FALL 2005 ISSUE
CAREFUL! NEW RULE AFFECTS THE DISPOSAL OF CONSUMER
CREDIT INFORMATION
In the Fair and Accurate Credit Transactions Act of
2003 (FACTA), Congress required the adoption of rules
for the proper disposal of consumer report information
and records. The legislation was prompted by the growing
risk of consumer fraud and related problems, including
identity theft, that arise from the improper disposal
of consumer information for which there is no longer
a business need or purpose. FACTA and the rule stemming
from it are meant to make it tougher for dumpster divers
and miners of computer data to profit from sloppy disposal
methods.
The Federal Trade Commission's Disposal Rule went into
effect June 1, 2005, but affected businesses will have
six months from that time to come into compliance. After
that, failure to comply could trigger a range of civil
enforcement actions by the Government or affected consumers.
While there is room for interpretation of the Disposal
Rule's meaning, and how it should be applied as circumstances
change, the Rule's essential standard is all in one
sentence:
Any person who maintains or otherwise possesses
consumer information for a business purpose must properly
dispose of such information by taking reasonable measures
to protect against unauthorized access to or use of
the information in connection with its disposal.
What Is Covered?
Consumer information covered by the Rule means any
record about an individual, in any form, that is a consumer
report or is derived from a consumer report. The definition
includes a compilation of such records. If the information
does not in some fashion identify individuals, however,
such as information in aggregate form, the Disposal
Rule does not apply. The obvious ways in which individuals
may be identified are names, Social Security numbers,
driver's license numbers, telephone numbers, physical
addresses, and e-mail addresses. But even pieces of
information that, by themselves, do not identify someone
can, in combination, be regarded as identifying information.
Who Is Covered?
The Rule was intentionally written broadly to apply
essentially to any "person" maintaining or possessing
consumer information other than an individual who has
obtained his own consumer report. Some entities that
commonly obtain consumer credit information include
consumer reporting agencies, lenders, insurers, employers,
landlords, government agencies, mortgage brokers, financial
institutions, and automobile dealers. This is far from
an exhaustive list. If an entity can obtain a consumer
report for one or more of the business purposes mentioned
in the Fair Credit Reporting Act, it is safe to assume
that the entity and the information it obtained are
subject to the Disposal Rule. Disposal and records management
companies also fall under the Rule.
Reasonable Measures
The Rule uses the flexible term "reasonable measures"
to describe the duty regarding disposal because perfect
destruction of consumer information in every instance
is unattainable. Variables that may be taken into account
include the sensitivity of the information, the nature
and size of the entity's operations, the costs and benefits
of different disposal methods, and ongoing changes in
technologies. It is also noteworthy that the concept
of "disposal" covers the sale, donation, or transfer
of any medium on which consumer information is stored.
The Rule provides a nonexhaustive set of examples of
"reasonable measures." To prevent the reading or reconstruction
of records in paper form, policies should be adopted,
and their implementation monitored, for the burning,
pulverizing, or shredding of such papers. The same approach
is advisable for policies on destruction or erasure
of electronic media. Since simply deleting information
stored on a computer is usually insufficient to safeguard
the information, use of some low-tech methods of destruction
on some high-tech methods of storing information may
be in order. For example, the Federal Trade Commission
has suggested, at least for small businesses, the nearly
cost-free method of disposing of electronic media by
smashing the material with a hammer.
A covered person's due diligence also should extend
outside the office when disposal of information is contracted
out to a provider of such a service. One of the "reasonable
measures" mentioned in the Rule refers to taking steps
to determine the competency and integrity of the disposal
company, such as reviewing an independent audit of the
company, getting references, requiring that the company
be certified by a trade association, or reviewing and
evaluating the disposal company's policies and procedures
on information security.