August 29, 2021

5 Best Practices to Consistently Stay FACTA Compliant

Identity theft affects an estimated 1 in 20 Americans each year and accounts for roughly $17 billion in annual fraud-related losses. As incidents of this crime continue to rise, businesses must remain vigilant about protecting consumer information, and complying with legislation that safeguards confidential consumer data is a baseline obligation. The following explains the Fair and Accurate Credit Transactions Act (FACTA), a regulation central to the fight against consumer fraud and identity theft, with particular attention to its Disposal Rule.

What Is FACTA?

FACTA is a 2003 amendment to the Fair Credit Reporting Act (FCRA) that expands consumers' access to their credit information and requires businesses to take steps that limit the risk of identity theft. It gives consumers the right to obtain a free copy of their credit report once a year from each of the nationwide credit reporting agencies, and lets them purchase, for a small fee, a credit score along with an explanation of the factors used to calculate it. The Act also allows consumers to place fraud alerts in their credit files. In 2005, the Federal Trade Commission (FTC) issued the Disposal Rule, which implements FACTA's requirement that consumer report information be properly disposed of once it is no longer needed.

What Does the FACTA Disposal Rule Entail?

FACTA's Disposal Rule is one of the most important elements of the legislation. It requires businesses to properly dispose of and destroy sensitive consumer information when it is no longer needed, so that it cannot be accessed or used without authorization. In practical terms, the rule targets a simple attack: a thief retrieving discarded business records (from a dumpster, a recycling bin or a surplus hard drive) and using the information in them to commit identity theft.

Who Must Comply with the FTC's Disposal Rule?

Unlike privacy laws that apply to a single industry, FACTA's Disposal Rule applies to nearly every business and private employer. Any company or individual that uses a consumer report for a business purpose is subject to its requirements. In this context, a consumer report can include credit reports, credit scores, employment background reports, check-writing histories, insurance claims, residential or tenant screening records, and medical histories. The FTC also encourages companies that discard any records containing a consumer's personal or financial information to follow the Disposal Rule's principles, even where the rule does not explicitly require it.

Who Enforces FACTA?

The Federal Trade Commission (FTC) enforces FACTA, including the Disposal Rule, for most businesses. Since 2011 the Consumer Financial Protection Bureau (CFPB) shares enforcement authority under the FCRA, and the federal banking agencies enforce the rule for the financial institutions they supervise.

What Are the Financial Implications of Non-compliance?

Failing to comply can result in federal civil penalties of up to $2,500 for each violation (a figure that is adjusted for inflation), and a business may incur state penalties as well. Violations can also lead to civil or class-action lawsuits: statutory damages for willful violations of the FCRA range from $100 to $1,000 per consumer, with punitive damages and attorneys' fees on top. When a violation affects many consumers and is pursued as a class action, the damages can easily reach the millions.

5 Best Practices for Complying with FACTA's Disposal Rule

The FTC requires companies to take reasonable and appropriate measures to protect information from unauthorized access during and after disposal. The rule deliberately leaves room in how that standard is met, based on the sensitivity of the information, the costs and benefits of different secure disposal methods, and changes in technology. That said, there are several best practices your company should consider.

1. Address proper document disposal in information security policies.

The policy should spell out how documents will be destroyed and how your company will track material from the moment it is discarded until it is destroyed. It should also cover electronic media and hard drive destruction, since a retired laptop, backup tape or USB drive can expose far more consumer data than a filing cabinet. For electronic media, NIST SP 800-88 (Guidelines for Media Sanitization) is the reference practitioners use to choose between clearing, purging and physical destruction, and it is a reasonable standard to cite in the policy.

2. Train staff on FACTA and their role in compliance.

The Disposal Rule and other information security legislation should be covered in data security training, both at orientation and periodically throughout the year. Staff should know what the legislation covers, how it applies to their day-to-day work, and what they are personally responsible for when disposing of documents and media.

3. Consider professional shredding as the preferred disposal method.

Shredding is widely recommended because it leaves information that cannot be read or reconstructed. Do-it-yourself shredding can still expose a company to risk, however, because many inexpensive office shredders are strip-cut machines that slice a page into long parallel strips. Strips preserve most of each line of text, so a patient thief can reassemble the document without much difficulty.

An experienced, professional shredding service like Shred-It uses industrial cross-cut shredders that reduce paper to confetti-sized particles, which cannot practically be reconstructed, limiting the chance that anything readable survives. Such a partner can also supply locked waste containers that keep sensitive material secured until it is collected for shredding. Placing these containers conveniently around your business encourages staff to dispose of documents properly instead of using an open recycling bin.

4. Check that your document destruction partner meets FACTA requirements

Before partnering with a document destruction company, do your due diligence: confirm that the vendor is licensed and certified by a recognized trade association. For example, a shredding company that is NAID AAA certified has been audited against the National Association for Information Destruction's standards for secure destruction, which are written to align with data protection laws such as FACTA. To earn and keep the AAA designation, a company must pass both scheduled and unannounced audits conducted by trained, accredited security professionals. The vendor should also guarantee a documented chain of custody showing how material is safeguarded from pick-up through destruction, and should issue a Certificate of Destruction (or proof of service) for each job that records what was destroyed, when and by what method. Keep those certificates; they are the evidence you will need to show a regulator or auditor that disposal was handled correctly. As part of the vetting process, you may also want to review the vendor's information security policies and procedures and check references with current and former customers.

5. Follow a regular cadence for document destruction.

If your company generates large volumes of sensitive information covered by FACTA, set up a recurring shredding service rather than relying on ad hoc purges. Having a licensed professional come on-site at regular intervals to retrieve and securely destroy confidential material keeps the backlog of unshredded records small, and the regular schedule and accompanying certificates give you a consistent, documented record that your company is protecting consumer data and maintaining FACTA compliance.

Learn more about how Shred-It can help you with secure, compliant document and media destruction services.