"Burn! Pulverize! Shred!"
No, these are not the ravings of the latest movie super villain; they
are now a necessity for your small business in dealing with consumer information.
Congress has enacted the Fair and Accurate Credit Transactions Act (FACT
Act), which amends the Fair Credit Reporting Act and applies to "any
person that, for a business purpose, maintains or otherwise possesses
consumer information, or any compilation of consumer information." 1
Identity theft is a growing concern in the United States. The protection
of our social security numbers, PINs and credit history is crucial. In
a 12-month period from 2004 to 2005, it is estimated that 9.3 million
Americans were the victims of identity theft. 2
It is also estimated that once a person's identity is compromised it can
take more than 600 man hours to recover from the crime. 3
Criminals perpetrating this crime will do anything from dumpster diving
for discarded information to intricate e-mail and calling scams to get
identity numbers. If these criminals get the information from your
business' records, your business may be liable for damages.
Businesses regularly collect information on their potential employees,
suppliers and customers. The FACT Act requires federal agencies, including
the Federal Trade Commission (FTC), to provide rules to govern the issue.
The FTC created proposed rules and received no adverse comments regarding
the impact to small business. The FTC rules go into effect on June 1,
2005.
Rule 16 CFR 682.1(b) of the FTC protects and defines consumer information
as:
"any record about an individual, whether in paper, electronic,
or other form, that is a consumer report or is derived from a consumer
report. Consumer information also means a compilation of such records.
Consumer information does not include information that does not identify
individuals, such as aggregate information or blind data."
This requires anyone possessing consumer information for a business
purpose to take reasonable measures to protect against unauthorized use.
Examples that a business may follow to be in compliance include:
- Creating and monitoring a plan for destruction of the information
by burning, pulverizing, or shredding so that the information cannot
be reconstructed;
- Creating a plan for destruction or erasure of electronic information
such as hard disks, e-mails, diskettes, and compact disks before sale
or disposal;
- Entering into a contract with a third party for destruction of information
after checking on the credentials of the third party (due diligence);
and
- Creating a plan for informing employees and monitoring employees'
use of consumer information to prevent unauthorized use or dissemination
of the information.
This law does not limit other laws that may apply to your business, whether
state or federal. If you have questions about your business, consult your
attorney.
Businesses may pay $1,000 of liability per person affected, or actual
damages caused, and possible attorney's fees. 4
The business may also be fined by state and federal authorities for non-compliance.
What might this mean for your small business, and how might you implement
a reasonable plan for destruction of consumer information? Here are some
helpful thoughts on written document destruction policies. (Note: This
information is likely good advice for any sensitive document.)
- If you collect any information for employment purposes, the law already
requires that you inform the potential employee that you are collecting
that information. 5
- If you don't need the information and don't use it, don't ask for
it. For example, don't ask for your employee's credit information if
a credit check is not needed and will not be created.
- Keep consumer information under lock and key and know who has use
of the key(s). These people should be aware of your business' policies
on consumer information and the penalties for unlawful use of that information.
- Invest in a good shredder. The shredder should have a cross-cut or
confetti cutter that makes the document next to impossible to reassemble.
Many shredders are under $100 and can be found at most business products
stores. Look at both business and personal shredders. A small office
can probably use a personal shredder fitting up to four sheets at a
time and may not need the sturdiness of a "business" shredder.
- Don't just put sensitive documents in the shredder bin or burn box;
consider the safety of the information. Does the bin have limited access,
and is it locked?
- Don't keep consumer information beyond its useful life to your business.
  - Have a policy that says if a relationship is terminated you destroy
    the consumer information collected.
  - Have a policy that says after a specific number of months you
    will destroy consumer information collected.
  - Have a policy that says after more recent information is collected
    you will destroy the old consumer information.
- Consider simply giving information back to the consumer once your
business no longer needs it. However, then you may have to mail the
information, and you would need to have a policy in place if the person
refused the documents.
- Your shredded paper is now unreadable and recyclable. Don't just
throw it in with the rest of the trash. Shredded paper can have many
uses such as packing material, cat litter, worm food, garden mulch,
compost, etc.
In short, have a written policy for destruction of consumer information
and follow through on that policy. It is good for your customers, and
that makes it good for your business.
This article provides general coverage of its subject area. It is provided
to the reader as a resource for understanding the status of the applicable
law and is not intended to be legal advice or service. If legal advice
is sought or required, the services of a competent professional attorney
licensed in your state should be sought.
The actual text of the rules can be found in the last few pages of
this PDF file: www.ftc.gov/os/2004/11/041118disposalfrn.pdf
By Eric Anderson, the BRIDG business specialist located in the Center
for Entrepreneurship & Outreach at the University of Missouri-Rolla.
1 FACT Act Section 216. There is the
requirement that the business also be under the jurisdiction of the
Federal Trade Commission, but with the broad overview of this Commission
most businesses are likely to meet this requirement.
2 This is up from an estimated 7 million Americans from
a 2002-2003 study. Source: Identity Theft Resource Center, 2005 study,
www.privacyrights.org/ar/idtheftsurveys.htm
3 Id.
4 15 USC 1681n & 1681o
5 15 USC 1681b(b)(2)