Small Business Monthly
Legal Edge

Disposing of Identity Theft
New regulations require companies to protect consumer credit information.

By Diane Waters and Paul Croker

Businesses of all sizes are expected to protect consumers from identity theft, according to the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
FACTA amended the Fair Credit Reporting Act by imposing and authorizing various rights and responsibilities relevant to credit information. Provisions of FACTA have been phased in over the last couple of years, and are directed toward reducing identity theft and the losses incurred by identity theft victims.  

FACTA and the resulting rules and regulations provide standards with respect to the following: (1) disposal of consumer report information and records, (2) creditors providing notice of negative information provided to credit agencies, and (3) information that must be provided to victims of identity theft upon proper request.

Further, FACTA provides that receipts for credit and debit card transactions may not include more than the last five digits of the card number or expiration date, and if a fraud alert is placed on an individual's credit report, then any business that is asked to extend credit is required to take certain actions to determine that the credit application was not made by an identity thief. These are just some of the effects FACTA and the resulting rules and regulations will have on businesses.

Disposal of Records
One of the more recent Federal Trade Commission regulations of FACTA became effective June 1, and is known as the Disposal of Consumer Report Information and Records. It regulates the method and manner of disposal of various records and applies to any person or business that maintains or otherwise possesses consumer information, whether on paper, electronic, or other form, that is a consumer report.

Very generally, that means if your business has any information related to an individual's creditworthiness, credit standing, character, reputation, personal characteristics or "mode of living," and if that information is generally used for any number of purposes including, but not limited to, employment, credit or insurance purposes, then the regulation likely applies to your business.

Some examples of businesses that might be affected include consumer reporting agencies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, and any other entities that utilize consumer information.

Your Responsibilities
If you determine that this regulation does apply to your business, the next challenge is to figure out how your business is affected. You must take reasonable measures to protect against unauthorized access or use of the information with respect to disposal of consumer information. Based upon the language of the regulations, at a minimum you have the responsibility of establishing policies and procedures on the methods of records disposal. Additionally, you must have employee training on the disposal of such consumer information.

Policies and procedures must ensure that disposal of records is sufficient to protect the consumer. At a minimum, this likely means shredding documents and deleting computer hard drives. It is possible, and even likely in many circumstances, that something in addition to shredding and deleting is required. One problem with the regulation is that it lacks clarity on how far an entity must go to protect the consumer.

Intentional Vagueness
The regulation was apparently left vague in an effort not to impose unreasonably onerous duties and responsibilities on the smallest businesses, while still setting the expectation of thorough protective measures by larger businesses.

The result leaves everyone guessing. The Federal Trade Commission clearly states that "reasonable measures" must be taken both during and after the disposal process. Businesses must use their own judgment as to what is appropriate for their particular circumstances. Of course, when developing these "reasonable measures," it is important to remember that anyone reviewing whether your measures are "reasonable" will likely be doing it with the benefit of hindsight.

FACTA has far-reaching implications for all businesses, including even the smallest small business. The total impact of FACTA will not be known for years to come as the regulations are enacted, implemented and enforced. In the meantime, any business that has access to personal consumer information or records needs to take steps to make certain that it is in compliance with the recently implemented disposal of records rule.

Diane Waters is with Martin, Pringle, Oliver, Wallace and Bauer, LLP, specializing in general business and litigation. She can be reached at (913) 491-5500. Paul Croker is with Wallace Saunders Austin Brown & Enochs, specializing in general business. He can be reached at (913) 888-1000.

® 2006 Kansas City Small Business Monthly, Inc. All rights reserved.