The Disposal of Consumer Report Information and Records Rule (the “Rule”) is a federal regulation promulgated by the Fair Trade Commission (FTC) under Section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Section 216 was intended to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information

Applicability

The Rule applies to entities over which the FTC has jurisdiction that maintain or otherwise possess consumer information for a business purpose. Also covered are entities that merely maintain consumer information on behalf of another entity. Consumer information is any record about an individual that is, or derived from, a consumer report.

Requirements

Covered entities must properly dispose of consumer information by taking reasonable measures to protect against unauthorized access or use of the information. Under the Rule, the term “dispose” covers both, the disposal of the consumer information, and the disposal of the equipment on which consumer information is stored.

The Rule provides examples of reasonable measures including:

  1. policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information
  2. policies and procedures that require the destruction or erasure of electronic media containing consumer information
  3. After due diligence, entering into and monitoring compliance with a contract with a third party, engaged in the business of record destruction, to dispose of consumer information

Enforcement & Liability

The FTC is authorized to enforce the Rule through administrative enforcement actions or a civil action in federal court.