Rule Requires Destruction of Consumer Data
Thursday, June 2, 2005
Be careful how you -- or your company -- dispose of sensitive consumer information.
A new federal rule that took effect yesterday requires all businesses and individuals to destroy private consumer information obtained from credit bureaus and other information providers in determining whether to grant credit, hire employees or rent an apartment.
Issued under orders from Congress, which was trying to crack down on identity theft, the Federal Trade Commission's new rule requires that personal information be burned, pulverized, shredded or destroyed in such a way that the information cannot be read or reconstructed. The rule also applies to electronic files, which must be erased or destroyed, and covers credit report data, credit scores, employment histories, insurance claims, check-writing histories, residential or tenant history and medical information.
An FTC official said failure to properly dispose of the data could draw a $2,500 federal penalty per violation, as well as lawsuits from people who could seek damages if personal information was misused as a result of improper disposal.
The rule applies to large and small companies -- to lenders and insurers, as well as landlords, car dealers, attorneys and private investigators. Individuals who use credit reports -- to hire nannies or contractors, for example -- also are subject to the new rule.
The agency does not set a time limit for when the data must be destroyed, only ground rules for disposing of it. Nor does the agency set rules on how securely data must be kept until it is destroyed, although some laws already provide such rules for financial and medical institutions.
Privacy advocates applauded the new rules. "This requirement is long overdue and will hopefully make companies think twice about how valuable this information is" in all of their conduct, said Evan Hendricks, editor and publisher of Privacy Times newsletter.