With very little fanfare, a new rule went into effect on June 1, 2005 that
impacts employers and businesses, regardless of size. Enacted in an effort to
combat the growing problem of identity theft, this new rule requires all businesses
to appropriately destroy consumer information when no longer needed, making
it impossible for scam artists to access. Known as the “disposal rule”,
it is part of the federal Fair and Accurate Credit Transaction Act (FACTA) and
is administered by the Federal Trade Commission.
The disposal rule provides, “Any person who maintains or otherwise possesses
consumer information for a business purpose must properly dispose of such information
by taking reasonable measures to protect against unauthorized access to or use
of the information in connection with its disposal.”
Suppose an employer performs a credit check on a prospective nanny as part
of the hiring process, or receives personal information from a “temp agency”
that originated from a credit report. The employer must comply with the disposal
rule when the information is no longer needed. Experts advise that every business,
regardless of size, establish a shredding policy and every employee that uses
sensitive consumer information have a paper shredder within arms reach.
The type of information that must be destroyed includes “any record about
an individual, whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report.”
The rule permits businesses to decide the method of destroying the information
that best meets their needs. Acceptable disposal methods for paper include burning,
pulverizing or shredding. It also requires companies to destroy or completely
erase electronic media. This includes hard drives, CD-ROMs, floppy disks and
information contained on PDAs.
Failure to comply with the new disposal rule could expose employers and business
owners to the following liability:
- Civil fines - Fines up to $2,500 per violation can be assessed
from the federal government
- Civil liability - Employers are potentially liable up to
$1,000 per employee in statutory damages
- Actual damages - Employers are liable for actual damages
if employees’ identities are stolen as a result of the company’s
failure to protect the information
- Class action lawsuit - Employers could be subject to a
class action lawsuit if multiple employees are affected.
(FACTA is Public Law 108-159, which was signed on December
6, 2003.)
View more shredders
