(4) For natural or legal persons who maintain or otherwise possess consumer information by providing services directly to a person subject to this Part, implement and monitor compliance with policies and procedures that protect against unauthorized or accidental disposal of consumer information, and dispose of such information in accordance with examples (b)(1) and (2) of this section. The disposal rule prescribes disposal practices that are appropriate and appropriate to prevent unauthorized access to or use of information contained in a consumer report. Appropriate measures for the disposal of consumer reporting information could, for example, include establishing and enforcing policies to: The rule provides several examples of what the Commission considers to be appropriate measures to protect consumer information related to its disposal, including policies and procedures that include (1) burning, spraying or shredding paper, or (2) destroying or deleting electronic information. Media containing consumer information require that the information be read or reconstructed in practice. These examples are intended to provide guidance to affected businesses on how to comply with Start Printed Page 52847, but are not intended to be safe haven rules or proprietary methods of compliance. In promulgating the rule, the FTC noted that there are few foolproof methods for destroying records and that entities covered by the rule must consider their own particular circumstances when deciding how best to comply with the rule. In accordance with the directive of the Act, the Commission promulgated the Sales Regulation in 2004, which entered into force on 1 June 2005. [1] The Elimination Rule requires persons under the jurisdiction of the FTC who retain or otherwise possess consumer information for a business purpose to properly dispose of that information by taking reasonable steps to protect against unauthorized access to or use of the information in connection with its disposal. The rule defines “consumer information” as “any document of a person, whether in paper, electronic or other form, that is a consumer report or derived from a consumer relationship.
Consumer information also means the compilation of these registers. Consumer information does not include information that does not identify individuals, such as aggregated information or blind data. [2] (5) For individuals subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq. and the Federal Trade Commission standards for the protection of customer information, 16 CFR Part 314 (“Safeguards Rule”), which include the appropriate disposal of consumer information under this rule in the information security program required by the safeguard rule. According to the FTC, the standard for the appropriate disposal of consumer report information is flexible and allows organizations and individuals subject to the rule to determine which measures are appropriate based on the sensitivity of the information, the costs and benefits of different disposal methods, and technological changes. The ultimate goal of disposal is “that the information cannot be read or reconstructed.” With paper documents, you can shred, burn or spray them. We recommend a cap crusher if you choose this route. Any business or person that uses a consumer report for commercial purposes is subject to the requirements of the disposal rule. The rule requires the appropriate disposal of information contained in consumer reports and records to protect them from “unauthorized access to or use of information.” The Federal Trade Commission, the national consumer protection agency, enforces the elimination rule. To protect the confidentiality of consumer information and reduce the risk of fraud and identity theft, federal regulations require businesses to take appropriate steps to remove sensitive information from consumer reports. (3) After due diligence, enter into and monitor compliance with a contract with another party engaged in the record destruction business to dispose of material specifically marked as consumer information in accordance with this rule. In this context, due diligence could include verification of an independent audit of the waste management company`s activities and/or compliance with this rule, collection of information on the waste management company from multiple references or other reliable sources, the requirement that the waste management company be certified by a recognised trade association or similar third party, Verification and evaluation of the include the waste management company`s information security policies or procedures.
or take other appropriate measures to determine the competence and integrity of the potential waste management undertaking. For more information, the FTC has put together an excellent website that provides recommendations on “appropriate” disposal. You can check it here: www.ftc.gov/tips-advice/business-center/guidance/disposing-consumer-report-information-rule-tells-how If you are interested, you can read the rule in its entirety here: www.ecfr.gov/cgi-bin/text-idx?SID=05ef5f2c86602203c40e44237833e01e&mc=true&node=pt16.1.682&rgn=div5. The Federal Trade Commission completed its regulatory review of its policy on the disposal of consumer reporting information and records as part of its systematic review of all current Commission regulations and directives and decided to maintain the rule in its current form.