FACTA: Fair and Accurate Credit Transactions Act.     Business Compliance Issues - Special Report

The FACTA Disposal Rule states that "any person who maintains or otherwise possesses consumer information for a business purpose" is required to dispose of discarded consumer information, whether in electronic or paper form.

But what constitutes "disposal" of any consumer information covered by FACTA?

The Disposal Rule clarifies the definition of compliance as "taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."

These "reasonable measures" include:

Burning, pulverizing, or shredding of physical documents.
Erasing or physically destroying all electronic media.
Engaging a third party contract for the purpose of information destruction.

The rule "does not mandate specific disposal measures," and the FTC's commentary notes that what are considered "appropriate methods" will often depend on the affected companies resources.

Though providing no no hard and fast rules, the FTC does indicate that "reasonable measures are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training."

The FTC has issued a new publication, "New Rule Seeks to Protect Privacy by Requiring Proper Disposal of Sensitive Consumer Information,"
(available at www.ftc.gov/bcp/conline/pubs/alerts/disposalalrt.htm),
to educate businesses about the new requirements.

Every business should assure that it has developed its own internal policy regarding proper record keeping and disposal, which includes training and specific data destruction measures carried out and documented at regular intervals.

FACTA Compliance Policies