[Federal Register Volume 69, Number 76 (Tuesday, April 20, 2004)]
[Proposed Rules]
[Pages 21388-21392]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-8904]



[[Page 21387]]

-----------------------------------------------------------------------

Part III





Federal Trade Commission





-----------------------------------------------------------------------



16 CFR Part 682



Disposal of Consumer Report Information and Records; Proposed Rule


[[Page 21388]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 682

RIN 3084-AA94


Disposal of Consumer Report Information and Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is 
proposing a rule regarding the proper disposal of consumer report 
information and records. The Fair and Accurate Credit Transactions Act 
of 2003 (``FACT Act'' or ``Act'') requires the Federal Reserve Board, 
Office of the Comptroller of the Currency, Federal Deposit Insurance 
Corporation, Office of Thrift Supervision (collectively, the ``Federal 
banking agencies''), National Credit Union Administration, Securities 
and Exchange Commission, and Federal Trade Commission, in coordination 
with one another, to adopt consistent and comparable rules regarding 
such disposal.

DATES: Written comments must be received on or before June 15, 2004.

ADDRESSES: Interested parties are invited to submit written comments. 
Comments should refer to ``The FACT Act Disposal Rule, R-411007'' to 
facilitate the organization of comments. A comment filed in paper form 
should include this reference both in the text and on the envelope, and 
should be mailed or delivered to the following address: Federal Trade 
Commission/Office of the Secretary, Room 159-H (Annex H), 600 
Pennsylvania Avenue, NW., Washington, DC 20580. Comments containing 
confidential material must be filed in paper form. The FTC is 
requesting that any comment filed in paper form be sent by courier or 
overnight service, if possible, because U.S. postal mail in the 
Washington area and at the Commission is subject to delay due to 
heightened security precautions.
    An electronic comment can be filed by (1) clicking on http://www.regulations.gov; (2) selecting ``Federal Trade Commission'' at 
``Search for Open Regulations;'' (3) locating the summary of this 
Notice; (4) clicking on ``Submit a Comment on this Regulation;'' and 
(5) completing the form. For a given electronic comment, any 
information placed in the following fields--``Title,'' ``First Name,'' 
``Last Name,'' ``Organization Name,'' ``State,'' ``Comment,'' and 
``Attachment''--will be publicly available on the FTC Web site. The 
fields marked with an asterisk on the form are required in order for 
the FTC to fully consider a particular comment. Commenters may choose 
not to fill in one or more of those fields, but if they do so, their 
comments may not be considered.
    Comments on any proposed filing, recordkeeping, or disclosure 
requirements that are subject to paperwork burden review under the 
Paperwork Reduction Act should additionally be submitted to: Office of 
Information and Regulatory Affairs, Office of Management and Budget, 
Attention: Desk Officer for the Federal Trade Commission. Comments 
should be submitted via facsimile to (202) 395-6974 because U.S. postal 
mail at the Office of Management and Budget is subject to lengthy 
delays due to heightened security precautions. Such comments should 
also be sent to the following address: Federal Trade Commission/Office 
of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW., 
Washington, DC 20580.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. All timely and responsive public comments, whether filed 
in paper or electronic form, will be considered by the Commission, and 
will be available to the public on the FTC Web site, to the extent 
practicable, at http://www.ftc.gov. As a matter of discretion, the FTC 
makes every effort to remove home contact information for individuals 
from the public comments it receives before placing those comments on 
the FTC Web site. More information, including routine uses permitted by 
the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

FOR FURTHER INFORMATION CONTACT: Ellen Finn or Susan McDonald, 
Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, 
NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: This notice contains the following sections:

I. Introduction
II. Summary of Proposed Rule
III. Invitation to Comment
IV. Communications by Outside Parties to Commissioners or Their 
Advisors
V. Paperwork Reduction Act
VI. Regulatory Flexibility Act
 Proposed Rule

I. Introduction

    The FACT Act was signed into law on December 4, 2003. Fair and 
Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159 (2003). 
In general, the Act amends the Fair Credit Reporting Act (``FCRA'') to 
enhance the accuracy of consumer reports and to allow consumers to 
exercise greater control regarding the type and amount of marketing 
solicitations they receive. To promote increasingly efficient national 
credit markets, the FACT Act also establishes uniform national 
standards in key areas of regulation regarding consumer report 
information. Finally, the Act contains a number of provisions intended 
to combat consumer fraud and related crimes, including identity theft, 
and to assist its victims.
    Section 216 of the FACT Act requires the Commission, Federal 
banking agencies, National Credit Union Administration, and Securities 
and Exchange Commission (the ``Agencies''), to issue regulations 
requiring ``any person that maintains or otherwise possesses consumer 
information, or any compilation of consumer information, derived from 
consumer reports for a business purpose to properly dispose of any such 
information or compilation.'' The purpose of this section is to prevent 
unauthorized disclosure of consumer information and to reduce the risk 
of fraud or related crimes, including identity theft, by ensuring that 
records containing sensitive financial or personal information are 
appropriately redacted or destroyed before being discarded. The 
Agencies are required to consult and coordinate with each other so 
that, to the extent possible, regulations implementing this section are 
consistent and comparable. In addition, the Agencies' regulations must 
be consistent with the Gramm-Leach-Bliley Act (``GLBA'') and other 
provisions of Federal law. The Commission has conferred with the 
Agencies and now offers for public comment this proposed rule regarding 
the disposal of consumer report information and records (``Disposal 
Rule'' or ``Rule'').\1\
---------------------------------------------------------------------------

    \1\ The Federal banking agencies, SEC, and NCUA propose to 
implement section 216 of the FACT Act by amending their existing 
guidelines and rules on information security previously issued to 
implement section 501(b) of the GLBA. However, because the entities 
subject to the FTC's jurisdiction under the FACT Act and the GLBA 
are overlapping but not coextensive, the Commission is proposing a 
separate rule to implement section 216 of the FACT Act.
---------------------------------------------------------------------------

II. Summary of Proposed Rule

    The following is a section-by-section summary of the Commission's 
proposed Rule.

[[Page 21389]]

Proposed Section 682.1: Definitions

    This section defines terms for purposes of the proposed Disposal 
Rule. Proposed section 682.1(a) makes clear that, unless otherwise 
stated, terms used in the Disposal Rule have the same meaning as set 
forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. Thus, 
for example, the term ``consumer report'' as used in the Disposal Rule 
has the same meaning as the term ``consumer report'' elsewhere in the 
FCRA. See 15 U.S.C. 1681a(d) (defining ``consumer report''). The 
proposed Disposal Rule also defines two new terms: ``consumer 
information'' and ``disposal.''
    Proposed section 682.1(b) defines ``consumer information'' as any 
record about an individual, whether in paper, electronic, or other 
form, that is a consumer report or is derived from a consumer report. 
The Commission believes a broad definition of the term, which includes 
all types of records that are consumer reports, or contain consumer 
information derived from consumer reports, will best effectuate the 
purpose of the Act. However, under this definition, information that is 
derived from consumer reports but does not identify any particular 
consumers would not be covered under the proposed Rule. The Commission 
believes that limiting ``consumer information'' to information that 
identifies particular consumers is consistent with current law relating 
to the scope of the term ``consumer report'' under the FCRA and the 
purposes of section 216.
    Proposed section 682.1(c) defines ``disposing'' or ``disposal'' to 
include the discarding or abandonment of consumer information, as well 
as the sale, donation, or transfer of any medium, including computer 
equipment, upon which consumer information is stored. By itself, the 
sale, donation, or transfer of consumer information would not be 
considered ``disposal'' under the proposed Rule.
    The Commission requests comment on both of these proposed 
definitions.

Proposed Section 682.2: Purpose and Scope

    Proposed section 682.2(a) sets forth the purpose of the proposed 
Disposal Rule, which is to reduce the risk of consumer fraud and 
related harms, including identity theft, created by improper disposal 
of consumer information. See Cong. Rec. S13889 (Nov. 4, 2003) 
(Statement of Sen. Nelson).
    Proposed section 682.2(b) sets forth the scope of the proposed 
Disposal Rule, which applies to ``any person over which the Federal 
Trade Commission has jurisdiction, that, for a business purpose, 
maintains or otherwise possesses consumer information, or any 
compilation of consumer information.''\2\ This section, which tracks 
the language of section 216 of the FACT Act, creates two criteria for 
determining whether a person would be required to comply with the 
Disposal Rule. First, does the person maintain or otherwise possess the 
consumer information for a business purpose? Second, does the record 
being disposed of contain consumer information, or any compilation of 
consumer information?
---------------------------------------------------------------------------

    \2\ ``Person'' is defined in the FCRA, 15 U.S.C. 1681a(b), as 
``any individual, partnership, corporation, trust, estate, 
cooperative, association, government or governmental subdivision or 
agency, or other entity.''
---------------------------------------------------------------------------

    As to the first criterion, the Commission reads ``for a business 
purpose'' broadly to include all business reasons for which a person 
may possess or maintain consumer information. Thus, the Rule would 
likely cover any person that possesses or maintains consumer 
information other than an individual consumer who has obtained his or 
her own consumer report. Among the entities that possess or maintain 
consumer information for a business purpose are consumer reporting 
agencies, including resellers of consumer reports, that are in the 
business of selling consumer information, as well as lenders, insurers, 
employers, landlords, government agencies, mortgage brokers, automobile 
dealers, and other users of consumer reports.\3\ Companies that possess 
consumer information in connection with the provision of services to 
another entity are also directly covered by the proposed Rule to the 
extent that they dispose of the consumer information.\4\
---------------------------------------------------------------------------

    \3\ As these examples illustrate, the Commission views a 
``business purpose'' as broader than a ``permissible purpose'' as 
defined in section 604 of the FCRA. See 15 U.S.C. 1681b (outlining 
permissible uses of consumer reports). Although ``permissible 
purposes'' are generally ``business purposes,'' there are a variety 
of business purposes for which persons maintain or possess 
``consumer information'' beyond those listed as ``permissible'' for 
users of consumer reports.
    \4\ Examples of such companies could include records management 
or waste disposal companies.
---------------------------------------------------------------------------

    As to the second criterion, the FACT Act and proposed Rule make 
clear that the disposal requirements apply not only to consumer 
reports, but also to records containing ``consumer information, or any 
compilation of consumer information, derived from consumer reports.'' 
FACT Act, section 628(a)(1). The Commission believes that the phrase 
``derived from consumer reports'' covers all of the information about a 
consumer that is taken from a consumer report, including information 
that results in whole or in part from manipulation of information from 
a consumer report or information from a consumer report that has been 
combined with other types of information.\5\ Thus, any person that 
possesses such information, including an affiliate that has received it 
pursuant to section 603(d)(2)(A)(iii) of the FCRA, would be obligated 
to properly dispose of it.
---------------------------------------------------------------------------

    \5\ Information that does not identify particular consumers 
would not be covered, even if the information was originally 
``derived from consumer reports,'' since that information would no 
longer be ``about a consumer.''
---------------------------------------------------------------------------

    The Commission requests comment on the scope of the proposed Rule 
and the costs and benefits of covering the entities and information 
proposed. The Commission also seeks comment on whether the definition 
of covered ``consumer information'' should be further clarified, by 
example or otherwise. Finally, the Commission requests comment on 
whether there are any persons or classes of persons covered by the 
proposed Rule that it should consider exempting from the Rule's 
application pursuant to section 216(a)(3) of the FACTA.

Proposed Section 682.3: Proper Disposal of Consumer Information

    Regarding the standard for disposal, the proposed Rule would 
require that any person that maintains or otherwise possesses consumer 
information ``take reasonable measures to protect against unauthorized 
access to or use of the information in connection with its disposal.'' 
The Commission recognizes that there are few foolproof methods of 
record destruction. Accordingly, the proposed Rule does not require 
covered persons to ensure perfect destruction of consumer information 
in every instance; rather, it requires covered entities to take 
reasonable measures to protect against unauthorized access to or use of 
the information in connection with its disposal.
    In determining what measures are ``reasonable'' under the Rule, the 
Commission expects that entities covered by the proposed Rule would 
consider the sensitivity of the consumer information, the nature and 
size of the entity's operations, the costs and benefits of different 
disposal methods, and relevant technological changes. ``Reasonable 
measures'' are very likely to require elements such as the 
establishment of policies and procedures governing disposal, as well as 
appropriate employee training.

[[Page 21390]]

    The flexible standard for disposal in the proposed Rule would allow 
covered persons to make decisions appropriate to their particular 
circumstances and should minimize the disruption of existing practices 
to the extent that they already provide appropriate protections for 
consumers. It is also intended to minimize the burden of compliance for 
smaller entities. In addition, a ``reasonable measures'' standard would 
harmonize the Disposal Rule with the Commission's Safeguards Rule, 16 
CFR part 314, implementing section 501(b) of the GLBA, so that entities 
subject to both rules will not face conflicting requirements.\6\ An 
entity subject to the Safeguards Rule is required to address the 
disposal of customer information as one part of a larger, written 
information security program reasonable and appropriate for that 
entity. An entity that incorporates proper disposal measures for 
consumer information, as defined in the FACT Act Disposal Rule, into 
the broader information security program required by the Safeguards 
Rule would easily be able to comply with both rules.\7\
---------------------------------------------------------------------------

    \6\ The coverage of the proposed Disposal Rule is different from 
that of the Commission's Safeguards Rule. Although some entities may 
be subject to both rules, there are a variety of entities subject to 
the proposed Disposal Rule that are not subject to the Safeguards 
Rule because they are not ``financial institutions'' under GLBA. 
This differential coverage was specifically intended by Congress. 
See Cong. Rec. S13889 (Nov. 4, 2003) (Statement of Sen. Nelson). In 
addition, the proposed Disposal Rule and the Safeguards Rule apply 
to different sets of information. See 16 CFR 314.1(b) (describing 
scope of ``customer information'' covered by Safeguards Rule); 
Proposed Disposal Rule Sec. Sec.  682.1(b) & 682.2(b) (defining 
scope of ``consumer information'' subject to proposed Disposal 
rule).
    \7\ As noted above, in addition to the entities that own 
consumer information, waste disposal companies and other companies 
that obtain consumer information in connection with the provision of 
services would be directly covered by the Disposal Rule. By 
contrast, such entities are generally deemed ``service providers'' 
under the Safeguards Rule. To the extent that such entities 
undertake disposal measures that comply with the Disposal Rule, such 
measures would also be appropriate disposal measures under the 
service provider provisions of the Safeguards Rule. See 16 CFR 
314.4(d). However, such disposal measures would only be one part of 
the broader security program required of both financial institutions 
and, indirectly, their service providers under the Safeguards Rule.
---------------------------------------------------------------------------

    Despite the many benefits of a flexible ``reasonableness'' 
standard, the Commission recognizes that such a standard can leave 
covered persons with some uncertainty about compliance. Accordingly, 
the proposed Rule includes examples intended to provide guidance on 
disposal measures that would be deemed reasonable under the Rule. These 
examples are illustrative only, not exhaustive, and because they cannot 
take into account a particular entity's unique circumstances, they are 
intended merely to provide general guidance.
    The Commission invites comment on the proposed standard for record 
disposal. In particular, the Commission invites comment on: (1) The 
costs and benefits of the proposed standard; (2) the costs and benefits 
of any alternative standards; (3) the appropriateness and usefulness of 
providing examples in the Rule of reasonable record disposal measures; 
(4) the merits of the examples included in this notice, as well as any 
other standards or examples that the Commission might consider to 
provide guidance on appropriate record disposal.

Proposed Section 682.4: Relation to Other Laws

    The proposal makes clear that nothing in the proposed Rule is 
intended to create a requirement that a person maintain or destroy any 
record pertaining to a consumer. Nor is the Rule intended to affect any 
requirement imposed under any other provision of law to maintain or 
destroy such records.

Proposed Section 682.5: Effective Date

    The Commission proposes to make the Disposal Rule effective 3 
months after the publication of the final Rule.

III. Invitation To Comment

    The Commission invites interested members of the public to submit 
written data, views, facts, and arguments addressing the issues raised 
by this Notice. Written comments must be received on or before June 15, 
2004. Comments should refer to ``The FACT Act Disposal Rule, R-411007'' 
to facilitate the organization of comments. A comment filed in paper 
form should include this reference both in the text and on the 
envelope, and should be mailed or delivered to the following address: 
Federal Trade Commission/Office of the Secretary, Room 159-H (Annex H), 
600 Pennsylvania Avenue, NW., Washington, DC 20580. If the comment 
contains any material for which confidential treatment is requested, it 
must be filed in paper (rather than electronic) form, and the first 
page of the document must be clearly labeled ``Confidential.''\8\ The 
FTC is requesting that any comment filed in paper form be sent by 
courier or overnight service, if possible, because U.S. postal mail in 
the Washington area and at the Commission is subject to delay due to 
heightened security precautions.
---------------------------------------------------------------------------

    \8\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be 
accompanied by an explicit request for confidential treatment, 
including the factual and legal basis for the request, and must 
identify the specific portions of the comment to be withheld from 
the public record. The request will be granted or denied by the 
Commission's General Counsel, consistent with applicable law and the 
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    An electronic comment can be filed by (1) clicking on http://www.regulations.gov; (2) selecting ``Federal Trade Commission'' at 
``Search for Open Regulations;'' (3) locating the summary of this 
Notice; (4) clicking on ``Submit a Comment on this Regulation;'' and 
(5) completing the form. For a given electronic comment, any 
information placed in the following fields--``Title,'' ``First Name,'' 
``Last Name,'' ``Organization Name,'' ``State,'' ``Comment,'' and 
``Attachment''--will be publicly available on the FTC Web site. The 
fields marked with an asterisk on the form are required in order for 
the FTC to fully consider a particular comment. Commenters may choose 
not to fill in one or more of those fields, but if they do so, their 
comments may not be considered.
    Comments on any proposed filing, recordkeeping, or disclosure 
requirements that are subject to paperwork burden review under the 
Paperwork Reduction Act should additionally be submitted to: Office of 
Information and Regulatory Affairs, Office of Management and Budget, 
Attention: Desk Officer for the Federal Trade Commission. Comments 
should be submitted via facsimile to (202) 395-6974 because U.S. postal 
mail at the Office of Management and Budget is subject to lengthy 
delays due to heightened security precautions. Such comments should 
also be sent to the following address: Federal Trade Commission/Office 
of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW., 
Washington, DC 20580.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. All timely and responsive public comments, whether filed 
in paper or electronic form, will be considered by the Commission, and 
will be available to the public on the FTC Web site, to the extent 
practicable, at http://www.ftc.gov. As a matter of discretion, the FTC 
makes every effort to remove home contact information for individuals 
from the public comments it receives before placing those comments on 
the FTC Web site. More information, including routine uses permitted by 
the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

[[Page 21391]]

IV. Communications by Outside Parties to Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding from any 
outside party to any Commissioner or Commissioner's advisor will be 
placed on the public record. See 16 CFR 1.26(b)(5).

V. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C. 
3506) (PRA), the Commission has reviewed the proposed rule. The 
proposed rule explicitly provides that it is not intended ``(1) to 
require a person to maintain or destroy any record pertaining to a 
consumer that is not imposed under other law; or (2) to alter or affect 
any requirement imposed under any other provision of law to maintain or 
destroy such a record.'' As such, the proposed rule does not impose any 
recordkeeping requirement or otherwise constitute a ``collection of 
information'' as it is defined in the regulations implementing the PRA. 
See 5 CFR 1320.3(c).

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612, 
requires an agency to provide an Initial Regulatory Flexibility 
Analysis (``IRFA'') with a proposed rule and a Final Regulatory 
Flexibility Analysis (``FRFA'') with the final rule, if any, unless the 
agency certifies that the rule will not have a significant economic 
impact on a substantial number of small entities. See 5 U.S.C. 603-605. 
The Commission has determined that it is appropriate to publish an IRFA 
in order to inquire into the impact of the proposed Rule on small 
entities. Therefore, the Commission has prepared the following 
analysis.

A. Reasons for the Proposed Rule

    Section 216 of the FACT Act requires the Commission to issue 
regulations regarding the proper disposal of consumer information in 
order to prevent sensitive financial and personal information from 
falling into the hands of identity thieves or others who might use the 
information to victimize consumers. The requirements of the proposed 
Rule are intended to fulfill the obligations imposed by section 216.

B. Statement of Objectives and Legal Basis

    The objectives of the proposed Rule are discussed above. The legal 
basis for the proposed Rule is section 216 of the FACT Act.

C. Description of Small Entities to Which the Proposed Rule Will Apply

    The proposed Disposal Rule, which tracks the language of section 
216 of the FACT Act, applies to ``any person that, for a business 
purpose, maintains or otherwise possesses consumer information, or any 
compilation of consumer information.'' As discussed above, the entities 
covered by the Rule would include consumer reporting agencies, 
resellers of consumer reports, lenders, insurers, employers, landlords, 
government agencies, mortgage brokers, automobile dealers, waste 
disposal companies, and any other business that possesses or maintains 
consumer information. Although it is not readily feasible to determine 
a precise number of small entities that will be subject to the proposed 
Rule, it is clear that numerous small entities across almost every 
industry could potentially be subject to the Rule.
    For example, any employer, regardless of industry or size, that 
obtains a consumer report (whether a full credit report or a pre-
employment background check of public records) would be subject to the 
proposed Rule. Indeed, any company, regardless of industry or size, 
that obtains consumer reports for a business purpose would be subject 
to the proposed Rule. In addition, a variety of consumer reporting 
agencies and resellers of consumer reports may qualify as small 
businesses, as could a number of waste disposal companies, all of which 
would be subject to the proposed Rule.
    Given the diversity of the entities potentially subject to the 
Rule, determining a precise estimate of the number of small entities 
that will be subject to the proposed Rule, or describing those 
entities, is not possible. The Commission invites comment and 
information on this issue.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

    The proposed Rule would not impose any reporting or any specific 
recordkeeping requirements within the meaning of the Paperwork 
Reduction Act, discussed above. The proposed Rule would require covered 
entities, when disposing of consumer information, to take reasonable 
measures to protect against unauthorized access to or use of the 
information in connection with its disposal. What is considered 
``reasonable'' will vary according to an entity's nature and size, the 
costs and benefits of available disposal methods, and the sensitivity 
of the information involved. This flexibility is intended to reduce the 
burden that might otherwise be imposed on small entities by a more 
rigid, prescriptive rule. Nonetheless, the Commission is concerned 
about the potential impact of the proposed Rule on small entities, and 
invites comment on the costs of compliance for such parties.

E. Identification of Other Duplicative, Overlapping, or Conflicting 
Federal Rules

    The FTC has not identified any other Federal statutes, rules, or 
policies that would conflict with the proposed Rule's requirement that 
covered persons take reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal. However, the Commission is requesting comment on the extent 
to which other federal standards involving privacy or security of 
information may duplicate, satisfy, or inform the proposed Rule's 
requirements. In addition, the FTC seeks comment and information about 
any statutes or rules that may conflict with the proposed requirements, 
as well as any other state, local, or industry rules or policies that 
require covered entities to implement practices that comport with the 
requirements of the proposed Rule.

F. Discussion of Significant Alternatives

    Section 216 of the FACT Act requires the Commission to issue 
regulations regarding the proper disposal of consumer information. The 
Act also requires that the regulations cover ``any person who possesses 
or maintains'' consumer report information. This broad coverage is 
consistent with the section's purpose of preventing identity theft 
because the risks created by improper disposal of consumer information 
are the same regardless of the nature of the entity disposing of the 
records. However, the standards in the proposed Rule are flexible, and 
take account of a covered entity's size and sophistication, as well as 
the costs and benefits of alternative disposal methods. The FTC 
welcomes comment on any significant alternatives, consistent with the 
purposes of the FACT Act, that would minimize the impact on small 
entities.

List of Subjects in 16 CFR Part 682

    Consumer reports, Consumer reporting agencies, Credit, Fair Credit 
Reporting Act, Trade practices.
    Accordingly, the Commission proposes to add part 682 of title 16 of 
the Code of Federal Regulations as follows:

[[Page 21392]]

PART 682--DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS

Sec.
682.1 Definitions.
682.2 Purpose and scope.
682.3 Proper disposal of consumer information.
682.4 Relation to other laws.
682.5 Effective date.

    Authority: Pub. L. 108-159, sec. 216.

Sec.  682.1  Definitions.

    (a) In general. Except as modified by this part or unless the 
context otherwise requires, the terms used in this part have the same 
meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 
et seq.
    (b) As used in this part, ``consumer information'' means any record 
about an individual, whether in paper, electronic, or other form, that 
is a consumer report or is derived from a consumer report.
    (c) As used in this part, ``disposing'' or ``disposal'' includes:
    (1) the discarding or abandonment of consumer information, and
    (2) the sale, donation, or transfer of any medium, including 
computer equipment, upon which consumer information is stored.


Sec.  682.2  Purpose and scope.

    (a) Purpose. This part (``rule'') implements section 216 of the 
Fair and Accurate Credit Transactions Act of 2003, which is designed to 
reduce the risk of consumer fraud and related harms, including identity 
theft, created by improper disposal of consumer information.
    (b) Scope. This rule applies to any person over which the Federal 
Trade Commission has jurisdiction, that, for a business purpose, 
maintains or otherwise possesses consumer information or any 
compilation of consumer information.


Sec.  682.3  Proper disposal of consumer information.

    (a) Standard. Any person who maintains or otherwise possesses 
consumer information, or any compilation of consumer information, for a 
business purpose must properly dispose of such information by taking 
reasonable measures to protect against unauthorized access to or use of 
the information in connection with its disposal.
    (b) Examples. Reasonable measures to protect against unauthorized 
access to or use of consumer information in connection with its 
disposal would include:
    (1) Implementing and monitoring compliance with policies and 
procedures that require the burning, pulverizing, or shredding of 
papers containing consumer information so that the information cannot 
practicably be read or reconstructed.
    (2) Implementing and monitoring compliance with policies and 
procedures that require the destruction or erasure of electronic media 
containing consumer information so that the information cannot 
practicably be read or reconstructed.
    (3) After due diligence, entering into and monitoring compliance 
with a written contract with another party engaged in the business of 
record destruction to dispose of consumer information in a manner 
consistent with this rule. In this context, due diligence could include 
reviewing an independent audit of the disposal company's operations 
and/or its compliance with this rule, obtaining information about the 
disposal company from several references or other reliable sources, 
requiring that the disposal company be certified by a recognized trade 
association or similar third party, reviewing and evaluating the 
disposal company's information security policies or procedures, or 
taking other appropriate measures to determine the competency and 
integrity of the potential disposal company.
    (4) (a) For disposal companies explicitly hired to dispose of 
consumer information: implementing and monitoring compliance with 
policies and procedures that protect against unauthorized access to or 
use of consumer information during collection and transportation, and 
disposing of such information in accordance with examples (1) and (2) 
above.
    (b) For traditional garbage collectors engaged in the normal course 
of business: disposing of garbage in accordance with standard 
procedures.


Sec.  682.4  Relation to other laws.

    Nothing in this rule shall be construed--
    (a) to require a person to maintain or destroy any record 
pertaining to a consumer that is not imposed under other law; or
    (b) to alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.


Sec.  682.5  Effective date.

    This rule is effective 3 months from the date on which a final rule 
is published in the Federal Register.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 04-8904 Filed 4-19-04; 8:45 am]