Start Printed Page 68690
AGENCY:
Federal Trade Commission (FTC or Commission).
ACTION:
Final rule.
SUMMARY:
The Fair and Accurate Credit Transactions Act of 2003 (“FACT Act” or “Act”) requires the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, Securities and Exchange Commission, and Federal Trade Commission, in coordination with one another, to adopt consistent and comparable rules regarding the proper disposal of consumer report information and records. This final rule implements this requirement.
DATES:
This rule is effective on June 1, 2005.
FOR FURTHER INFORMATION CONTACT:
Ellen Finn or Susan McDonald, Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
Statement of Basis and Purpose
I. Background
The Fair and Accurate Credit Transactions Act of 2003, Public Law 108-159, 117 Stat. 1952 (“FACT Act” or “Act”) was signed into law on December 4, 2003. In part, the Act amends the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. 1681 et seq., by imposing a new requirement on persons who possess or maintain, for a business purpose, consumer information derived from consumer reports. The Act requires that “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose[,] properly dispose of any such information or compilation.” [1]
The FACT Act directs the Commission to consult and coordinate with other agencies in connection with promulgating rules regarding the proper disposal of consumer report information and records. Specifically, the Act directs the Commission to consult and coordinate with the Federal banking agencies,[2] the National Credit Union Administration (“NCUA”), and the Securities and Exchange Commission (“SEC”) so that the regulations prescribed by each agency are consistent and comparable.[3] Further, the Act directs the Commission to ensure that the regulations are consistent with the requirements of the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. 6081 et seq.[4]
The Commission has conferred and coordinated extensively with the Federal banking agencies, the NCUA, and SEC to ensure that the agencies promulgate regulations that are comparable and consistent with each other and with the requirements of the GLBA.[5] On April 16, 2004, the Commission issued and sought comment on a proposed Rule implementing the requirements of section 216 of the FACT Act (the proposed Rule).[6] On July 8, 2004, the Commission supplemented its initial notice of proposed rulemaking (NPR) with, and sought comment on, a supplemental initial regulatory flexibility analysis (supplemental IRFA).[7] The supplemental IRFA was intended to provide additional information to assist small businesses in commenting on the impact, if any, the final Rule will have on such businesses. In response to both the NPR and the supplemental IRFA, the Commission received 58 comments from a variety of trade associations, businesses, consumer advocacy groups, and individuals. After carefully considering the comments received, the Commission adopts the proposed rule with only minor modifications described later in this notice.
Like the proposed rule, the final rule requires that persons over which the FTC has jurisdiction who maintain or otherwise possess consumer information for a business purpose properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. It also includes several examples, including one new and two slightly revised examples, of what the Commission believes constitute reasonable measures to protect consumer information in connection with its disposal. These examples are intended to provide covered entities with guidance on how to comply with the rule but are not intended to be safe harbors or exclusive methods for complying with the rule.
In addition, the final rule maintains the flexible “reasonable measures” standard of the proposed rule. The FTC realizes that there are few foolproof methods of records destruction and that entities covered by the rule must consider their own unique circumstances when determining how to best comply with the rule.
Finally, the final rule extends the effective date of the rule from three months to six months following publication in the Federal Register.
II. Overview of Comments Received
The Commission received 58 comments on the proposed rule, five of which were in response to the supplemental IRFA.[8] The vast majority of these comments were from industry trade organizations [9] and the business community.[10] Consumer advocacy groups,[11] individual consumers, and one Senator [12] also submitted comments on the proposed rule.
The Commission received comments on nearly all of the provisions contained in the proposed rule. Most commenters, including consumers, businesses, and industry representatives, expressed general support for a rule requiring the proper disposal of consumer information. Many commenters noted that numerous companies that possess or maintain consumer report information already have programs in place to ensure the information's proper disposal, either as a matter of sound business practice or pursuant to other legal requirements. In general, commenters stated that they believed that the proposed rule would help combat fraud, such as identity theft. Indeed, some commenters urged the Commission to adopt provisions that extend beyond what the FACT Act provides in order to combat identity theft by, for example, expanding the scope of information covered under the rule to include payroll records and credit card receipts [13] or all information stored in the same file as consumer report information.[14]
The majority of commenters focused on the proposed rule's standard for disposal and definitions of “consumer information” and “disposal.” Most commenters expressed support for the proposed rule's “reasonable measures” standard for disposal. Commenters supporting the standard noted that its flexibility would allow covered persons to make decisions appropriate to their particular circumstances and that a more specific or uniform standard would be unrealistic, unnecessarily costly, and insufficiently flexible to deal with the broad range of entities subject to the final rule.[15] One consumer advocacy group stated that a more specific minimum standard is needed to ensure that all businesses implement adequate disposal practices; [16] another commenter suggested that the final rule should require covered persons to adopt formal, written information retention and disposal programs.[17]
In general, commenters also approved of the definitions of “consumer information” and “disposal,” [18] but some suggested minor clarifications.[19] These comments are addressed more fully below.
In addition, the Commission received comments from industry representatives and financial institutions on the scope of the proposed rule. In general, these commenters stated that, for various reasons, consumer reporting agencies and other entities already subject to the Gramm-Leach-Bliley Act and the Commission's implementing Safeguards Rule [20] should not also be subject to the Disposal Rule.[21] Among other things, these commenters expressed concern that attempting to comply with multiple standards would engender uncertainty and possibly higher costs among persons covered by both rules. Commenters representing the records management and disposal industries [22] also expressed concern that the proposed rule would impose direct liability on such service providers for failing to properly dispose of records even when they have no contractual arrangements with the record owners requiring or paying them to do so. The Commission also received a comment from the U.S. Senator who introduced Section 216,[23] which stated that the scope of the proposed rule closely followed Congressional intent. These comments are addressed more fully below.
Overall, commenters were in favor of including examples of proper disposal methods in the final rule. Some commenters requested further clarification regarding the example involving garbage collectors.[24] Other commenters requested clarification as to whether the examples are minimum requirements, safe harbors, or simply illustrative guidance.[25] The Commission also received comments that discussed the effective date of the proposed rule. Numerous commenters requested that the period between issuance of the final rule and the effective date be lengthened.[26]
Finally, most commenters who addressed small business concerns stated that the proposed rule would not create any undue burden for small businesses. These commenters cited the proposed rule's flexible “reasonable methods” standard, which would allow covered persons to minimize costs, and the fact that the proposed rule would not impose new record keeping requirements, as the major factors that would alleviate any burdens on small businesses.[27]
III. Section-by-Section Analysis
Section 682.1: Definitions
Section 682.1(a) provides that, unless otherwise stated, terms used in the Disposal Rule have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. Thus, for example, the term “consumer report” as used in the Disposal Rule has the same meaning as the term “consumer report” elsewhere in the FCRA. See 15 U.S.C. 1681a(d) (defining “consumer report”). The Commission received no comments suggesting changes to this provision, and it is adopted as proposed.
Consumer Information
The proposed rule defined “consumer information” as any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. The NPR stated that the phrase “derived from consumer reports” would cover all of the information about a consumer that is derived from any consumer report(s), including information taken from a consumer report, information that results in whole or in part from manipulation of information taken from a consumer report, and information that has been combined with other types of information. Further, the NPR explained that because the definition of “consumer information” refers to records “about an individual,” information that does not identify particular consumers would not be covered under the rule. The Commission received a variety of comments requesting clarification or modification of this definition of consumer information.
One consumer advocacy group requested that the definition include compilations of consumer information.[28] Although the proposed rule already proposed to cover compilations of consumer information by referring to compilations in the scope and standard sections of the rule, the Commission agrees that it would be clearer to include compilations in the definition of consumer information itself. Therefore, it has modified the definition of consumer information to include compilations.
Commenters were uniformly supportive of the proposed rule's application only to information that identifies particular individuals,[29] but many requested that the rule be more explicit on this point.[30] In response to these comments, and in order to provide additional guidance and clarity, the Commission has added language to the rule emphasizing that information that does not identify individuals, such as aggregate information or blind data, is not covered by the definition of consumer information.[31]
Commenters also sought guidance on the kinds of information that would be considered to identify particular individuals.[32] The Commission believes that there are a variety of personal identifiers beyond simply a person's name that would bring information within the scope of the rule, including, but not limited to, a social security number, driver's license number, phone number, physical address, and e-mail address. The Commission has not included a rigid definition in the final rule, however, because, depending upon the circumstances, data elements that are not inherently identifying can, in combination, identify particular individuals.[33]
A number of commenters also requested that certain categories of information be excluded from the definition of consumer information. These include credit header information,[34] publicly available information,[35] and “non-sensitive” information.[36] Although credit header information, which includes name, address, and social security number, is not itself a consumer report, it is generally derived from a consumer report and, therefore, within the universe of information covered by section 216 of the FACT Act. Similarly, public record information is often part of consumer reports and therefore falls within the scope of information Congress intended to cover. With respect to “non-sensitive” information, the Commission notes that persons subject to the Disposal Rule may always consider the sensitivity of the consumer information at issue in determining what disposal measures are reasonable under the circumstances.
Finally, some commenters suggested that recipients of information about consumers may not always know whether the information they receive was derived from a consumer report.[37] They suggested, therefore, that the definition of “consumer information” be limited to information that a person knows to be derived from a consumer report.[38]
In response to these comments, the Commission notes that knowledge is not an element or a prerequisite to the duty to comply with either the FACT Act or the Disposal Rule. Nevertheless, the Commission also notes that in most, if not all, circumstances covered by the rule, covered entities will or should know if they possess consumer information. First, in most circumstances under the FCRA, a person who obtains a consumer report may use that information only for the specific permissible purpose for which it was obtained. In such circumstances, the person who possesses the information should clearly be aware that it is a consumer report.
Second, when consumer information is transferred to a service provider or shared between affiliates following consumer notice and opportunity to opt-out,[39] the Commission believes that, in light of the nature of the relationship and information sharing practices between such parties, service providers and affiliates generally will or should know when they have been provided with covered consumer information. Moreover, the Commission believes that, for persons subject to the rule, identifying consumer information when providing it to service providers or affiliates is one “reasonable measure” to ensure that the information will be disposed of properly in accordance with the rule.[40] For these reasons, the Commission has not modified the definition as requested by the comments.
Disposal
Proposed section 682.1(c) defined “disposing” or “disposal” to include the discarding or abandonment of consumer information, as well as the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. The NPR noted that the sale, donation, or transfer of consumer information, by itself, would not be considered “disposal” under this definition.[41]
Some commenters suggested that the definition should state what disposal “means” as opposed to what it “includes.”[42] The Commission agrees and has adopted this change in the final rule.
One commenter also suggested that the definition of disposal as “the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored” is not sufficiently broad with respect to the media and equipment covered.[43] This commenter suggested adding language specifically including computer media and other non-paper media and equipment. The Commission believes that the definition of disposal as proposed, which includes “any medium * * * upon which consumer information is stored,” is sufficiently broad to capture the materials of concern to the commenter.
Section 682.2: Purpose and Scope
Proposed section 682.2(a) set forth the purpose of the proposed Disposal Rule, which is to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information. The Commission received no comments suggesting changes to this provision, and it is adopted as proposed.
Proposed section 682.2(b), which tracks the language of section 216 of the FACT Act, sets forth the scope of the proposed Disposal Rule. The rule applies to “any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.” The preamble to the proposed rule noted that the Commission reads “for a business purpose” broadly to include all business reasons for which a person may possess or maintain consumer information. As a result, the rule covers any person that possesses or maintains consumer information other than an individual consumer who has obtained his or her own consumer report or file disclosure.
As noted in the preamble to the proposed rule, among the entities that possess or maintain consumer information for a business purpose are consumer reporting agencies, as well as lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, and other users of consumer reports. In fact, all of the permissible purposes listed in § 604 of the FCRA would be considered business purposes under the rule.
The Commission received a number of financial industry comments arguing that the Disposal Rule should not apply to financial institutions subject to the Gramm-Leach-Bliley Act and the Commission's implementing Safeguards Rule.[44] These commenters' primary argument is that because the Safeguards Rule already covers information disposal, subjecting financial institutions to the Disposal Rule is unnecessary. Additionally, commenters expressed concern that attempting to comply with multiple standards would engender uncertainty and possibly higher costs among persons covered by both rules.
As the Commission stated in its Notice of Proposed Rulemaking, the coverage of the proposed Disposal Rule is different from that of the Commission's Safeguards Rule. In addition to covering a different (but overlapping) set of entities, the proposed Disposal Rule and the Safeguards Rule apply to different sets of information. Compare 16 CFR 314.1(b) (describing scope of “customer information” covered by Safeguards Rule) with Proposed Disposal Rule §§ 682.1(b) & 682.2(b) (defining scope of “consumer information” subject to proposed Disposal Rule).[45] As a result, the Commission believes that it is important to cover financial institutions under the Disposal Rule in order to ensure that the full range of information covered by section 216 of the FACT Act is properly protected in connection with its disposal. In addition, the plain language of section 216 of the FACT Act supports coverage of financial institutions.
In response to the commenters' concerns about the potential burdens imposed on persons covered by both the Safeguards Rule and Disposal Rule, the Commission notes that the substantive requirements of both rules are consistent with respect to disposal. Although the Safeguards Rule focuses on comprehensive information security and the Disposal Rule more narrowly on disposal, both incorporate flexible, risk-based standards that require reasonable measures to protect against unauthorized access to or use of information. As a result, compliance with the standards of the Disposal Rule will constitute compliance with the disposal obligations under the Safeguards Rule. Thus, companies should easily be able to develop approaches that satisfy the requirements of both rules without undue burdens or costs.[46] Accordingly, section 682.2(b) is adopted as proposed.
Section 682.3: Proper Disposal of Consumer Information
Under the proposed rule, any person that maintains or otherwise possesses consumer information would be required to “take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” Recognizing that there are few foolproof methods of record destruction, the NPR stated that the proposed rule would not require covered persons to ensure perfect destruction of consumer information in every instance; rather, it requires covered entities to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. In determining what measures are “reasonable” under the rule, the Commission stated in the NPR that it expects that entities covered by the rule would consider the sensitivity of the consumer information, the nature and size of the entity's operations, the costs and benefits of different disposal methods, and relevant technological changes. The Commission also noted that “reasonable measures” are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.
The vast majority of commenters supported this flexible standard for disposal.[47] Commenters noted that the standard will allow covered persons to make decisions appropriate to their particular circumstances; [48] minimize the costs of compliance, particularly for small businesses; [49] and harmonize the Disposal Rule with the requirements of the Commission's Safeguards Rule.[50] Accordingly, the basic standard for disposal has been adopted as proposed.
In order to provide additional clarity, the proposed rule also included examples intended to provide guidance on disposal measures that would be reasonable under the rule. Generally, commenters found the examples to be helpful. Although some commenters suggested treating the examples as minimum requirements,[51] many commenters approved of the examples remaining as illustrative guidance only and, in fact, requested a more explicit statement to that effect in the rule itself.[52] The Commission continues to believe that these examples should be illustrative only, not exhaustive, because they cannot take into account a particular entity's unique circumstances. In order to make this clear, the Commission has added language to the rule stating explicitly that “These examples are illustrative only and are not exclusive or exhaustive methods for complying with this rule.”
Finally, commenters expressed concern that the final example, which addresses what would be “reasonable measures” for a disposal service provider or traditional garbage collector, is confusing with respect to the obligations of both service providers and the record owners who transfer consumer information to them.[53] In particular, commenters representing the records management and disposal industries pointed out that service providers are frequently not in a position to make independent determinations as to whether information they possess is, or was derived from, a consumer report.[54] In addition, these commenters argued that imposing direct liability for disposal on a service provider may allow, and even create incentives for, record owners to “dump” covered materials on service providers without paying for the proper destruction required by the rule.[55] These commenters suggested that service providers should be liable for violations of the rule only if the service provider (1) has been notified that the information it possesses is consumer information as defined in the rule; and (2) has entered into a written contract to dispose of such information in accordance with this rule.[56]
The Commission has addressed these commenters' concerns by revising the rule's examples to clarify what the “reasonable measures” standard requires when information is transferred or otherwise provided to service providers. First, the Commission has deleted the “garbage collector” example that caused some confusion. Second, the Commission has revised Example 3 so that it explicitly contemplates that a record owner would tell a service provider when it is providing the service provider with consumer information.[57] Thus, as revised, Example 3 illustrates that, if a record owner transfers or otherwise provides consumer information to a service provider, the “reasonable measures” standard will generally require a record owner to take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer information at issue; notify the service provider that such information is consumer information; and enter into a contract that requires the service provider to dispose of such information in accordance with this rule. This example clarifies record owners' responsibilities with respect to service providers while also ensuring that service providers have the information required, and make the arrangements needed, to fulfill their responsibilities under the rule. The Commission also notes that Example 3 harmonizes this aspect of the Disposal Rule with the Commission's GLBA Safeguards Rule, which contains analogous requirements.
Under the final rule, service providers continue to be covered, and, therefore, along with the record owner, bear responsibility for proper disposal of consumer information that they maintain or otherwise possess. In evaluating a service provider's compliance with this rule, however, a record owner's failure to provide notice or contract for disposal in accordance with the requirements of the rule will be strongly considered. Other factors relevant to a service provider's liability and the “reasonableness” of its action include actual or constructive knowledge of the nature of the consumer information, the course of dealing between the service provider and record owner, and, consistent with the rule's overall “reasonableness” standard, the sensitivity of the consumer information, the nature and size of the service provider's operations, and the costs and benefits of different disposal methods.
The Commission also received a number of comments concerning the relationship between the Disposal Rule and Safeguards Rule. Many of these commenters requested an explicit statement in the rule that, for financial institutions subject to the Safeguards Rule, incorporation of the requirements of this rule into the information security program required by the Safeguards Rule constitutes compliance with this rule.[58] The Commission has added an Example 5 to illustrate this point.
Lastly, one commenter expressed concern that the phrase “in connection with its disposal” could be read to require reasonable measures to protect against unauthorized access or use of consumer information during the disposal process, but not following it.[59] The Commission intends the phrase “in connection with its disposal” to mean both during and after the disposal process.
Section 682.4: Relation to Other Laws
Proposed section 682.4(a) made clear that nothing in the rule is intended to create a requirement that a person maintain or destroy any record pertaining to a consumer. The proposed rule also stated that the rule is not intended to affect any requirement imposed under any other provision of law to maintain or destroy such records. The Commission received no comments suggesting changes to this provision, and it is adopted as proposed.
Section 682.5: Effective Date
The Commission initially proposed to make the Disposal Rule effective 3 months after the publication of the final rule. Although some commenters supported a 3-month effective date,[60] the majority of commenters requested a longer effective date in order to allow covered entities to develop and implement appropriate disposal procedures or to research and contract with service providers.[61] These commenters suggested time periods ranging from 6 to 12 months after the publication of the final rule. After considering the comments and balancing the need for protections against the need to allow covered entities sufficient time to come into compliance, the Commission has extended the effective date to be 6 months after publication of the final rule.
IV. Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act (“RFA”), 5 U.S.C. 601-612, requires that the Commission provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule and a Final Regulatory Flexibility Analysis (“FRFA”), with the final rule, unless the Commission certifies that the Rule will not have a significant economic impact on a substantial number of small business entities. For the majority of entities subject to the rule, a small business entity is defined by the Small Business Administration as one whose average annual receipts do not exceed $6 million or that has fewer than 500 employees.[62]
The Commission hereby certifies that the final rule will not have a significant economic impact on a substantial number of small business entities. The rule applies to “any person that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.” As discussed in the NPR and in the supplemental IRFA, any company, regardless of industry or size, that possesses or maintains consumer information for a business purpose would be subject to the rule. Therefore, small entities across almost every industry could potentially be subject to the rule. However, as discussed in more detail below, many small entities subject to the rule are already subject to the GLBA Safeguards Rule,[63] which contains requirements similar to those in the rule. As a result, the marginal cost of compliance with the Disposal Rule for these businesses is likely to be minimal.
The Commission is unaware of any data concerning the frequency with which other small businesses obtain consumer reports. As a result, it is not possible to determine precisely how often small businesses would be required to undertake compliance efforts. In the July 8, 2004, supplemental IRFA, 69 FR 41219, the Commission asked several questions related to the existence, number, and nature of small business entities covered by the proposed rule, as well as the economic impact of the proposed rule on such entities. The Commission received five comments in response to its supplemental IRFA,[64] three of which addressed the small business issues raised. These comments, which are discussed in more detail below, were generally supportive of the rule as it applies to small businesses.[65]
The Commission continues to believe that a precise estimate of the number of small entities that fall under the rule is not currently feasible. However, based on the comments received and the Commission's own experience and knowledge of industry practices, the Commission also continues to believe that the cost and burden to small business entities complying with the rule is minimal and that the final rule will not have a significant impact on a substantial number of small entities. This document serves as notice to the Small Business Administration of the Commission's certification of no effect. Nonetheless, the Commission has decided to publish a Final Regulatory Flexibility Analysis with this final Rule. Therefore, the Commission has prepared the following analysis:
A. Need for and Objectives of the Rule
Section 216 of the FACT Act requires the Commission to issue regulations regarding the proper disposal of consumer information in order to prevent sensitive financial and personal information from falling into the hands of identity thieves or others who might use the information to victimize consumers. In this action, the Commission promulgates a final rule to fulfill the statutory mandate. The rule is authorized by and based upon section 216 of the FACT Act.
B. Significant Issues Raised by Public Comments
On July 8, 2004, the Commission published a supplemental initial regulatory flexibility analysis for notice of proposed rulemaking, 69 FR 41219, in which the Commission asked several questions related to the existence, number, and nature of small business entities covered by the proposed rule, as well as the economic impact of the proposed rule on such entities. The Commission received five comments in response to its supplemental IRFA,[66] three of which addressed the small business issues raised.[67] These commenters all agreed that the rule should apply to small businesses. One commenter praised the proposed rule's reasonableness standard as “provid[ing] ample flexibility for all covered entities, large and small.”[68] Another commenter cited the low cost of compliance.[69]
The Commission also received comments in response to the initial NPR that addressed small business concerns. These comments were also generally supportive of the proposed rule as it would apply to small businesses. Many commenters supported the purpose for promulgating the rule, and cited both the rule's flexible standard and the low costs of shredders and disposal services as evidence that the compliance costs to small businesses will be low.[70]
C. Small Entities to Which the Rule Will Apply
The Disposal Rule, which tracks the language of section 216 of the FACT Act, applies to “any person that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.” The entities covered by the rule would include consumer reporting agencies, resellers of consumer reports, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, waste disposal companies, and any other business that possesses or maintains consumer information. As explained in the NPR and supplemental IRFA, any company, regardless of industry or size, that possesses or maintains consumer information for a business purpose will be subject to the rule. Therefore, numerous small entities across almost every industry could potentially be subject to the rule.
Although it is impossible to identify every industry that may possess or maintain consumer information [71] for business purposes, the Commission anticipates that, at a minimum, the small entities within the finance and insurance industries are likely to be subject to the rule. According to the Small Business Administration, there are approximately 231,000 small businesses within these industries.[72] Generally, these entities are already subject to the GLBA's Safeguards Rule, which contains requirements similar to those in the rule. As a result, as discussed further below, the marginal cost of compliance with the Disposal Rule for these businesses is likely to be minimal.
In addition, any business, regardless of industry, that obtains a consumer report, or information derived from a consumer report, will be subject to the rule. Among businesses that might fall into this category are landlords, utility companies, telecommunications companies, and any business that obtains consumer reports for employment screening purposes. The Commission is unaware of any data concerning the frequency with which small businesses such as these obtain consumer reports. As a result, it is not possible to determine precisely how many small businesses outside the finance and insurance industries will be subject to the rule, or how often these entities will be required to undertake compliance efforts.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
The final Disposal Rule does not impose any specific reporting, recordkeeping, or disclosure requirements within the meaning of the Paperwork Reduction Act. The rule requires covered entities, when disposing of consumer information, to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. What is considered “reasonable” will vary according to an entity's nature and size, the costs and benefits of available disposal methods, and the sensitivity of the information involved. In formulating the rule, the Commission considered alternatives to this approach, and determined that the flexibility afforded by the rule reduces the burden that might otherwise be imposed on small entities by a more rigid, prescriptive rule.
As noted above, entities already subject to the Commission's Safeguards Rule should incur few, if any, additional compliance costs. Among other things, the Safeguards Rule already requires covered entities to develop and implement policies that require the proper disposal of “customer information” (as defined in the GLBA), as well as employee training programs and mechanisms to update its information security program on a periodic basis. In light of these existing measures, modifying policies to address the disposal of “consumer information” (as defined in the rule), and training employees on these changes, should be possible at little or no cost. In fact, because the definitions of “consumer information” and “customer information” overlap, many entities may already be in substantial compliance with the rule's requirements.
For small businesses not already subject to the GLBA Safeguards Rule, compliance costs may be greater. Because the rule does not mandate specific disposal measures, a precise estimate of compliance costs is not feasible. However, there are certain basic steps that are likely to be appropriate for many small entities. For example, shredding or burning paper records containing consumer information will generally be appropriate. Depending upon the volume of records at issue and the office equipment available to the small entity, this method of disposal may be accomplished by the small entity itself at no cost, may require the purchase of a paper shredder (available at office supply stores for as little as $25), or may require the hiring of a document disposal service on a periodic basis (the costs of which will vary based on the volume of material, frequency of service, and geographic location).
If a small entity has stored consumer information on electronic media (for example, computer discs or hard drives), disposal of such media could be accomplished by a small entity at almost no cost by simply smashing the material with a hammer. In some cases, appropriate disposal of electronic media might also be accomplished by overwriting or “wiping” the data prior to disposal. Utilities to accomplish such wiping are widely available for under $25; indeed, some such tools are available for download on the Internet at no cost. Whether “wiping,” as opposed to destruction, of electronic media is reasonable, as well as the adequacy of particular utilities to accomplish that “wiping,” will depend upon the circumstances.
The Commission did not receive any information on the amount of employee time, measured in labor hours or costs, that might be incurred by compliance with the Disposal Rule. The Commission believes that all businesses, regardless of size, will need to educate and train their employees on proper disposal. The actual amount of time it will take to ensure that consumer report information is properly disposed will vary, depending on a variety of circumstances, including the amount and nature of covered records. However, the Commission believes many businesses may already be following industry best practices, which may include disposing of documents through shredders, using waste disposal companies, or other confidential disposal methods; and continuing to do so would not impose additional costs on such businesses.
As the above discussion illustrates, although it is not possible to estimate small businesses' compliance costs precisely, such costs are likely to be quite modest for most small entities.
E. Steps Taken To Minimize Significant Economic Impact of the Rule on Small Entities
The Commission considered whether to exempt any persons or classes of persons from the rule's application pursuant to section 216(a)(3) of the FACT Act. The FTC asked for comment on this issue, as well as any significant alternatives, consistent with the purposes of the FACT Act, that could further minimize the rule's impact on small entities. The Commission received no information or suggestions in response to this request; rather, commenters specifically voiced support for application of the rule to small businesses.[73]
The Commission also requested comment on the need to adopt a delayed effective date for small entities in order to provide them with additional time to come into compliance. The Commission received no comments on this issue; however, the Commission has decided to extend the effective date for all entities subject to the rule, from 3 months to 6 months following publication of this rule. This additional time will allow small entities to carefully assess their compliance obligations and make cost-sensitive decisions concerning how to best comply with the rule.
V. Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995, 44 U.S.C. 3506 (PRA), the Commission reviewed the proposed and final rules. The rule explicitly provides that it is not intended “(1) to require a person to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or (2) to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.” As such, the rule does not impose any recordkeeping requirement or otherwise constitute a “collection of information” as it is defined in the regulations implementing the PRA. See 5 CFR 1320.3(c).
VI. Final Rule
List of Subjects in 16 CFR Part 682
- Consumer reports
- Consumer reporting agencies
- Credit
- Fair Credit Reporting Act
- Trade practices
Accordingly, for the reasons stated in the preamble, the Federal Trade Commission amends 16 CFR chapter I, to add new part 682 as follows:
PART 682—DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS
§ 682.1 Definitions.
(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.
(b) “Consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.
(c) “Dispose,” “disposing,” or “disposal” means:
(1) The discarding or abandonment of consumer information, or
(2) The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.
§ 682.2 Purpose and scope.
(a) Purpose. This part (“rule”) implements section 216 of the Fair and Accurate Credit Transactions Act of 2003, which is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.
(b) Scope. This rule applies to any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information.
§ 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
(b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with the rule in this part.
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.
(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (b)(1) and (2) of this section.
(5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule.
§ 682.4 Relation to other laws.
Nothing in the rule in this part shall be construed:
(a) To require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or
(b) To alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.
By direction of the Commission.
Donald S. Clark,
Secretary.
Footnotes
1. FACT Act section 216, 15 U.S.C. 1681w(a)(1).
2. The Federal Reserve Board of Governors, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Office of Thrift Supervision.
5. The Federal banking agencies, NCUA, and SEC have proposed to implement § 216 of the FACT Act by amending their existing guidelines and rules on information security previously issued to implement section 501(b) of the GLBA. However, because the entities subject to the FTC's jurisdiction under the FACT Act and the GLBA are overlapping but not coextensive, the Commission has chosen to adopt a separate rule to implement § 216 of the FACT Act. Despite this difference in form, the substance of the rules is comparable and consistent.
6. The notice of proposed rulemaking and proposed Rule were published in the Federal Register on April 20, 2004. 69 FR 21387.
7. The supplemental IRFA was published in the Federal Register on July 8, 2004. 69 FR 41219.
8. The public comments relating to this rulemaking may be viewed at http://www.ftc.gov/os/comments/disposal/index.htm (proposed Rule) and at http://www.ftc.gov/os/comments/disposal-supplement/index.htm (supplemental IRFA). The Commission considered all comments received on or before the close of the comment periods on June 15, 2004, for the proposed rule and on July 30, 2004, for the supplemental analysis. Citations to comments filed in this proceeding are made to the name of the organization (if any) or the last name of the commenter, and the comment number of record.
9. These included the Consumer Data Industry Association (CDIA) (the trade association that represents the nationwide consumer reporting agencies and a variety of other consumer reporting agencies), the American Insurance Association, America's Community Bankers, ACA International (representing debt collection agencies and other accounts receivable professionals), ARMA International (the association of information management professionals), the National Association of Realtors, the Consumer Bankers Association, the Credit Union National Association (CUNA), the Michigan Credit Union League, the National Independent Automobile Dealers Association, the Software & Information Industry Association (SIIA), the Pennsylvania Credit Union Association, the National Association of Professional Background Screeners, the National Association for Information Destruction, Inc. (NAID) (a trade association for the information destruction industry) and the Coalition to Implement the FACT Act (representing trade associations and companies that furnish, use, collect, and disclose consumer information).
10. These included financial institutions, such as Bank of America Corporation, Countrywide Home Loans, Elgin Bank of Texas, MasterCard International Incorporated, MBNA America Bank, N.A., Virginia Credit Union, Inc. and Visa U.S.A.; credit reporting agencies, such as Equifax Information Services LLC, Experian Information Solutions, Inc., and Trans Union LLC; and information management and destruction firms, including AccuShred, LLC, Allshred Services, Inc., Community Shredders, IndyShred, PRISM International, Reclamere, Inc., SECURE Eco Shred, and Shred-it Orlando.
11. These included Consumers Union and the Privacy Rights Clearinghouse, which was joined in its comments by Consumer Action, the Consumer Federation of California, the Identity Theft Resource Center, Privacy Activism, and the Worldwide Privacy Forum.
12. Senator Bill Nelson (D-FL).
13. See Comment, IndyShred #15.
14. See Comment, NAID #48.
15. See, e.g., Comment, Equal Employment Advisory Council #26; Comment, National Automobile Dealers Association #52; Comment, Mastercard #29; Comment, Equifax #54; Comment, Consumer Bankers Association #53; Comment, Coalition to Implement the FACT Act #64.
16. See Comment, Consumers Union #8; see also Comment, Gercken #14.
17. See Comment, ARMA International #35.
18. See, e.g., Comment, CUNA #22; Comment, Visa U.S.A. #23; Comment, Consumer Bankers Association #53; Comment, CDIA #46.
19. See, e.g., Comment, CUNA #22; Comment, Equifax #54; Comment, Michigan Credit Union League #58; Comment, TransUnion #44; Comment, Mastercard #29; Comment, Consumer Bankers Association #53; Comment, Coalition to Implement the FACT Act #64; Comment, MBNA #19; Comment, Visa U.S.A. #23; Comment, American Financial Services Association #33; Comment, CDIA #46; Comment, Bank of America #51.
21. See, e.g., Comment, Experian #59; Comment, TransUnion #44; Comment, Mastercard #29; Comment, Equifax #54.
22. See, e.g., Comment, PRISM International #21; Comment, NAID #49.
23. See Comment, Senator Bill Nelson #55.
24. See, e.g., Comment, CDIA #46; Comment, Equifax #54; Comment, NAID #49.
25. See, e.g., Comment, Mastercard #29; Comment, American Insurance Association #50.
26. See, e.g., Comment, Experian #59 (6 months); Comment, TransUnion #44 (6 months); Comment, Equifax #54 (6 months); Comment, American Financial Services Association #33 (6 months); Comment, American Insurance Association #50 (12 months); Comment, Consumer Bankers Association #53 (12 months); Comment, CDIA #46 (6 months); Comment, National Automobile Dealers Association #52 (9 months); Comment, Coalition to Implement the FACT Act #64 (6 months).
27. See, e.g., Comment, National Automobile Dealers Association #52; Comment, Mastercard #29; Comment, Consumer Bankers Association #53; Comment, Coalition to Implement the FACT Act #64.
28. Comment, Consumers Union #8.
29. See, e.g., Comment, MBNA #19; Comment, Visa U.S.A. #23; Comment, Equal Employment Advisory Council #26; Comment, TransUnion #44; Comment, Mastercard #29; Comment, Equifax #54; Comment, American Financial Services Association #33; Comment, Consumer Bankers Association #53; Comment, CDIA #46; Comment, Bank of America #51; Comment, Coalition to Implement the FACT Act #64.
30. See, e.g., Comment, MBNA #19; Comment, Visa U.S.A. #23; Comment, TransUnion #44; Comment, Equifax #54; Comment, American Financial Services Association #33; Comment, CDIA #46; Comment, Bank of America #51.
31. The terms “aggregate information” and “blind data” as used in the rule are intended to have the same meaning as in § 313.3(o)(2)(ii)(B) of the Commission's GLBA Rule regarding the Privacy of Consumer Financial Information, 16 CFR part 313.
32. See, e.g., Comment, Consumers Union #8; Comment, MBNA #19; Comment, Equifax #54; Comment, Senator Bill Nelson #55; Comment, Privacy Rights Clearinghouse #39; Comment, Michigan Credit Union League #58.
33. See Comment, Consumers Union #8; Comment, Privacy Rights Clearinghouse #39.
34. See, e.g., Comment, Equifax #54.
35. See, e.g., Comment, National Independent Automobile Dealers Association #53.
36. See, e.g., Comment, America's Community Bankers #24; Comment, Mastercard #29.
37. See, e.g., Comment, Consumer Bankers Association #53; Comment, Coalition to Implement the FACT Act #64.
38. See, e.g., Comment, Mastercard #29; Comment, American Financial Services Association #33; Comment, Consumer Bankers Association #53; Comment, Coalition to Implement the FACT Act #64.
39. See FCRA § 603(d)(2)(A)(iii), 15 U.S.C. 1681a(d)(2)(A)(iii).
40. Example 3 of the final rule, which is discussed further below, illustrates this point as to service providers.
41. A number of industry commenters requested an explicit statement to this effect in the rule. See, e.g., Comment, America's Community Bankers #24; Comment, TransUnion #44; Comment, Mastercard #29; Comment, Consumer Bankers Association #53; Comment, NAID #49; Comment, Coalition to Implement the FACT Act #64. The Commission has not added such a statement to the final Rule because of its clear statement in the NPR, which it reaffirms here, that the sale, donation, or transfer of consumer information, by itself, does not constitute “disposal” under the Rule's definition. Of course, the FCRA's restrictions on the sale and use of consumer information are still applicable even when such information is sold, donated, or transferred in a manner that would not amount to “disposal” under this Rule.
42. See, e.g., Comment, TransUnion #44; Comment, Mastercard #29; Comment, Consumer Bankers Association #53; Comment, Coalition to Implement the FACT Act #64.
43. See Comment, Consumers Union #8.
44. See, e.g., Comment, Experian #59; Comment, TransUnion #44; Comment, Mastercard #29; Comment, Equifax #54.
45. For example, a consumer who applies for a loan from a financial institution, but is rejected based on information in her credit report, is not a “customer” of the financial institution under the GLBA and her credit report would therefore not be protected by the Safeguards Rule; however, her credit report would be “consumer information” under the Disposal Rule. Credit reports obtained about employees or prospective employees are also not “customer” information covered under the GLBA, but would be “consumer information” under the Disposal Rule.
46. Example 5 also illustrates that, for financial institutions subject to the Safeguards Rule, incorporation of the requirements of this rule into the information security program required by the Safeguards Rule constitutes compliance with this rule.
47. See, e.g., Comment, National Association of Professional Background Screeners #7; Comment, MBNA #19; Comment, Experian #59; Comment, CUNA #22; Comment, Visa U.S.A. #23; Comment, Equal Employment Advisory Council #26; Comment, TransUnion #44; Comment, National Independent Automobile Dealers Association #53; Comment, Mastercard #29; Comment, Equifax #31; Comment, Consumer Bankers Association #53; Comment, CDIA #46; Comment, NAID #49; Comment, Bank of America #51; Comment, National Automobile Dealers Association #52; Comment, SIIA #56; Comment, Michigan Credit Union League #58; Comment, Coalition to Implement the FACT Act #64.
48. See, e.g., Comment, National Independent Automobile Dealers Association #53; Comment, Mastercard #29; Comment, Consumer Bankers Association #36; Comment, Coalition to Implement the FACT Act #64.
49. See, e.g., Comment, Equal Employment Advisory Council #26; Comment, Equifax #31.
50. See, e.g., Comment, MBNA #19; Comment, Visa U.S.A. #23; Comment, Coalition to Implement the FACT Act #64.
51. See, e.g., Comment, Consumers Union #8; Comment, NAID #49; Comment, Privacy Rights Clearinghouse #39.
52. See, e.g., Comment, CUNA #22; Comment, Mastercard #29; Comment, Countrywide Home Loans #43; Comment, Michigan Credit Union League #58.
53. See, e.g., Comment, CDIA #46; Comment, Equifax #54; Comment, NAID #49.
54. Comment, PRISM International #21; Comment, NAID #49.
55. Comment, PRISM International #21; Comment, NAID #49.
56. Comment, PRISM International #21; Comment, NAID #49.
57. Although the example involves a disposal service provider, the measures it contemplates would also generally be reasonable with respect to other types of service providers.
58. See, e.g., Comment, MBNA #19; Comment, America's Community Bankers #24; Comment, American Financial Services Association #33; Comment, Bank of America #51.
59. Comment, Consumers Union #8.
60. See, e.g., Comment, CUNA #22.
61. See, e.g., Comment, Experian #59; Comment, TransUnion #44; Comment, National Independent Automobile Dealers Association #53; Comment, Equifax #54; Comment, American Financial Services Association #33; Comment, American Insurance Association #50; Comment, Consumer Bankers Association #53; Comment, CDIA #46; Comment, National Automobile Dealers Association #52; Comment, Coalition to Implement the FACT Act #64.
62. 5 U.S.C. 603-605. These numbers represent the size standards for most retail and service industries ($6 million total receipts) and manufacturing industries (500 employees). A list of the SBA's size standards for all industries can be found at http://www.sba.gov/size/summary-whatis.html.
64. Supplemental Comments were received from the NAID, the National Association of Realtors (NAR), the American Bankers' Association, ACRAnet, and an individual commenter.
65. See, e.g., Supp. Comment, NAID #6; Supp. Comment, Ms. Lisa Beavers #2; Supp. Comment, NAR #3.
66. The NAID, the NAR, the American Bankers' Association, and two individual commenters.
67. The other two comments raised issues already considered with respect to the rule generally.
68. Supp. Comment, NAID #6.
69. Supp. Comment, Beavers #2.
70. Comment, Virginia Credit Union, Inc. #10; Comment, IndyShred #15; Comment, NAR #60; Comment, AccuShred, LLC #45.
71. “Consumer Information” is defined in the proposed rule as any “record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.”
72. This number represents 2001 totals as reported by the SBA. See http://www.sba.gov/advo/stats/.
73. See Supp. Comment, NAID #6; Supp. Comment, Ms. Lisa Beavers #2; Supp. Comment, NAR #3.
[FR Doc. 04-25937 Filed 11-23-04; 8:45 am]
BILLING CODE 6250-01-P
Document Information
- Effective Date: 6/1/2005
- Published: 11/24/2004
- Department: Federal Trade Commission
- Entry Type: Rule
- Action: Final rule.
- Document Number: 04-25937
- Dates: This rule is effective on June 1, 2005.
- Pages: 68689-68697 (9 pages)
- RINs: 3084-AA94: Fair and Accurate Credit Transactions Act of 2003
- RIN Links: https://www.federalregister.gov/regulations/3084-AA94/fair-and-accurate-credit-transactions-act-of-2003
- Topics: Credit, Trade practices
- PDF File: 04-25937.pdf
- CFR: (5)
  - 16 CFR 682.1
  - 16 CFR 682.2
  - 16 CFR 682.3
  - 16 CFR 682.4
  - 16 CFR 682.5