Businesses Must Ensure Records Destroyed to Avoid Identity Theft

If you are throwing away any records or an old computer with consumer personal information, you must now take reasonable steps to ensure that the information is deleted or destroyed.

Under Federal Trade Commission rules effective June 1, 2005, any business that maintains or possess consumer information must take reasonable measures to prevent unauthorized access or use of consumer personal information in connection with its disposal. The purpose of the rule is to help prevent identity theft.

Consumer information means any record about an individual, whether in paper, electronic or other form that contains, for example, a person’s social security number, name, address and other information taken from a consumer report. Information in a blind, aggregate form is not covered. Failure to comply with the rule can result in a fine of $1,000 per violation and require payment of actual damages. The reasonable steps that must be taken include:

• Establishing and monitoring policies and procedures for the burning, pulverizing or shredding of paper documents so that the information cannot practicably be read or reconstructed.
• Monitoring compliance with the policies and procedures.
• Monitoring compliance by any third party hired to destroy the material. This may include reviewing an independent audit of the disposal company’s operation, obtaining information about the third party from several references and other sources and requiring the disposal company to be certified by a recognized trade association.