CUNA Regulatory Comment Call

May 4, 2004

FTC Proposal on Disposal of Consumer Report Information
(Major Rule – Applies to State-Chartered Credit Unions)


Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at and to Assistant General Counsel Jeff Bloch at; or mail them to Mary and Jeff in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. You may also contact us at 800-356-9655, ext. 6732, if you would like a copy of the proposed rule, or you may access it on the Internet at the following address:


This past December, President Bush signed into law the FACT Act, which permanently extends the federal preemptions for credit reporting under the FCRA. The new law also creates a number of important new consumer protections designed to help prevent identity theft and assist consumers who become victims of this rapidly growing crime. It also contains new restrictions on information sharing and creates a new federal commission that will coordinate financial education efforts at the national, state, and local levels.

The FACT Act will be implemented through a number of new rules that will be issued this year. Access below for a special issue of RegWatch that describes the significant provisions of the FACT Act:


The proposed rule will require state-chartered credit unions, as well as other businesses, that possess consumer information derived from consumer reports for business purposes to dispose of the information in a proper manner. The purpose is to prevent unauthorized disclosures and to reduce the risk of fraud and similar crimes, such as identity theft. The rule is intended to be similar to the rules that will be issued by the other financial institution regulators, including the rules for federal credit unions that will be issued by NCUA, as well as similar to the information security provisions of the GLBA and other comparable federal laws.

The term “consumer information” means any record of an individual in any form, paper or electronic, that is a consumer report or derived from a consumer report. The definition of “consumer report” is the same as currently used under FCRA, which generally means credit, reputation, personal, or mode of living information used to establish eligibility for credit, employment, and for certain other purposes. Information that is derived from consumer reports but does not identify any specific consumers would not be covered under the proposed rule.

The term “disposal” means the discarding or abandonment of consumer information, as well as the sale, donation, or transfer of any medium, including computers, upon which consumer information is stored. By itself, the sale, donation, or transfer of consumer information would not be considered “disposal” for purposes of this rule.

The following two criteria determine if one is covered under the proposed rule:

The rule is likely to cover any entity that possesses or maintains consumer information, but will not cover an individual who has obtained his or her consumer report. The rule will also include affiliates that receive the information under the FCRA provisions that refer to the sharing of such information after the consumer has an opportunity to “opt out” of the sharing.

Regarding the disposal of information, those covered under the rule will be required to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. This does not require perfect destruction of consumer information in every situation. Determining “reasonable” measures is expected to include consideration of the sensitivity of the information, the nature and size of the entity’s operations, the costs and benefits of different disposal methods, and relevant technological changes. Implementing reasonable measures will very likely require policies and procedures that address disposal, as well as employee training.

The proposed rule is intended to be flexible so that businesses may make decisions on disposing of information that are appropriate to their particular circumstances, which should minimize disruption of existing practices if such practices already provide appropriate protections for consumers. This is intended to minimize burdens for smaller entities, such as credit unions.

The proposed rule includes the following examples of reasonable disposal measures (these are intended to serve as guidance; entities covered under the rule may choose other appropriate measures):

QUESTIONS TO CONSIDER REGARDING THE FTC’S PROPOSAL ON DISPOSAL OF CONSUMER INFORMATION (The FTC has specifically requested comment on most of the issues raised in these questions.)

Eric Richard • General Counsel • (202) 508-6742
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743