Special Feature! FACTA: Compliance and Liability Basic FACTA Facts |
FACTA: What Is "Consumer Information"
Created by the FTC to reduce the risk of identity theft and consumer fraud, FACTA proposes to enforce the full destruction of consumer information by businesses.
According to FACTA, "consumer information" is considered to be "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report." 16 C.F.R. 682.1(b).
This would include "information that results in whole or in part from manipulation of information taken from a consumer report, and information that has been combined with other types of information."
The rule is now limited to "information that identifies particular individuals," and includes "a variety of personal identifiers beyond simply a person’s name…, including, but not limited to, a social security number, driver’s license number, phone number, physical address, and e-mail address."
The definition has intentionally been left flexible because "depending on the circumstances, data elements that are not inherently identifying can, in combination, identify particular individuals."
Consumer information also means any employee background reports or similar reports that have been prepared by an outside agency or company. The FACTA disposal rules apply to all of these records.
Note that in addition to the actual reports, FACTA also covers any of your own company's records that are "derived" from a consumer credit report or employee background report. This means that if your company copies or uses any information from a consumer credit report or employee background report then that document or data is also subject to FACTA disposal rules.
The FTC acknowledges that businesses may not always know whether the information they receive was derived from a consumer report. There is considerable grey area around this issue of the "information derived from" rule, and it has a strong potential to cause unforseen problems for businesses that handle a large amount of consumer information received from a number of different sources.
If you don't know whether the information in your records was derived from a consumer report it doesn't make any difference. FACTA still holds your business responsible for the proper storage and disposal of those records.
On June 16th, 2005 the FTC issued the first ruling against a company under FACTA (BJ's Wholesale Club). This case already seems to show that the FTC is expanding the definition of "consumer information" beyond its original parameters.
Even though initially the FTC defined personal information as that taken from a credit report, the details of this latest ruling demonstrate that companies are now responsible for safely collecting, holding and disposing of any personally identifiable information - not just information related to credit reports or information derived from credit reports.
It seems like the writing is on the wall... any personal information of consumers or employees must be properly destroyed by businesses in a timely manner.
As Deborah Platt Majoras, Chairman of the FTC has said; "Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security. This case demonstrates our intention to challenge companies that fail to protect adequately consumers' sensitive information."
By "challenge", it seems clear that she means that they will pursue legal measures that will potentially cost businesses a great deal of money.
|