FTC to Small Employers: Shred — or Else!

May 2005

One unnerving aspect of our fast-paced culture is the speed with which obscure facts assume earth-shaking importance. Take "Nannygate." Back in 1993, millions of Americans employed nannies, gardeners, and maids under the table without a second thought — no papers, no taxes, no problem. Then word got out that Zoe Baird, President Clinton's first choice to be Attorney General, had hired two undocumented immigrants to work in her home. The would-be top cop withdrew her name in a hurry — and householders nationwide started sweating about their own illegal hires.

Well, the heat is on again — but this time the issue isn't keeping documents, but destroying them. As of 1 June 2005, a new rule issued by the Federal Trade Commission (FTC) as part of the FACT Act requires any business or employer that uses consumer information derived from a credit report — even indirectly — to dispose of that information in a way that will keep it out of the hands of identity thieves. And if you employ even one person — whether you're running a business or just covering the gap between school day and work day — the new rule applies to you.

 

The facts behind FACTA

You may already know the Fair and Accurate Credit Transactions Act (the FACT Act, or FACTA) as the "free credit report law" now undergoing a four-phase rollout across the United States. The FACT Act extended the provisions of the Fair Credit Reporting Act (FCRA) with an eye to reducing the risk of identity theft and consumer fraud. The FACTA Disposal Rule was developed by the FTC in November 2004 to further that goal by enforcing the proper destruction of consumer information.

 

The FACTA Disposal Rule applies to every U.S. business or employer that uses consumer information, from Fortune 500 corporations to the mom-and-pop corner store — or the soccer mom with a child care challenge. It's clearly a major step forward in the fight to give consumers greater control over their personal information and how it is used — or abused. But besides giving U.S. householders who play by the rules one more rule to worry about, it represents a big change in the way many small and medium-sized businesses do business. Some of them may be in for a serious shock.

 

What the rule requires

Under the new rule, "any person who maintains or otherwise possesses consumer information for a business purpose" must dispose of discarded consumer information — whether electronic or on paper — properly. According to the text of the law, that means "taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."

 

In case you're wondering what "reasonable measures" might include, the Disposal Rule specifies three possible ways to comply:

 

  • Burning, pulverizing, or shredding of physical documents
  • Erasure or destruction of all electronic media
  • Entering into a contract with a third party engaged in the business of information destruction

 

Among other things, this means that as of 1 June 2005, millions of small businesses had better have a shredder handy. In fact, many small business owners are referring to the new rule as the "shredder law" — and while that isn't a full description, it comes pretty close. Shredders already represent a $350 million annual market, and the market for personal shredders is growing especially fast. Industry analysts expect the pace to pick up rapidly as news of the FACTA Disposal Rule reaches the heartland.

 

Who is affected?

But are small businesses — and, for that matter, individuals who get a weekly visit from the cleaning lady — really likely to have this sort of information? You bet. For starters, small business owners who run credit reports or do background checks on potential employees possess precisely the data the new rule was designed to control. If you ran a credit check on your nanny before giving her the nod, you do, too.

 

Furthermore, if business owners use information from these sources in other ways — such as an email or written memo to a colleague commenting on the qualifications of a prospective hire — those electronic or paper documents must also be discarded properly. This means you'll need to have a systematic way of tagging and tracking such data — or risk running afoul of the new law.

 

A new challenge for small business

And there's the rub. Unlike that Fortune 500 corporation, the average mom-and-pop shop has no experience contending with the kind of privacy laws and other compliance issues the big boys deal with every day. What's more, small businesses typically lack the legal and financial resources that big companies take for granted (how many dry cleaners have in-house corporate counsel?). Finally, smaller companies are increasingly targeted by savvy identity thieves following the path of least resistance — and leveraging small operations' inexperience in handling sensitive data. One consequence is that the chances of a small business getting hit are going up — and with them, the likelihood that some employee will be victimized due to the employer's failure to dispose of data properly.

 

 

Mandates and lawsuits and fines, oh my!

You still may not feel like plopping down hundreds of dollars for a shredder just to comply with an obscure federal regulation — especially after calculating what you're shelling out for child care. Then again, when you weigh that cost against the prospect of being sued by an angry nanny whose identity data was plucked from your dumpster, that shredder starts looking like a bargain. Because this rule actually has teeth — and if you aren't careful, you could end up being bitten from several angles.

 

 

  • Civil liability. An employee whose identity is stolen as a result of an employer's failure to comply with the new rule could be entitled to recover actual damages sustained — or the employer could be hit with statutory damages of up to $1,000 per employee.
  • Class action. If large numbers of employees are affected, they could file a class action lawsuit under the new rule, and could be awarded punitive damages from their employer.
  • Federal and state fines. An employer could be fined up to $2,500 for each violation by the U.S. government. In addition, states can fine up to $1,000 for each violation.

 

 

Doing the right thing

Of course, the most important reason for complying with the new FACTA Disposal Rule is that it gives us one more way to keep identity thieves from getting the sensitive information they need to do their dirty work. The fact is that everyone — consumers, individual employers, and businesses — needs to be more vigilant and more disciplined in dealing with identity and account information. If the new FTC rule brings us closer to that goal, it'll be well worth the effort.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
