September 09, 2014

What Businesses Need to Know About Complying With FACTA

When the Federal Trade Commission (FTC) issued a new rule in 2005 requiring businesses to properly dispose of and destroy sensitive consumer data, security experts considered it an important step forward in the fight against consumer fraud and identity theft.

The new rule was the Fair and Accurate Credit Transactions Act. Better known as FACTA, it made sense then... and it makes sense now.

As Robert Johnson, long-time executive director of the National Association for Information Destruction (NAID), said in a statement: “Shredding documents and properly destroying computer files and hard drives will help ensure that records containing sensitive personal and financial information don’t fall into the wrong hands.”

Identity theft is the top consumer complaint in the FTC’s national ranking of consumer complaints. The Commission received more than two million complaints overall in 2013, with 14% being identity theft related.

According to Javelin’s 2014 Identity Fraud Report, the number of identity fraud victims in America in 2013 climbed to 13.1 million, an increase of 500,000 compared to 2012.

FACTA is actually an amendment to the Fair Credit Reporting Act that allows consumers to obtain a copy of their credit reports every year and provides tools to help reduce identity theft.

The disposal rule section says that all companies or individuals who collect sensitive consumer information from a consumer report for a business purpose must properly destroy that information when it is no longer needed. The goal is to reduce the risk of dumpster divers finding discarded business records and using that information for identity theft.

Here is what businesses need to know:

  1. Unlike other privacy laws that affect just one industry, the law applies to nearly every business and private employer. For example, all of the following types of companies handle sensitive consumer information: consumer reporting agencies, resellers of consumer reports, lenders, insurers, employers, landlords, government agencies, mortgage lenders, automobile dealers, waste disposal companies, and real estate brokerages.
  2. Private information in the context of this law refers to documents such as credit reports, credit scores, employment background reports, check-writing histories, insurance claims, residential or tenant records, and medical histories.
  3. Companies must take ‘reasonable measures’ to protect information from unauthorized access in connection with its disposal. The FTC recommends that companies put an information security policy in place that ensures that sensitive data can’t be recreated by identity thieves. Many security experts recommend shredding documents. Here is information about document destruction best practices.
  4. There are fines and punitive damages for non-compliance. 
  5. Documents that contain personally identifiable information should be tracked and clearly labeled with destruction dates as part of a comprehensive document management policy.
  6. Partnering with a reliable professional shredding service with a chain of custody will safeguard documents from the time they are discarded into locked high-security containers to the time they are removed for secure shredding on or off site.
  7. The information security policy should include e-media and hard drive destruction as well.

Here is a fact sheet about the Fair and Accurate Credit Transactions Act.