The Federal Trade Commission’s (FTC) Disposal Rule loosely outlines what needs to happen to any consumer report that your company gains access to, and the sensitive information derived from those reports.
What is a Consumer Report?
Consumer reports are governed by the Fair Credit Reporting Act (FCRA) and consist of any information that you get from a consumer reporting agency (CRA), such as credit reports, credit scores, and background checks.
For a more technical definition of a ‘consumer report’ we consulted the Legal Information Institute run by the Cornell Law School:
“the term “consumer report” means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—
(A) credit or insurance to be used primarily for personal, family, or household purposes;
(B) employment purposes; or
(C) any other purpose authorized under section 1681b of this title.”
The Disposal Rule
The Disposal Rule says that anyone who has information from a consumer report must ensure that the information is properly disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
The Federal Trade Commission enforces the Disposal Rule, which came into effect in June of 2005, in an effort to protect the privacy of consumers by keeping sensitive information out of the hands of hackers, dumpster divers, and data thieves. The rule covers both hard copy and electronic formats of any information derived from a consumer report and, of course, the report itself.
If you’re interested, you can read the rule in its entirety here: https://www.ecfr.gov/cgi-bin/text-idx?SID=05ef5f2c86602203c40e44237833e01e&mc=true&node=pt16.1.682&rgn=div5.
Tips to Comply with the Disposal Rule
Disposal should be carried out “so that the information cannot be read or reconstructed.” With paper records, you can shred, burn, or pulverize them. We recommend a cross-cut shredder if you choose that route.
With digital records, we turned to the experts at MIT, who recommend a couple of ways to securely erase digital information, including using software tools or destroying the disk entirely.
For further information, the FTC has a great web page set up outlining recommendations about “proper” disposal. You can check it out here: https://www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how
When can you dispose of the information?
There isn’t a hard and fast rule around when you need to dispose of the information from a consumer report. We recommend following the guidelines set out by the Equal Employment Opportunity Commission (EEOC) around personnel and employment records, which state that, in most circumstances, you need to keep the records for one year.
As an aside, when a CRA, such as AIS, gathers information to compile a consumer report for a customer, the records are deemed “business records” and must be kept for 7 years. Once the 7 years have elapsed, the CRA can securely dispose of the records.
It is likely that you will need to adhere to the FTC’s Disposal Rule at some point. It is important that you understand what information falls under the rule, how and when to dispose of it, and where to get more information if you are unsure about any part of the rule.