The Disposal Rule
The Disposal Rule requires anyone using a consumer report for business to dispose of that information reasonably to prevent unauthorized access. It applies to organizations of all sizes and is enforced by the FTC, federal banking regulators and CFPB.
"Disposal" includes discarding, abandonment, donation, sale or transfer. The standard is reasonable practices, weighing sensitivity, costs/benefits of methods, and available technology. It covers CRAs, lenders, employers, insurers, landlords, car dealers, attorneys, debt collectors and government agencies.
- Burn, pulverize or shred papers so they cannot be read or reconstructed.
- Destroy or erase electronic files/media so they cannot be read or reconstructed.
- Conduct due diligence and hire a document-destruction contractor.
Institutions subject to both the FACTA Disposal Rule and the GLBA Safeguards Rule should fold disposal practices into the Safeguards Rule information security program, and watch for stricter state disposal rules.