Gone are the days in which companies could simply discard documentation in a wastebasket and have it thrown out with the rest of the trash. Clever and unscrupulous thieves will find a way to sift through the information contained in these documents and steal the identity of consumers. Due to the rising threat of identity theft, the Federal Trade Commission (FTC) issued a rule under the Fair and Accurate Credit Transactions Act (FACTA) detailing how businesses must dispose of their consumer information. Effective as of June 1, 2005, the rule still has businesses scrambling in order to comply.
The rule refers specifically to the disposal of information in consumer reports and records. This leads to a problem for many businesses because there is confusion over what constitutes a consumer report. According to the FTC, it includes credit reports, credit scores, reports on employment background, check writing history, insurance claims, residential or tenant history, or medical history. While this may not seem complicated, the rule also applies to any documents that were created using information obtained from any of these reports. Now imagine how difficult it must be for a company to determine the source of consumer information contained in a document!
In order to protect consumers further, the FTC also recommends that any company disposing of records that include a consumer’s personal or financial information to follow the rule. But what exactly does the FTC consider proper disposal? Well… the FTC leaves that up to each company to determine, which makes compliance even more difficult.
Document Destruction According to FACTA
For its part, the FTC does provide a list of measures that it considers reasonable for the destruction of consumer information. These include burning, pulverizing, or shredding the information so that it is unreadable and can’t be reassembled. In addition, electronic files and media need to be destroyed or erased.
For a company that’s not used to dealing with the proper disposal of documentation, this can be a daunting task. If it’s a small operation, the most cost effective approach can be to purchase a shredder and handle everything in-house. But when the volume of paper increases, the drain on resources can be overwhelming. More staff has to be dedicated to document destruction rather than having these resources focus on the company’s core competencies. Instead of overburdening staff, the solution can be as easy as turning to a records management company.
Why Turn to a Records Management Provider for Compliance
Records management providers have expertise in helping organizations comply with FACTA as well as other regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Gramm-Leach-Bliley (GLB) Act. The right provider should empower companies to manage the document lifecycle from source to shred, offering a range of services such as secure document storage and retrieval, delivery, indexing, destruction, and consulting.
When utilizing these destruction services, companies need to specify in the contract with their vendor that the documents contain consumer information and must be destroyed in accordance with the FTC’s rule. For additional security purposes, organizations should select a records destruction vendor that follows a process that includes a written report and authentication of records that are ready for destruction, prior written approval, final verification, certified shredding, and the creation of a Certificate of Destruction as proof of compliance.
If a company also stores its documents with a records management provider, compliance can be an even easier process. The provider should be able to incorporate the company’s existing retention policies along with compliance guidelines to determine how long different documents and files should be retained. Upon the destruction date, the provider should ask for final verification before proceeding with certified shredding.
Regardless of the path a company follows, ensuring that it complies with all existing rules and regulations takes a lot of work. If a company decides to handle everything internally, it has to gain a core competency that it may not have had previously. But by turning to a records management provider, the company is able to focus on its core competencies while gaining a valuable partner in the world of compliance.