Protecting Background Check Information
Are you ready? Identity theft protection rule sneaks up on car dealers
A little-noticed provision of the FACT Act takes effect June 1, 2005.
A largely ignored provision of the 2003 Fair and Accurate Credit Transactions Act (FACT Act) now requires employers to dispose of consumer report and credit information “properly.”
Beginning June 1, 2005, any person who maintains or possesses “consumer information” must be prepared to dispose of these records in a way that ensures that the information will not be improperly accessed or used.
This requirement is one of many provisions in the FACT Act intended to protect consumer privacy and to prevent identity theft.
So, if you receive a credit report or any other investigative report regarding an applicant or employee, you should have a plan to dispose of that information in the future.
FACT Act
First, here is some background on the requirement.The FACT Act amended the Fair Credit Reporting Act (FCRA), which is the federal law that governs consumer credit reports.
Specifically, FCRA requires employers that use outside agencies to perform credit or other background checks (including criminal, reference, or driving record checks) to comply with comprehensive notice, consent, and disclosure obligations both prior to doing the checks and after the results are reported.
The FACT Act added an additional obligation to the FCRA ordering the Federal Trade Commission (FTC) to issue regulations to require “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.”
Without much fanfare, the FTC issued a final rule on November 24, 2004 addressing the disposal of consumer report information and records.
Disposal rules
The new rule is designed “to reduce the risk of consumer fraud and related harms, including identify theft, created by improper disposal of consumer information.”It applies to any person over whom the FTC has jurisdiction and who maintains or possesses consumer information for business purposes.
Accordingly, employers that collect consumer information to make hiring, promotion, or other employment decisions are covered.
The rule requires the proper disposal of consumer information.
Specifically, you now must take “reasonable measures” to protect against unauthorized access to, or use of, the information when you dispose of it.
“Consumer information” is defined by the rule to include any record about an individual that is a consumer report or is derived from a consumer report, as defined under the FCRA.
(Under the FCRA, a consumer report includes any written, oral, or other communication of any information by a consumer reporting agency regarding a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used as a factor to establish the consumer’s eligibility for employment.)
The record is covered if it is in paper, electronic, or other form.
The rule defines “dispose,” “disposing,” and “disposal” to mean the discarding or abandonment of the consumer information or the sale, donation, or transfer of any medium (such as computer equipment) that stores the information.
Proper disposal
The rule provides several examples of “reasonable measures” to prevent unauthorized access or use of the information when it is disposed.The examples are not intended to be all-inclusive, but they do illustrate how you can comply with the standard.
Implement and monitor policies that require your employees to burn, pulverize, or shred papers containing consumer information so that the information cannot practicably be read or reconstructed.
Implement and monitor policies that require your employees to destroy or erase electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
Enter into a contract with another party engaged in the business of record destruction to dispose of the material properly.
You also must use “due diligence” to ensure that the company complies with the FACT Act and must identify which material is consumer information.
Some limitations
Although the FACT Act is intended to protect consumers against fraud and identity theft, it only addresses the disposal of narrowly defined consumer information, not all employee information.
It also does not address how records should be kept or maintained.
So, for example, it does not require you to restrict access to your consumer information files or keep them locked up.
Further, it does not stipulate when information must be destroyed, so it does not affect any current record keeping requirements imposed by other laws, such as Title VII of the Civil Rights Act or the Americans with Disabilities Act.
Still, it does require your compliance, or you will be subject to the FCRA’s fines and penalties, which can be substantial if a large number of files are involved.
Fortunately, the rule provides the examples above on how to dispose of the information properly, and they are fairly simple to apply.
But, the FACT Act disposal rule does not address a bigger issue – namely, your responsibility to protect your employees from workplace identity theft.
Recently publicized incidents of workplace-related identity theft have put employers on notice that they could be liable if they are negligent with their employees’ files.
And, a few states have enacted laws requiring employers to protect their employees’ private information.
So, make sure that your organization has taken appropriate steps not only to comply with the FACT Act, but also to safeguard and dispose of all sensitive employment information in a proper fashion.