[Code of Federal Regulations]
[Title 16, Volume 1]
[Revised as of January 1, 2005]
From the U.S. Government Printing Office via GPO Access
[CITE: 16CFR682.3]

[Page 543-544]
 
                     TITLE 16--COMMERCIAL PRACTICES
 
                   CHAPTER I--FEDERAL TRADE COMMISSION
 
PART 682--DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS
 
Sec. 682.3  Proper disposal of consumer information.

    (a) Standard. Any person who maintains or otherwise possesses 
consumer information for a business purpose must properly dispose of 
such information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.
    (b) Examples. Reasonable measures to protect against unauthorized 
access to or use of consumer information in connection with its disposal 
include the following examples. These examples are illustrative only and 
are not exclusive or exhaustive methods for complying with the rule in 
this part.
    (1) Implementing and monitoring compliance with policies and 
procedures that require the burning, pulverizing, or shredding of papers 
containing consumer information so that the information cannot 
practicably be read or reconstructed.
    (2) Implementing and monitoring compliance with policies and 
procedures that require the destruction or erasure of electronic media 
containing consumer information so that the information cannot 
practicably be read or reconstructed.
    (3) After due diligence, entering into and monitoring compliance 
with a contract with another party engaged in the business of record 
destruction to dispose of material, specifically identified as consumer 
information, in a manner consistent with this rule. In this context, due 
diligence could include reviewing an independent audit of the disposal 
company's operations and/or its compliance with this rule, obtaining 
information about the disposal company from several references or other 
reliable sources, requiring that the disposal company be certified by a 
recognized trade association or similar third party, reviewing and 
evaluating the disposal company's information security policies or 
procedures, or taking other appropriate measures to determine the 
competency and integrity of the potential disposal company.
    (4) For persons or entities who maintain or otherwise possess 
consumer information through their provision of services directly to a 
person subject to this part, implementing and monitoring compliance 
with policies and 
procedures that protect against unauthorized or unintentional disposal 
of consumer information, and disposing of such information in accordance 
with examples (b)(1) and (2) of this section.
    (5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 
6081 et seq., and the Federal Trade Commission's Standards for 
Safeguarding Customer Information, 16 CFR part 314 ("Safeguards 
Rule"), incorporating the proper disposal of consumer information as 
required by this rule into the information security program required by 
the Safeguards Rule.