Identity theft is on the rise and employers are now required to take additional precautions to protect consumer information. Effective June 1, 2005, new regulations promulgated under the Fair Credit Reporting Act (FCRA) as amended by the Fair and Accurate Credit Transactions Act (FACTA) require employers to take reasonable steps to prevent unauthorized use of and access to consumer information during disposal of such information. While the regulations do not require any specific disposal methods, the regulations provide examples of the types of disposal processes that would be reasonable. Paper documents containing consumer information, for example, could be placed in locked trash bins while awaiting disposal and then shredded or burned.
"Disposal" encompasses not only tossing hardware, floppy disks, and CDs into a dumpster, but also the sale, donation and other transfer of the storage media. The regulations suggest that it would be reasonable for an employer to develop procedures to render electronically stored consumer information irretrievable before disposal. For example employers could magnetically swipe disks or scratch CDs containing consumer information before disposing of them. Employers also could consider having appropriately trained personnel check all hard drives containing consumer information before the computers containing those hard drives permanently leave the employer's premises -- whether for donation to a school, for sale by a second-hand computer warehouse, or for incineration by the municipal waste department.
Employers who do not comply with these regulations, and whose employees or job applicants ultimately are victimized by identity theft as a result, could face a lawsuit seeking to enforce the remedies authorized by the FCRA. In the case of negligent violations, FCRA remedies are limited to actual damages and an award of attorneys fees and costs. Willful violators may be subject to statutory damages of up to $1,000 per violation or to an award of actual damages, whichever is greater, and may be required to pay a prevailing plaintiff's attorney’s fees and costs. All employers who possess or maintain consumer information must begin to develop reasonable measures to dispose of such information in order to protect against the unauthorized access or use of the information.
The FTC has issued a new publication, “New Rule Seeks to Protect Privacy by Requiring Proper Disposal of Sensitive Consumer Information,” to educate businesses about the new requirements.
For more information about disposal requirement or for assistance in developing a disposal plan that complies with the FCRA, please contact Mary Elizabeth Davis.