Tuesday, September 06, 2005

Data Destruction Regulations

On June 1, 2005 the Federal Trade Commission adopted a new regulation concerning the disposal of consumer report information and records. The new regulation will be found at 16 CFR part 682. The FTC was required to adopt this regulation as a result of recent federal legislation addressing the problem of identity theft.

The key requirement is actually pretty simple: Anyone who has possession of a consumer report for a business purpose must take reasonable measures against unauthorized access or disclosure when disposing of the information. This new regulation is specific to disposal of consumer information, and for example does not address how such information may be used, shared or stored.

The new regulation covers any information that is a consumer report or investigative consumer report within the meaning of the Fair Credit Reporting Act, as well as information "derived" from such reports. The new regulations do not apply, however, to records or data which contain no personally identifying information.

This new regulation will plainly apply to PEOs as employers if, for example, you have possession of any background check reports on the worksite employees. In most cases, a background check report used for employment purposes would be an "investigative consumer report" under the Fair Credit Reporting Act, and would thus be covered by this new regulation.

The regulation pretty clearly indicates that the FTC expects employers to "implement and monitor compliance with policies and procedures." The FTC comments are even more straightforward: "reasonable measures are also likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training."

The FTC's comments recognize that complete destruction of records is difficult. Instead, the regulations only require "reasonable measures" to ensure that the information "cannot practicably be read or reconstructed."

Computer data is notoriously difficult to completely destroy. The FTC's comments to the final regulations suggest that covered entities may want to consider measures such as smashing computer hard disk drives with a hammer before disposal, or wiping or overwriting the data on a disk via software programs. However, the FTC noted that "whether wiping as opposed to destruction of electronic media is reasonable" will depend on the circumstances. In other words, if you choose to wipe disks electronically, you'd better make sure you do it right.

PEOs should review their existing business practices in light of this new regulation, and take this opportunity to ensure that you have a compliant data destruction process.

Possible action steps:
1. Do you have any reports or records falling within the new regulation? In particular, consider whether you have background check reports.

2. If so, you should evaluate your current policies and procedures for disposal of these records.

3. If necessary, update policies and commit them to writing.

4. Make very certain that unwanted or obsolete computers and electronic media are being checked for data and that data is destroyed or effectively wiped before disposal. Keep in mind that simply "deleting" files or formatting a disk under any version of Windows does not actually destroy the files. Consult with computer professionals as needed.

5. Establish a training process and internal quality control checks to ensure compliance with your policies.

6. Consider what guidance to give to client companies regarding their use and disposal of any consumer reports, such as employee background check reports.
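The points above about wiping versus deleting deserve a concrete illustration. The following is an added example, not code from the original post: a toy file-backed "disk" with an in-memory directory shows why "deleting" a record only drops the directory entry while the bytes stay on the medium, and why a post-wipe check should scan the raw medium rather than trust the file listing. The image layout, the sample report and the SSN value in it are all constructed for the demo.

```python
import os
import re
import tempfile

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
# Constructed sample consumer-report record; the SSN is a made-up placeholder.
SAMPLE_REPORT = b"Background check: J. Public, SSN 123-45-6789, result: clear\n"

class ToyDisk:
    """A zero-filled image plus an in-memory directory (name -> (offset, length));
    as on a real filesystem, 'delete' only drops the directory entry."""

    def __init__(self, path, size=4096):
        self.path, self.directory, self.next_free = path, {}, 512
        with open(path, "wb") as f:
            f.write(b"\0" * size)

    def write(self, name, data):
        with open(self.path, "r+b") as f:
            f.seek(self.next_free)
            f.write(data)
        self.directory[name] = (self.next_free, len(data))
        self.next_free += len(data)

    def delete(self, name):
        """The equivalent of 'deleting' a file: the bytes stay on the medium."""
        del self.directory[name]

    def wipe(self, offset, length):
        """Overwrite a region in place and flush it to the medium."""
        with open(self.path, "r+b") as f:
            f.seek(offset)
            f.write(b"\0" * length)
            f.flush()
            os.fsync(f.fileno())

    def residual_ssns(self):
        """Post-disposal check: scan the raw medium, not the directory listing."""
        with open(self.path, "rb") as f:
            return SSN_RE.findall(f.read())

def demo():
    """Returns (SSNs still readable after delete, SSNs readable after the wipe)."""
    with tempfile.TemporaryDirectory() as tmp:
        disk = ToyDisk(os.path.join(tmp, "disk.img"))
        disk.write("report.txt", SAMPLE_REPORT)
        region = disk.directory["report.txt"]
        disk.delete("report.txt")
        after_delete = disk.residual_ssns()  # still recoverable from raw bytes
        disk.wipe(*region)
        return after_delete, disk.residual_ssns()
```

On a real drive the same idea applies: a wipe is only "done right" when a read of the raw device, not the file system, turns up nothing recoverable.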