On June 1, 2005, the Federal Trade Commission issued new regulations requiring companies to destroy certain consumer records. The specific rule requires consumer information such as credit reports to be physically destroyed after it is used.
Records
The rule covers practically any consumer records. Examples include credit reports, court records, employment histories and rental histories to mention only a few.
Identity Theft
Heading complaints from constituents, Congress has been trying to figure out how to deal with growing identity theft problems. In response, the FTC rule requires all personal information to be:
1. Burned(!),
2. Pulverized,
3. Shredded, or
4. Destroyed.
Whether you shred the records or stand in the parking lot with a flamethrower, the rule requires the documents to be destroyed to the extent they cannot be read. Importantly, the rule also applies to electronic files.
As an agency rule, the new regulation does not result in any criminal penalties. Instead, the FTC penalty provisions call for a fine of up to $2,500 per violation. Individuals that have information misused can also seek damages in civil lawsuits.
Effective?
The FTC should be applauded for taking any step to help in the fight against identity theft. The flood of recent public disclosures by companies admitting to lost records is appalling. But does this new rule really help?
No.
The new regulation provides no provisions on how long the records can be held before being destroyed. This effectively neuters the regulation. Any claim of violation is going to be refuted by the defense of, We destroy records every xxx months. Even if you disagree with this assessment, consider the destruction of electronic files.
Electronic files are automatically backed up on hard drives. Merely deleting a file does not erase it from a hard drive. To comply with the regulations, are companies supposed to wipe all their hard drives every day or is deleting the records enough? Wiping the drives is incredibly burdensome while deleting files is useless. As you might imagine, the FTC provides no guidance on the issue.
Cutting to the chase, the FTC has issued this rule for one reason to satisfy Congress. It has little practical impact in protecting your private information and leaves companies with another vague regulatory requirement.
About the author:
Richard Chapo, Esq., is with
http://www.sandiegobusinesslawfirm.comoffering business law advice to California businesses. This article is for general education purposes and does not address every facet of the subject matter. Nothing in this article creates an attorney-client relationship.
