FTC Seeks Comment on Proposed FACT Act Regulations on Records Disposal and Identity Theft

The FTC has set a June 15 deadline for comments on two sets of proposed rules that, while they arise from the Fair and Accurate Credit Transactions Act (FACT Act or the Act), should be followed closely because of their broader implications for authentication and data destruction issues and their potential effect on virtually all companies that interact directly or indirectly with consumers. For example, just as the Gramm-Leach-Bliley financial privacy safeguard standards have been used more broadly outside of the financial context by the FTC as the standard of care for procedures to ensure the protection of consumer information (such as in connection with the Tower Records and Guess Inc. FTC security enforcement actions; see previous published article, "Check Your Privacy Policies And Implement Data Security Programs" - link provided at bottom of page), the requirements articulated in these rules are likely to have broader implications for data destruction and authentication in non-credit reporting contexts. We describe both of these rules in turn below.

Disposal Proposed Rule

This proposed rule would apply to essentially any organization that possesses consumer data that, if disclosed improperly, could be used by identity thieves. This would include consumer reporting agencies, resellers of consumer reports, lenders, insurers, employers, landlords, government agencies, mortgage brokers, auto dealers, and waste disposal companies. This proposal emerges from the FTC’s obligation under the FACT Act to issue final regulations requiring any person who maintains or otherwise possesses consumer information or any compilation of consumer information derived from consumer reports for a business purpose to properly dispose of any such information.

Specifically, the proposed rule would require that "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal" be taken by any person who possesses "any record about an individual . . . that is . . . derived from a consumer report," including information from a consumer report that has been combined with other types of information. Thus, the commentary notes, "any person that possesses such information, including an affiliate that has received it under the affiliate sharing provisions of the Fair Credit Reporting Act, would be properly required to dispose of it."

The commentary to the proposal also provides guidance with respect to what constitutes "reasonable measures," stating that these measures would require elements such as the establishment of policies and procedures governing disposal, as well as appropriate training.

The proposed rule would not require covered entities to "ensure perfect destruction in every instance." Rather, covered entities would be required to develop data destruction policies commensurate with the sensitivity of the data and the size of the business. The FTC stated that this approach would afford covered entities the flexibility to "make decisions appropriate to their particular circumstances" and minimize disruption of existing procedures, assuming those existing procedures are appropriate.

The proposed rule includes specific examples of disposal measures that would satisfy the reasonable measures standard set out in the proposal. Among these examples are: (1) implementing and monitoring compliance with policies and procedures requiring the shredding of papers containing consumer information or the destruction or erasure of electronic media containing consumer information so that the information cannot practically be read or reconstructed; and (2) due diligence in entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of consumer information consistent with the rule. For traditional garbage collectors, the proposed rule would require disposal of garbage in accordance with standard procedures.

For financial industries covered by the Gramm-Leach-Bliley Act (GLBA), the proposed rule attempts to harmonize disposal with the Safeguards rule implementing Section 510(b) of GLBA. The proposal recommends incorporation of policies that comply with the disposal rule into the broader information security program mandated by the Safeguards rule. This is significant in part because the FTC has repeatedly extended its GLBA safeguard requirements to entities that are not "financial institutions," such as online merchants guess.com and TowerRecords.com. Thus, the FTC is likely to incorporate the final disposal rule into future consent orders settling enforcement actions arising from alleged security-related violations.

The FTC invites comment on all aspects of the rule, including: (1) the costs and benefits of the proposed standard; (2) the costs and benefits of any alternative standards; (3) the appropriateness and usefulness of providing examples in the rule of reasonable record disposal measures; and (4) the merits of the examples included in the Federal Register notice, as well as any other standards or examples that the FTC should consider to provide guidance on appropriate record disposal.

The full proposal can be found at

Proposed Rule Regarding Identity Theft and Requirements for Credit Report Fraud Alerts

The second rulemaking arises from provisions in the FACT Act that arguably preempt similar provisions in state laws. These FACT Act provisions confer certain rights on victims of identity theft to assist them in resolving problems caused by identity theft. Specifically, identity theft victims have new rights to place "fraud alerts" on their credit reports, and to work with creditors and credit bureaus to block negative information from appearing in their files that results from identity theft. The Act also allows consumers to request that a credit bureau truncate their social security number when disclosing their credit report.

Moreover, the Act creates certain requirements designed to reduce the occurrence of identity theft. Thus, the definition of identity theft is critical because it defines who is a victim entitled to take advantage of the rights under the Act, as well as the scope of the fraudulent conduct against which entities must take preventive measures.

Definitions of "identity theft" and "identity theft reports"

This proposal would define the term "identity theft" as a fraud, committed or attempted, using a person’s identifying information without lawful authority. The term "identifying information" would be defined as "any name or number that may be used, alone, or in conjunction with any other information, to identify a specific individual, including any name, SSN, date of birth, driver’s license or identification number, passport or tax id number, unique biometric identifier, unique electronic identification number, or telecommunication identifying information."

The proposed rule also would require "identity theft reports" in order to obtain an extended fraud alert on a consumer credit file and to block negative information resulting from identity theft from appearing in a consumer’s credit file.

Appropriate proof of identity

The proposal also addresses the issue of "appropriate proof of identity" to block a fraudulent trade line, place or remove a fraud alert, or obtain a file disclosure containing a truncated social security number. Under the proposal, credit bureaus would be required to develop "reasonable requirements" (1) to ensure that each consumer is matched with his or her file; and (2) to adjust the information requested to prevent identifiable risks of harm.

With respect to the consumer file match, the FTC recommends that the identification information include full name (first, middle initial, last, suffix), full address (street number and name, apartment number, city, state, and ZIP code), full nine-digit social security number, and/or date of birth. For additional proof of identity, the FTC recommends copies of government-issued identification cards, utility bills, and/or other current authentication methods, such as answers to questions only the consumer would know.

The full proposal can be found here.

This article is intended to provide information on recent legal developments. It should not be construed as legal advice or legal opinion on specific facts. Pursuant to applicable Rules of Professional Conduct, it may constitute advertising.
