A recent blog posting by the Federal Trade Commission (FTC) on data retention and disposal practices is the genesis of this post. The posting discusses the importance of having a plan in place in case a natural disaster, a hurricane or a flood, hits your company: what would happen to your online and offline customer data? The FTC offers the following “data minimization and disposal tips:
- Take stock. Create an inventory of the personal information you have. That way, if your files are destroyed or lost in a natural disaster, you’ll know what information is involved.
- Scale down. Collect only what you need. For example, if there’s no business reason why you have to have someone’s Social Security number, don’t ask for it in the first place. Keep records only as long as you have a reason to maintain them. Don’t hold onto customer credit card information unless you have a business need for it.
- Lock it. Store personal information in the safest part of your building. If information is missing after a natural disaster, contact law enforcement. If possible – this is where your inventory helps – contact affected individuals so they can place a fraud alert on their credit reports.
- Pitch it. Properly dispose of what you no longer need. Shred, burn or pulverize paper records before discarding. If you use consumer credit reports for a business purpose, you may also be subject to the FTC’s Disposal Rule.”
I couldn’t agree more with the above bullet points. But let’s expand upon this topic and talk about background check reports used for employment or tenancy screening purposes and their proper disposal. These reports, defined under the federal Fair Credit Reporting Act (FCRA) as consumer reports, must be disposed of in a way that protects against unauthorized access. For hard copies, that means shredding, burning or pulverizing. For electronic records, it means wiping the file or media so that the information cannot be read, reconstructed or recreated; simply deleting a file does not meet that bar, because a deleted file’s contents typically remain on the storage medium until they are overwritten.
The FCRA’s Disposal Rule (“Rule”), which took effect in 2005, provides that when a company’s data retention policy allows for the disposal of consumer reports (aka background check reports), which contain sensitive personal information about employees or tenants, they must be disposed of in a manner that protects against “unauthorized access to or use of the information” (FCRA § 628). The FTC enforces the Rule. The Rule covers not only the background screening companies that provide the reports, but also the employers and landlords who use them.
The Rule requires disposal practices that are reasonable and appropriate for the type of personal information retained and being disposed of. To quote the FTC directly, “reasonable measures for disposing of consumer report information could include establishing and complying with policies to:
- burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
  - reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
  - obtaining information about the disposal company from several references;
  - requiring that the disposal company be certified by a recognized trade association;
  - reviewing and evaluating the disposal company’s information security policies or procedures.”
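The second bullet, erasing electronic files so they cannot be read or reconstructed, is the one most often done badly: moving a report to the trash or calling `unlink` leaves its blocks on disk. The script below is an added example written for this post (it is not FTC guidance or the original author’s code) showing overwrite-then-delete for a single report file, with a check that the original text is really gone before the file is removed. The sample report, the filenames and the `demo()` helper are constructed for the illustration. The approach assumes storage that rewrites blocks in place, such as a traditional magnetic disk without snapshots or copy-on-write; on SSDs, on btrfs, ZFS or APFS, or anywhere snapshots and backups exist, overwriting one file does not reach every copy, and the appropriate control is encryption at rest with destruction of the key, or a device-level secure erase.

```python
"""Overwrite-then-delete for electronic consumer report files.

Added example, not FTC or original-author code. Assumes a filesystem that
rewrites blocks in place (classic magnetic disk, no snapshots or copy-on-write).
On SSDs, CoW filesystems or anything with snapshots/backups, use encryption at
rest plus key destruction, or a device secure erase, instead.
"""
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes written per write() call

# Constructed sample record, standing in for a background check report.
SAMPLE_REPORT = (
    b"CONSUMER REPORT - EMPLOYMENT SCREENING\n"
    b"Subject: Jane Q. Sample\n"
    b"SSN: 000-00-0000\n"
    b"Prior address: 1 Example Street, Anytown\n"
    b"Criminal records search: no records found\n"
)


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` with random data `passes` times, forcing
    each pass to disk with fsync. Returns the number of bytes per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def _sync_directory(directory: str) -> None:
    """Make the rename/unlink durable. Opening a directory is not supported on
    every platform (Windows refuses), so failures are ignored."""
    try:
        dfd = os.open(directory, os.O_RDONLY)
    except OSError:
        return
    try:
        os.fsync(dfd)
    except OSError:
        pass
    finally:
        os.close(dfd)


def wipe_file(path: str, passes: int = 3) -> bool:
    """Overwrite, truncate, rename to a random name (the original filename may
    itself identify the subject), then unlink. Returns True if `path` is gone."""
    overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    _sync_directory(directory)
    return not os.path.exists(path)


def demo() -> dict:
    """Write the sample report to a temp file, overwrite it, confirm the
    subject's name is no longer readable, then delete it."""
    directory = tempfile.mkdtemp()
    path = os.path.join(directory, "jane_q_sample_report.txt")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_REPORT)
    overwritten = overwrite_in_place(path, passes=2)
    with open(path, "rb") as fh:
        after = fh.read()
    result = {
        "overwritten_bytes": overwritten,
        "size_unchanged_after_overwrite": len(after) == len(SAMPLE_REPORT),
        "original_text_found_after_overwrite": b"Jane Q. Sample" in after,
        "removed": wipe_file(path),
    }
    os.rmdir(directory)
    return result


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The file is fsynced after every pass so the overwrite actually reaches the platter rather than sitting in the page cache when the process exits, and the file is renamed to a random name before unlinking because a name like `jane_q_sample_report.txt` can survive in directory entries and journals long after the contents are gone. Neither step helps if the report was also e-mailed, attached to a ticket, or captured in a backup, which is why the inventory in the FTC’s first tip matters as much as the wipe itself.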
Note that section 628 of the FCRA provides for the issuance of regulations related to the disposal of records. The Rule itself is codified at 16 CFR Part 682.