[2005; R-2013 | Keywords: Business, Operations, Consumer Information]
In order to protect against the growing problem of “dumpster diving” and the resulting identity theft and other consumer fraud, all dealers will be required to properly dispose of certain consumer information they maintain or possess, including credit reports regarding individual customers, and even the results of background checks in connection with their hiring process. This new law, which is part of the federal Fair and Accurate Credit Transactions Act (“FACTA”), took effect June 1, 2005.
“Consumer information” is defined broadly as “any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report” or any compilation of such records. Consumer information does not include information that does not identify specific individuals.
Disposal of consumer information occurs when the consumer information is discarded or abandoned, or when any medium on which the consumer information is stored, including computer equipment, is sold, donated or transferred. Importantly, this new law does not require that dealers dispose of consumer information in their possession, or that records containing consumer information only be maintained for a limited period of time. If any federal, state or local law sets forth requirements regarding the maintenance or destruction of records that contain consumer information, those requirements must be followed. Further, this new law will not require dealers to develop new record retention policies – it only imposes new obligations with respect to the proper disposal of such records.
As a general rule under FACTA, any person that possesses or maintains consumer information must take reasonable measures to protect against unauthorized access to or use of such information in connection with its disposal. What constitutes “reasonable measures” will vary depending on: (1) the sensitivity of the consumer information; (2) the size and nature of the entity’s operations; (3) the costs and benefits of different disposal methods; and (4) the relevant technological changes. “Reasonable measures” should, however, always include the establishment of policies and procedures regarding disposal of consumer information, monitoring of compliance, and employee training on disposal of consumer information.
When a dealer disposes of any paper records that contain consumer information, the dealer should shred, pulverize or burn these documents so that the information can no longer be read or reconstructed. When a dealer disposes of consumer information stored in an electronic form (e.g., on a computer hard drive or computer disk), the dealer should destroy or erase the electronic media containing the consumer information so that the information cannot practicably be read or reconstructed. These are not, however, the only proper means of destruction or disposal. It is only necessary that dealers ensure no one will be able to read, gain access to or use the information once the dealer disposes of it.
Dealers may, at their option, contract with companies engaged in the business of record destruction to properly dispose of these records for them. If a dealer decides to contract with such a company, however, then the dealer must take appropriate measures to determine the competency and integrity of the company, and its ability to dispose of the consumer information in compliance with the law.
Further, the dealer must monitor the third party’s compliance with the requirements of the law.
Severe penalties may apply for violations of this new law, including fines, statutory damages and any actual damages that result from identity theft. If you have any questions regarding this new law, call the Association at 800.622.0016.