CUNA Regulatory Comment Call
May 4, 2004
FTC Proposal on Disposal of Consumer Report Information
(Major Rule Applies to State-Chartered Credit Unions)
- The Fair and Accurate Credit Transactions (FACT) Act was enacted this past December and permanently extends the federal preemptions for credit reporting under the Fair Credit Reporting Act (FCRA). It also enhances the ability of consumers to combat identity theft, increases accuracy of credit reports, and allows consumers to exercise greater control regarding the marketing solicitations they receive. The FACT Act also restricts the use and disclosure of medical information.
- The FACT Act requires the Federal Trade Commission (FTC) and the financial institution regulators to issue comparable rules regarding the proper disposal of consumer report information and records that are also consistent with the Gramm-Leach-Bliley Act (GLBA) provisions on information security, as well as other similar provisions of federal law. The FTC rule will apply to state-chartered credit unions. NCUA will shortly issue a comparable rule that will apply to federal credit unions. The NCUA rule is expected to be an amendment to the rule that addresses guidelines for safeguarding of member information.
- Comments on the FTC proposed rule are due by June 15, 2004. Please submit your comments to CUNA by June 7, 2004. If you provide comments directly to the FTC, please refer to The FACT Act Disposal Rule, R-411007.
Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at firstname.lastname@example.org and to Assistant General Counsel Jeff Bloch at email@example.com; or mail them to Mary and Jeff c/o CUNA's Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule, or you may access it on the Internet at the following address: http://www.ftc.gov/os/2004/04/040415factafrn.pdf.
President Bush this past December signed into law the FACT Act that permanently extends the federal preemptions for credit reporting under the FCRA. The new law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.
The FACT Act will be implemented through a number of new rules that will be issued this year. A special issue of RegWatch that describes the significant provisions of the FACT Act is available at: http://www.cuna.org/reg_advocacy/member/regwatch/regwatch.html.
DESCRIPTION OF THE PROPOSED RULE
The proposed rule will require state-chartered credit unions, as well as other businesses, that possess consumer information derived from consumer reports for business purposes to dispose of the information in a proper manner. The purpose is to prevent unauthorized disclosures and to reduce the risk of fraud and similar crimes, such as identity theft. The rule is intended to be similar to the rules that will be issued by the other financial institution regulators, including the rules for federal credit unions that will be issued by NCUA, as well as similar to the information security provisions of the GLBA and other comparable federal laws.
The term "consumer information" means any record of an individual in any form, paper or electronic, that is a consumer report or derived from a consumer report. The definition of "consumer report" is the same as currently used under FCRA, which generally means credit, reputation, personal, or mode of living information used to establish eligibility for credit, employment, and for certain other purposes. Information that is derived from consumer reports but does not identify any specific consumers would not be covered under the proposed rule.
The term "disposal" means the discarding or abandonment of consumer information, as well as the sale, donation, or transfer of any medium, including computers, upon which consumer information is stored. By itself, the sale, donation, or transfer of consumer information would not be considered "disposal" for purposes of this rule.
The following two criteria determine if one is covered under the proposed rule:
- Whether the business maintains or otherwise possesses the consumer information for a business purpose.
- Whether the record being disposed of contains consumer information, or any compilation of consumer information. This includes consumer reports, as well as records containing consumer information, or any compilation of consumer information, that is derived from consumer reports.
The rule is likely to cover any entity that possesses or maintains consumer information, but will not cover an individual who has obtained his or her consumer report. The rule will also include affiliates that receive the information under the FCRA provisions that refer to the sharing of such information after the consumer has an opportunity to opt out of the sharing.
Regarding the disposal of information, those covered under the rule will be required to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. This does not require perfect destruction of consumer information in every situation. Determining reasonable measures is expected to include consideration of the sensitivity of the information, the nature and size of the entity's operations, the costs and benefits of different disposal methods, and relevant technological changes. Implementing reasonable measures will very likely require policies and procedures that address disposal, as well as employee training.
The proposed rule is intended to be flexible so businesses may make decisions on disposing of information that are appropriate to their particular circumstances, which should minimize disruption of existing practices if such practices already provide appropriate protections for consumers. This is intended to minimize burdens for smaller entities, such as credit unions.
The proposed rule includes the following examples of reasonable disposal measures (these are intended to serve as guidance; entities covered under the rule may choose other appropriate measures):
- Burning, pulverizing, or shredding of papers containing consumer information so it cannot be read or reconstructed.
- Destruction or erasure of electronic media containing consumer information so it cannot be read or reconstructed.
- After due diligence, entering into and monitoring a written contract with a third party engaged in the business of record destruction to dispose of consumer information in a manner consistent with this rule. Due diligence could include the following:
  - Reviewing an independent audit of the company's operations and/or its compliance with this rule.
  - Obtaining information from several references or other reliable sources.
  - Requiring certification by a recognized trade association or similar third party.
  - Reviewing the company's information security policies or procedures.
  - Taking other measures to determine the competency or integrity of the company.
- For companies hired to dispose of consumer information, policies and procedures that protect against unauthorized access or use of consumer information during collection and transportation and disposing of such information in accordance with the first two examples described above.
- For garbage collectors, the disposing of garbage in accordance with standard procedures.
QUESTIONS TO CONSIDER REGARDING THE FTC'S PROPOSAL ON DISPOSAL OF CONSUMER INFORMATION (The FTC has specifically requested comment on most of the issues raised in these questions.)
- Are the definitions for "consumer information" and "disposal" clear? Do they need further clarification, either by example or otherwise?
- Do the burdens of the rule exceed the benefits for consumers? Are there alternative standards for the disposal of consumer information that would reduce burdens?
- Are the standards for disposal flexible enough and do they minimize burdens for smaller entities, such as credit unions? Should any entities be exempt from these rules?
- Are the examples provided in the rule of reasonable record disposal measures appropriate and useful? Are there other examples or standards that should be included?
- Other comments?
Eric Richard General Counsel (202) 508-6742 firstname.lastname@example.org
Mary Mitchell Dunn SVP & Associate General Counsel (202) 508-6736 email@example.com
Jeffrey Bloch Assistant General Counsel (202) 508-6732 firstname.lastname@example.org
Catherine Orr Senior Regulatory Counsel (202) 508-6743 email@example.com