FACTA Guidelines for Disposing Client Information

November 28, 2008

In March of 2008, a man in Wichita, Kansas left his home for several months to take care of his sick mother. Unbeknownst to him, a married couple broke into the house, assumed his identity, and proceeded to purchase various luxury items, including flat screen televisions and a satellite hookup, while they took up residence as if it were their own home. They even invited neighbors over for dinner and took out a second mortgage in the real homeowner's name.

It’s clear that the specter of identity theft has grown quite prominent over the last decade. In order to protect the public from the likes of the home invaders described above, the federal government has enacted the Fair and Accurate Credit Transactions Act (FACTA). FACTA affects how businesses should dispose of records or documents containing consumer information. Likewise, it will serve you well as a client to ensure that the business doing work for you follows the FACTA guidelines, or you could end up opening a nasty credit card bill showing a pricey purchase of Elvis memorabilia from QVC that you never authorized.

The focus of FACTA is to protect "consumer information", which essentially is information through which individuals can be specifically identified and linked to certain data, such as social security numbers, credit card accounts, phone numbers and addresses. You should also keep an eye out for information that is unique to an individual.

FACTA requires that "[a]ny person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." 16 CFR § 682.3(a). 

Acceptable methods of destroying consumer information include (but are not limited to) creating and monitoring procedures requiring:

  • the burning, shredding or pulverizing of the records so that information in them cannot practicably be read or reconstructed (while blenders are not necessarily recommended as a proper method of disposal, click here to see all the cool things they can and can’t pulverize);
  • erasure of electronic media (disk drives, data tapes, CD-ROMs, DVDs, thumb drives, etc.) in such a fashion that the data on them cannot practicably be read or reconstructed;
  • engaging the services of an outside company legitimately engaged in the business of the proper destruction of such records; and
  • protecting against the unauthorized disposal or dissemination of the records.

Failure to comply with the FACTA disposal rules could result in substantial civil liability. Victims of identity theft may be entitled to recover their actual damages, which can often be very large, as in the case of the victim described above. Further, federal and state governments are authorized to bring enforcement actions against FACTA violators.

For more information, please see the following link: http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt152.shtm