It’s good to review the basics every now and again. This week’s blog focuses on the elements of the Disposal Rule as defined by the FTC–the government agency charged with overseeing identity theft protection.
The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
(1) Burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
(2) Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
(3) Conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
a. Reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
b. Obtaining information about the disposal company from several references;
c. Requiring that the disposal company be certified by a recognized trade association;
d. Reviewing and evaluating the disposal company’s information security policies or procedures.
The FTC says that financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires (ftc.gov/privacy/privacyinitiatives/safeguards.html).
The Fair and Accurate Credit Transactions Act, which was enacted in 2003, directed the FTC, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Securities and Exchange Commission to adopt comparable and consistent rules regarding the disposal of sensitive consumer report information. The FTC’s Disposal Rule became effective June 1, 2005. It was published in the Federal Register on November 24, 2004 [69 Fed. Reg. 68,690], and is available at ftc.gov/os/2004/11/041118disposalfrn.pdf.
On site shredding service is a powerful way to comply. For more information, please visit www.hvshred.com