FTC Disposal Rule

The Tip of the Night for March 18, 2021, discussed how the Fair and Accurate Credit Transactions Act (FACTA) provides for the secure disposal of consumer data. In response to the obligations imposed on it by the Act, the Federal Trade Commission has adopted a Disposal Rule, discussed here. See, 69 Fed. Reg. 68,690 (Nov. 24, 2004). The Rule directs organizations to evaluate the sensitivity of the information they hold, and take measures of a proportional cost to dispose of it, also taking into consideration how technology makes the information easy to distribute and eliminate.

The Disposal Rule is addressed to consumer reports obtained for the purpose of checking an individual's credit, and eligibility for employment or insurance. The FTC specifies the following measures as being reasonable ones to prevent the disclosure of consumer report data:

  1. Shredding paper records.

  2. Erasing electronic files so the data cannot be reconstructed.

  3. Auditing the operations of a company tasked with data destruction.

  4. Using a data disposal company that has proper certification.

  5. Checking the security policies of the data disposal vendor.

The FTC requires a business to be proactive in confirming that agents who use consumer data the business has collected comply with this Disposal Rule. The Statement of Basis and Purpose for the Rule states that, "if a record owner transfers or otherwise provides consumer information to a service provider, the 'reasonable measures’ standard will generally require a record owner to take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer information at issue; notify the service provider that such information is consumer information; and enter into a contract that requires the service provider to dispose of such information in accordance with this rule." Id. at 68,694.