Spoliation of Credit Reports: Crazy Defense

Administrator
Site Admin
Posts: 11757
Joined: Tue Jul 26, 2005 4:15 am

Spoliation of Credit Reports: Crazy Defense

Postby Administrator » Mon Sep 29, 2014 11:19 pm

Some collectors are trying to argue that the FACTA Disposal Law permits them to dispose of and destroy credit reports although the matter is in litigation. Below is an article on the FACTA Disposal Law. It does not allow or suggest to destroy evidence, credit reports or otherwise.

====================
Understanding the FACTA Disposal Rule


By Dennis Kiker


The Fair and Accurate Credit Transactions Act of 2003 (“FACTA” or the “Act”) became law in December, 2003. Section 216 of the Act required the Federal Trade Commission (“FTC”) and other federal agencies to issue regulations governing the disposal of consumer credit information. The FTC final rule went into effect June 1, 2005, and it creates broad responsibilities for companies that use or handle information subject to the rule. As is often the case, however, with responsibility comes opportunity, particularly for document management and destruction service providers. In order to minimize the risks and maximize the opportunities associated with the new rule, it is important to understand the entities to which the rule applies, the obligations created by the rule, and the penalties for non-compliance.


Background


As part of the ongoing federal effort to combat identify theft and other forms of consumer fraud, Congress in 2003 passed FACTA. Pursuant to the mandate in section 216 of the Act, and after consultation with Federal banking agencies, the National Credit Union Association, and the Securities and Exchange Commission, the FTC elected to adopt a new rule implementing the disposal requirements of the Act. In April, 2004, the FTC invited public comment on a proposed rule, and, in July, 2004, supplemented its initial notice of proposed rulemaking and sought additional public comment. In November, 2004, the Commission issued its final rule, codified at 16 C.F.R. § 682, which is now in effect.


The stated purpose of the rule is to “reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information.” This purpose is implemented by the standard articulated in section 682.3(a) of the rule:


Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.


16 C.F.R. § 682.3(a). As with any law, the key to understanding the obligations imposed by the rule is found in the definitions of the key terms. In this case, it is important to understand (1) to whom the rule applies (what constitutes a “person”); (2) what information is covered (what is “consumer information”); (3) what conduct is covered (what constitutes “disposal”); and (4) what is required (what are “reasonable measures”). Finally, to assess the risks and opportunities, it is important also to understand the penalties of non-compliance.


What is a “person”?


According to the Commission, the rule “covers any person that possesses or maintains consumer information other than an individual consumer who has obtained his or her own consumer report of file disclosure.” 69 Fed. Reg. 68693. The Commission readily admits that “it is impossible to identify every industry that may possess or maintain consumer information for business purposes,” and therefore anticipates that “entities across almost every industry could potentially be subject to the Rule.” Id. at 68695-96. Examples cited in the commentary to the rule include consumer reporting agencies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, utility companies, telecommunications companies, and others. The FTC specifically included records management and disposal industries in its commentary, indicating that, together with the record owner, they “bear responsibility for proper disposal of consumer information they maintain or otherwise possess.” Id. at 68694.


What is “consumer information”?


Consumer information is defined in the rule as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.” 16 C.F.R. 682.1(b). This would include “information that results in whole or in part from manipulation of information taken from a consumer report, and information that has been combined with other types of information.” 69 Fed. Reg. 68692. The rule is clearly limited to “information that identifies particular individuals,” and “would clearly include “a variety of personal identifiers beyond simply a person's name…, including, but not limited to, a social security number, driver's license number, phone number, physical address, and e-mail address.” Id. at 68691. However, the definition has intentionally been left flexible because “depending on the circumstances, data elements that are not inherently identifying can, in combination, identify particular individuals.” Id.


This definition creates particular problems for service providers that “may not always know whether the information they receive was derived from a consumer report,” and, therefore, many commentators suggested that the Commission revise the rule to require knowledge that the information constitutes or is derived from a consumer report. Id. The Commission rejected this request, however, preferring to address the issue in examples related to the specific duties of entities covered by the rule (see discussion below).


What constitutes “disposal”?


Given that every business that touches “consumer information” will soon be under a duty to dispose of that information properly, a key question concerns what constitutes disposal. Of course, routine destruction of the records or information would be included, but the rule also includes “abandonment of consumer information” and “the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.” 16 C.F.R. § 682.1(c). Thus, businesses must be concerned not only with routine document retention and destruction policies and procedures covering consumer information, but also policies and procedures related to the transfer, donation, or other disposition of computer equipment and other media on which consumer information may be located.


Companies must also concern themselves with the method of destruction. The rule “does not mandate specific disposal measures,” and the Commission's commentary specifically notes that appropriate methods will often depend on the affected companies resources. For example, small companies could deal with paper records using an inexpensive paper shredder and dispose of electronic media “at almost no cost by simply smashing the material with a hammer.” 69 Fed. Reg. 68696. On the other hand, whether “'wiping,' as opposed to destruction, of electronic media is reasonable, as well as the adequacy of particular utilities to accomplish that 'wiping,' will depend on the circumstances,” presumably including the extent of the record owner's resources. Id.


Another factor that business and document destruction service providers must consider is that the rule requires companies to “protect against unauthorized access to or use of the information in connection with its disposal.” 16 C.F.R. § 682.3(a). The Commission has made clear that this requirement applies “both during and after the disposal process.” This requirement affects not only the processes and procedures employed, but also the personnel employed to implement them.


What are “reasonable measures”?


Having an understanding of what entities and information are governed by the rule, companies must also understand what measures would be considered reasonable under the rule in disposing of consumer information. The Commission intentionally left the language of the rule somewhat ambiguous, recognizing that “there are few foolproof methods of records destruction and that entities covered by the Rule must consider their own unique circumstances when determining how best to comply with the Rule.” 69 Fed. Reg. 68690. Rather than impose strict guidelines on disposal methods, the Commission offers several examples addressing specific industries and methodologies. 16 C.F.R. § 682.3(b). In addition to acknowledging accepted methods of document destruction, including “burning, pulverizing, or shredding of papers,” and “destruction or erasure of electronic media,” the Commission specifically addressed the relationship and responsibilities of record owners and document destruction service providers. Id.


As noted above, although the FTC acknowledged concerns that document destruction service providers are “frequently not in a position to make independent determinations as to whether information they possess is, or was derived from, a consumer report,” the Commission rejected the suggestion for an explicit requirement that service providers be specifically informed of the existence of consumer information and contracted to dispose of it. Instead, the rule includes two examples addressing the responsibilities of the record owner and its service provider. 16 C.F.R. 682.3(b)(3)-(4).


Generally, the examples suggest that the record owner must “take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer information at issue; notify the service provider that such information is consumer information; and enter into a contract that requires the service provider to dispose of such information in accordance with this Rule.” 69 Fed. Reg. 68694. The examples cited in the rule clearly place the burden of informing service providers that information entrusted to them is consumer information on the record owner, and the Commission notes that, in evaluating a service provider's compliance with the rule, “a record owner's failure to provide notice or contract for disposal in accordance with the requirements of the Rule will be strongly considered.” Id.


The FTC is careful to point out, however, that the examples provided in the rule “are intended to provide covered entities with guidance on how to comply with the Rule but are not intended to be safe harbors or exclusive methods for complying with the Rule.” Id. at 68690. Finally, the Commission emphasizes that “'reasonable measures' are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.” Id. at 68693.


Conclusion


Willful or even negligent failure to comply with the rule could subject covered entities to civil liabilities and penalties. 15 U.S.C. §§ 1681(n)-(o), (s). Although, as the Commission notes, many companies may already be in compliance with the rule “either as a matter of sound business practice or pursuant to other legal requirements” (69 Fed. Reg. 68691), the broad reach of the rule to include a wide variety of small businesses, typically without sophisticated document management practices, creates an opportunity for service providers to educate and promote legal compliance to a very broad audience.
David A. Szwak
Bodenheimer, Jones & Szwak, LLC
416 Travis Street, Suite 1404, Mid South Tower
Shreveport, Louisiana 71101
318-424-1400 / Fax 221-6555
President, Bossier Little League
Chairman, Consumer Protection Section, Louisiana State Bar Association

Return to “Evidentiary Issues in FCRA Cases”

Who is online

Users browsing this forum: No registered users and 3 guests