 56; Comment, Michigan Credit Union League
58; Comment, Coalition to Implement the FACT Act
64.
\48\ See, e.g., Comment, National Independent Automobile Dealers
Association 53; Comment, Mastercard 29; Comment,
Consumer Bankers Association 36; Comment, Coalition to
Implement the FACT Act 64.
\49\ See, e.g., Comment, Equal Employment Advisory Council
26; Comment, Equifax 31.
\50\ See, e.g., Comment, MBNA 19; Comment, Visa U.S.A.
23; Comment, Coalition to Implement the FACT Act
64.
---------------------------------------------------------------------------
In order to provide additional clarity, the proposed rule also
included examples intended to provide guidance on disposal measures
that would be reasonable under the rule. Generally, commenters found
the examples to be helpful. Although some commenters suggested treating
the examples as minimum requirements,\51\ many commenters approved of
the examples remaining as illustrative guidance only and, in fact,
requested a more explicit statement to that effect in the rule
itself.\52\ The Commission continues to believe that these examples
should be illustrative only, not exhaustive, because they cannot take
into account a particular entity's unique circumstances. In order to
make this clear, the Commission has added language to the rule stating
explicitly that ``These examples are illustrative only and are not
exclusive or exhaustive methods for complying with this rule.''
---------------------------------------------------------------------------
\51\ See, e.g., Comment, Consumers Union 8; Comment,
NAID 49; Comment, Privacy Rights Clearinghouse 39.
\52\ See, e.g., Comment, CUNA 22; Comment, Mastercard
29; Comment, Countrywide Home Loans 43; Comment,
Michigan Credit Union League 58.
---------------------------------------------------------------------------
Finally, commenters expressed concern that the final example, which
addresses what would be ``reasonable measures'' for a disposal service
provider or traditional garbage collector, is confusing with respect to
the obligations of both service providers and the record owners who
transfer consumer information to them.\53\ In particular, commenters
representing the records management and disposal industries pointed out
that service providers are frequently not in a position to make
independent determinations as to whether information they possess is,
or was derived from, a consumer report.\54\ In addition, these
commenters argued that imposing direct liability for disposal on a
service provider may allow, and even create incentives for, record
owners to ``dump'' covered materials on service providers without
paying for the proper destruction required by the rule.\55\ These
commenters suggest that service providers should be liable for
violations of the rule only if the service provider (1) has been
notified that the information it possesses is consumer information as
defined in the rule; and (2) has entered into a written contract to
dispose of such information in accordance with this rule.\56\
---------------------------------------------------------------------------
\53\ See, e.g., Comment, CDIA 46; Comment, Equifax
54; Comment, NAID 49.
\54\ Comment, PRISM International 21; Comment, NAID
49.
\55\ Comment, PRISM International 21; Comment, NAID
49.
\56\ Comment, PRISM International 21; Comment, NAID
49.
---------------------------------------------------------------------------
The Commission has addressed these commenters' concerns by revising
the rule's examples to clarify what the ``reasonable measures''
standard requires when information is transferred or otherwise provided
to service providers. First, the Commission has deleted the ``garbage
collector'' example that caused some confusion. Second, the Commission
has revised Example 3 so that it explicitly contemplates that a record
owner would tell a service provider when it is providing the service
provider with consumer information.\57\ Thus, as revised, Example 3
illustrates that, if a record owner transfers or otherwise provides
consumer information to a service provider, the ``reasonable measures''
standard will generally require a record owner to take reasonable steps
to select and retain a service provider that is capable of properly
disposing of the consumer information at issue; notify the service
provider that such information is consumer information; and enter into
a contract that requires the service provider to dispose of such
information in accordance with this rule. This example clarifies record
owners' responsibilities with respect to service providers while also
ensuring that service providers have the information required, and make
the arrangements needed, to fulfill their responsibilities under the
rule. The Commission also notes that Example 3 harmonizes this aspect
of the Disposal Rule with the Commission's GLBA Safeguards Rule which
contains analogous requirements.
---------------------------------------------------------------------------
\57\ Although the example involves a disposal service provider,
the measures it contemplates would also generally be reasonable with
respect to other types of service providers.
---------------------------------------------------------------------------
Under the final rule, service providers continue to be covered,
and, therefore, along with the record owner, bear responsibility for
proper disposal of consumer information that they maintain or otherwise
possess. In evaluating a service provider's compliance with this rule,
however, a record owner's failure to provide notice or contract for
disposal in accordance with the requirements of the rule will be
strongly considered. Other factors relevant to a service provider's
liability and the ``reasonableness'' of its action include actual or
constructive knowledge of the nature of the consumer information, the
course of dealing between the service provider and record owner, and,
consistent with the rule's overall ``reasonableness'' standard, the
sensitivity of the consumer information, the nature and size of the
service provider's operations, and the costs and benefits of different
disposal methods.
The Commission also received a number of comments concerning the
relationship between the Disposal Rule and Safeguards Rule. Many of
these commenters requested an explicit statement in the rule that, for
financial institutions subject to the Safeguards Rule, incorporation of
the requirements of this rule into the information security program
required by the Safeguards Rule constitutes compliance with this
rule.\58\ The Commission has added an Example 5 to illustrate this
point.
---------------------------------------------------------------------------
\58\ See, e.g., Comment, MBNA 19; Comment, America's
Community Bankers 24; Comment, American Financial Services
Association 33; Comment, Bank of America 51.
---------------------------------------------------------------------------
Lastly, one commenter expressed concern that the phrase ``in
connection with its disposal'' could be read to require reasonable
measures to protect against unauthorized access or use of consumer
information during the disposal process, but not following it.\59\ The
Commission intends the phrase ``in connection with its disposal'' to
mean both during and after the disposal process.
---------------------------------------------------------------------------
\59\ Comment, Consumers Union 8.
---------------------------------------------------------------------------
Section 682.4: Relation to Other Laws
Proposed section 682.4(a) made clear that nothing in the rule is
intended to create a requirement that a person maintain or destroy any
record pertaining to a consumer. The proposed rule also stated that the
rule is not intended to affect any requirement imposed under any other
provision of law to maintain or destroy such records. The Commission
received no comments
[[Page 68695]]
suggesting changes to this provision, and it is adopted as proposed.
Section 682.5: Effective Date
The Commission initially proposed to make the Disposal Rule
effective 3 months after the publication of the final rule. Although
some commenters supported a 3-month effective date,\60\ the majority of
commenters requested a longer effective date in order to allow covered
entities to develop and implement appropriate disposal procedures or to
research and contract with service providers.\61\ These commenters
suggested time periods ranging from 6 to 12 months after the
publication of the final rule. After considering the comments and
balancing the need for protections against the need to allow covered
entities sufficient time to come into compliance, the Commission has
extended the effective date to be 6 months after publication of the
final rule.
---------------------------------------------------------------------------
\60\ See, e.g., Comment, CUNA 22.
\61\ See, e.g., Comment, Experian 59; Comment,
TransUnion 44; Comment, National Independent Automobile
Dealers Association 53; Comment, Equifax 54;
Comment, American Financial Services Association 33;
Comment, American Insurance Association 50; Comment, Consumer
Bankers Association 53; Comment, CDIA 46; Comment,
National Automobile Dealers Association 52; Comment,
Coalition to Implement the FACT Act 64.
---------------------------------------------------------------------------
IV. Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612,
requires that the Commission provide an Initial Regulatory Flexibility
Analysis (``IRFA'') with a proposed rule and a Final Regulatory
Flexibility Analysis (``FRFA''), with the final rule, unless the
Commission certifies that the Rule will not have a significant economic
impact on a substantial number of small business entities. For the
majority of entities subject to the rule, a small business entity is
defined by the Small Business Administration as one whose average
annual receipts do not exceed $6 million or that has fewer than 500
employees.\62\
---------------------------------------------------------------------------
\62\ 5 U.S.C. 603-605. These numbers represent the size
standards for most retail and service industries ($6 million total
receipts) and manufacturing industries (500 employees). A list of
the SBA's size standards for all industries can be found at
http://www.sba.gov/size/summary-whatis.html.
---------------------------------------------------------------------------
The Commission hereby certifies that the final rule will not have a
significant economic impact on a substantial number of small business
entities. The rule applies to ``any person that, for a business
purpose, maintains or otherwise possesses consumer information, or any
compilation of consumer information.'' As discussed in the NPR and in
the supplemental IRFA, any company, regardless of industry or size,
that possesses or maintains consumer information for a business purpose
would be subject to the rule. Therefore, small entities across almost
every industry could potentially be subject to the rule. However, as
discussed in more detail below, many small entities subject to the rule
are already subject to the GLBA Safeguards Rule,\63\ which contains
requirements similar to those in the rule. As a result, the marginal
cost of compliance with the Disposal Rule for these businesses is
likely to be minimal.
---------------------------------------------------------------------------
\63\ 16 CFR part 314.
---------------------------------------------------------------------------
The Commission is unaware of any data concerning the frequency with
which other small businesses obtain consumer reports. As a result, it
is not possible to determine precisely how often small businesses would
be required to undertake compliance efforts. In the July 8, 2004,
supplemental IRFA, 69 FR 41219, the Commission asked several questions
related to the existence, number, and nature of small business entities
covered by the proposed rule, as well as the economic impact of the
proposed rule on such entities. The Commission received five comments
in response to its supplemental IRFA,\64\ three of which addressed the
small business issues raised. These comments, which are discussed in
more detail below, were generally supportive of the rule as it applies
to small businesses.\65\
---------------------------------------------------------------------------
\64\ Supplemental Comments were received from the NAID, the
National Association of Realtors (NAR), the American Bankers'
Association, ACRAnet, and an individual commenter.
\65\ See, e.g., Supp. Comment, NAID 6; Supp. Comment,
Ms. Lisa Beavers 2; Supp. Comment, NAR 3.
---------------------------------------------------------------------------
The Commission continues to believe that a precise estimate of the
number of small entities that fall under the rule is not currently
feasible. However, based on the comments received and the Commission's
own experience and knowledge of industry practices, the Commission also
continues to believe that the cost and burden to small business
entities complying with the rule is minimal and that the final rule
will not have a significant impact on a substantial number of small
entities. This document serves as notice to the Small Business
Administration of the Commission's certification of no effect.
Nonetheless, the Commission has decided to publish a Final Regulatory
Flexibility Analysis with this final Rule. Therefore, the Commission
has prepared the following analysis:
A. Need for and Objectives of the Rule
Section 216 of the FACT Act requires the Commission to issue
regulations regarding the proper disposal of consumer information in
order to prevent sensitive financial and personal information from
falling into the hands of identity thieves or others who might use the
information to victimize consumers. In this action, the Commission
promulgates a final rule to fulfill the statutory mandate. The rule is
authorized by and based upon section 216 of the FACT Act.
B. Significant Issues Raised by Public Comments
On July 8, 2004, the Commission published a supplemental initial
regulatory flexibility analysis for notice of proposed rulemaking, 69
FR 41219, in which the Commission asked several questions related to
the existence, number, and nature of small business entities covered by
the proposed rule, as well as the economic impact of the proposed rule
on such entities. The Commission received five comments in response to
its supplemental IRFA,\66\ three of which addressed the small business
issues raised.\67\ These commenters all agreed that the rule should
apply to small businesses. One commenter praised the proposed rule's
reasonableness standard as ``provid[ing] ample flexibility for all
covered entities, large and small.''\68\ Another commenter cited the
low cost of compliance.\69\
---------------------------------------------------------------------------
\66\ The NAID, the NAR, the American Bankers' Association, and
two individual commenters.
\67\ The other two comments raised issues already considered
with respect to the rule generally.
\68\ Supp. Comment, NAID 6.
\69\ Supp. Comment, Beavers 2.
---------------------------------------------------------------------------
The Commission also received comments in response to the initial
NPR that addressed small business concerns. These comments were also
generally supportive of the proposed rule as it would apply to small
businesses. Many commenters supported the purpose for promulgating the
rule, and cited both the rule's flexible standard and the low costs of
shredders and disposal services as evidence that the compliance costs
to small businesses will be low.\70\
---------------------------------------------------------------------------
\70\ Comment, Virginia Credit Union, Inc. 10; Comment,
IndyShred 15; Comment, NAR 60; Comment, AccuShred,
LLC 45.
---------------------------------------------------------------------------
C. Small Entities to Which the Rule Will Apply
The Disposal Rule, which tracks the language of section 216 of the
FACT Act, applies to ``any person that, for a business purpose,
maintains or otherwise possesses consumer information, or any
compilation of consumer information.'' The entities
[[Page 68696]]
covered by the rule would include consumer reporting agencies,
resellers of consumer reports, lenders, insurers, employers, landlords,
government agencies, mortgage brokers, automobile dealers, waste
disposal companies, and any other business that possesses or maintains
consumer information. As explained in the NPR and supplemental IRFA,
any company, regardless of industry or size, that possesses or
maintains consumer information for a business purpose will be subject
to the rule. Therefore, numerous small entities across almost every
industry could potentially be subject to the rule.
Although it is impossible to identify every industry that may
possess or maintain consumer information \71\ for business purposes,
the Commission anticipates that, at a minimum, the small entities
within the finance and insurance industries are likely to be subject to
the rule. According to the Small Business Administration, there are
approximately 231,000 small businesses within these industries.\72\
Generally, these entities are already subject to the GLBA's Safeguards
Rule, which contains requirements similar to those in the rule. As a
result, as discussed further below, the marginal cost of compliance
with the Disposal Rule for these businesses is likely to be minimal.
---------------------------------------------------------------------------
\71\ ``Consumer Information'' is defined in the proposed rule as
any ``record about an individual, whether in paper, electronic, or
other form, that is a consumer report or is derived from a consumer
report.''
\72\ This number represents 2001 totals as reported by the SBA.
See http://www.sba.gov/advo/stats/.
---------------------------------------------------------------------------
In addition, any business, regardless of industry, that obtains a
consumer report, or information derived from a consumer report, will be
subject to the rule. Among businesses that might fall into this
category are landlords, utility companies, telecommunications
companies, and any business that obtains consumer reports for
employment screening purposes. The Commission is unaware of any data
concerning the frequency with which small businesses such as these
obtain consumer reports. As a result, it is not possible to determine
precisely how many small businesses outside the finance and insurance
industries will be subject to the rule, or how often these entities
will be required to undertake compliance efforts.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
The final Disposal Rule does not impose any specific reporting,
recordkeeping, or disclosure requirements within the meaning of the
Paperwork Reduction Act. The rule requires covered entities, when
disposing of consumer information, to take reasonable measures to
protect against unauthorized access to or use of the information in
connection with its disposal. What is considered ``reasonable'' will
vary according to an entity's nature and size, the costs and benefits
of available disposal methods, and the sensitivity of the information
involved. In formulating the rule, the Commission considered
alternatives to this approach, and determined that the flexibility
afforded by the rule reduces the burden that might otherwise be imposed
on small entities by a more rigid, prescriptive rule.
As noted above, entities already subject to the Commission's
Safeguards Rule should incur few, if any, additional compliance costs.
Among other things, the Safeguards Rule already requires covered
entities to develop and implement policies that require the proper
disposal of ``customer information'' (as defined in the GLBA), as well
as employee training programs and mechanisms to update their information
security programs on a periodic basis. In light of these existing
measures, modifying policies to address the disposal of ``consumer
information'' (as defined in the rule), and training employees on these
changes, should be possible at little or no cost. In fact, because the
definitions of ``consumer information'' and ``customer information''
overlap, many entities may already be in substantial compliance with
the rule's requirements.
For small businesses not already subject to the GLBA Safeguards
Rule, compliance costs may be greater. Because the rule does not
mandate specific disposal measures, a precise estimate of compliance
costs is not feasible. However, there are certain basic steps that are
likely to be appropriate for many small entities. For example,
shredding or burning paper records containing consumer information will
generally be appropriate. Depending upon the volume of records at issue
and the office equipment available to the small entity, this method of
disposal may be accomplished by the small entity itself at no cost, may
require the purchase of a paper shredder (available at office supply
stores for as little as $25), or may require the hiring of a document
disposal service on a periodic basis (the costs of which will vary
based on the volume of material, frequency of service, and geographic
location).
If a small entity has stored consumer information on electronic
media (for example, computer discs or hard drives), disposal of such
media could be accomplished by a small entity at almost no cost by
simply smashing the material with a hammer. In some cases, appropriate
disposal of electronic media might also be accomplished by overwriting
or ``wiping'' the data prior to disposal. Utilities to accomplish such
wiping are widely available for under $25; indeed, some such tools are
available for download on the Internet at no cost. Whether ``wiping,''
as opposed to destruction, of electronic media is reasonable, as well
as the adequacy of particular utilities to accomplish that ``wiping,''
will depend upon the circumstances.
The Commission did not receive any information on the amount of
employee time, measured in labor hours or costs, that might be incurred
by compliance with the Disposal Rule. The Commission believes that all
businesses, regardless of size, will need to educate and train their
employees on proper disposal. The actual amount of time it will take to
ensure that consumer report information is properly disposed will vary,
depending on a variety of circumstances, including the amount and
nature of covered records. However, the Commission believes many
businesses may already be following industry best practices, which may
include disposing of documents through shredders, using waste disposal
companies, or other confidential disposal methods; and continuing to do
so would not impose additional costs on such businesses.
As the above discussion illustrates, although it is not possible to
estimate small businesses' compliance costs precisely, such costs are
likely to be quite modest for most small entities.
E. Steps Taken To Minimize Significant Economic Impact of the Rule on
Small Entities
The Commission considered whether to exempt any persons or classes
of persons from the rule's application pursuant to section 216(a)(3) of
the FACT Act. The FTC asked for comment on this issue, as well as any
significant alternatives, consistent with the purposes of the FACT Act,
that could further minimize the rule's impact on small entities. The
Commission received no information or suggestions in response to this
request; rather, commenters specifically voiced support for application
of the rule to small businesses.\73\
---------------------------------------------------------------------------
\73\ See Supp. Comment, NAID 6; Supp. Comment, Ms. Lisa
Beavers 2; Supp. Comment, NAR 3.
---------------------------------------------------------------------------
[[Page 68697]]
The Commission also requested comment on the need to adopt a
delayed effective date for small entities in order to provide them with
additional time to come into compliance. The Commission received no
comments on this issue; however, the Commission has decided to extend
the effective date for all entities subject to the rule, from 3 months
to 6 months following publication of this rule. This additional time
will allow small entities to carefully assess their compliance
obligations and make cost-sensitive decisions concerning how to best
comply with the rule.
V. Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995, 44 U.S.C.
3506 (PRA), the Commission reviewed the proposed and final rules. The
rule explicitly provides that it is not intended ``(1) to require a
person to maintain or destroy any record pertaining to a consumer that
is not imposed under any other law; or (2) to alter or affect any
requirement imposed under any other provision of law to maintain or
destroy such a record.'' As such, the rule does not impose any
recordkeeping requirement or otherwise constitute a ``collection of
information'' as it is defined in the regulations implementing the PRA.
See 5 CFR 1320.3(c).
VI. Final Rule
List of Subjects in 16 CFR Part 682
Consumer reports, Consumer reporting agencies, Credit, Fair Credit
Reporting Act, Trade practices.
Accordingly, for the reasons stated in the preamble, the Federal Trade
Commission amends 16 CFR chapter I, to add new part 682 as follows:
PART 682--DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS
Sec.
682.1 Definitions.
682.2 Purpose and scope.
682.3 Proper disposal of consumer information.
682.4 Relation to other laws.
682.5 Effective date.
Authority: Pub. L. 108-159, sec. 216.
Sec. 682.1 Definitions.
(a) In general. Except as modified by this part or unless the
context otherwise requires, the terms used in this part have the same
meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681
et seq.
(b) ``Consumer information'' means any record about an individual,
whether in paper, electronic, or other form, that is a consumer report
or is derived from a consumer report. Consumer information also means a
compilation of such records. Consumer information does not include
information that does not identify individuals, such as aggregate
information or blind data.
(c) ``Dispose,'' ``disposing,'' or ``disposal'' means:
(1) The discarding or abandonment of consumer information, or
(2) The sale, donation, or transfer of any medium, including
computer equipment, upon which consumer information is stored.
Sec. 682.2 Purpose and scope.
(a) Purpose. This part (``rule'') implements section 216 of the
Fair and Accurate Credit Transactions Act of 2003, which is designed to
reduce the risk of consumer fraud and related harms, including identity
theft, created by improper disposal of consumer information.
(b) Scope. This rule applies to any person over which the Federal
Trade Commission has jurisdiction, that, for a business purpose,
maintains or otherwise possesses consumer information.
Sec. 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses
consumer information for a business purpose must properly dispose of
such information by taking reasonable measures to protect against
unauthorized access to or use of the information in connection with its
disposal.
(b) Examples. Reasonable measures to protect against unauthorized
access to or use of consumer information in connection with its
disposal include the following examples. These examples are
illustrative only and are not exclusive or exhaustive methods for
complying with the rule in this part.
(1) Implementing and monitoring compliance with policies and
procedures that require the burning, pulverizing, or shredding of
papers containing consumer information so that the information cannot
practicably be read or reconstructed.
(2) Implementing and monitoring compliance with policies and
procedures that require the destruction or erasure of electronic media
containing consumer information so that the information cannot
practicably be read or reconstructed.
(3) After due diligence, entering into and monitoring compliance
with a contract with another party engaged in the business of record
destruction to dispose of material, specifically identified as consumer
information, in a manner consistent with this rule. In this context,
due diligence could include reviewing an independent audit of the
disposal company's operations and/or its compliance with this rule,
obtaining information about the disposal company from several
references or other reliable sources, requiring that the disposal
company be certified by a recognized trade association or similar third
party, reviewing and evaluating the disposal company's information
security policies or procedures, or taking other appropriate measures
to determine the competency and integrity of the potential disposal
company.
(4) For persons or entities who maintain or otherwise possess
consumer information through their provision of services directly to a
person subject to this part, implementing and monitoring compliance
with policies and procedures that protect against unauthorized or
unintentional disposal of consumer information, and disposing of such
information in accordance with examples (b)(1) and (2) of this section.
(5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C.
6081 et seq., and the Federal Trade Commission's Standards for
Safeguarding Customer Information, 16 CFR part 314 (``Safeguards
Rule''), incorporating the proper disposal of consumer information as
required by this rule into the information security program required by
the Safeguards Rule.
Sec. 682.4 Relation to other laws.
Nothing in the rule in this part shall be construed:
(a) To require a person to maintain or destroy any record
pertaining to a consumer that is not imposed under other law; or
(b) To alter or affect any requirement imposed under any other
provision of law to maintain or destroy such a record.
Sec. 682.5 Effective date.
The rule in this part is effective on June 1, 2005.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 04-25937 Filed 11-23-04; 8:45 am]
BILLING CODE 6250-01-P