[Federal Register Volume 69, Number 130 (Thursday, July 8, 2004)]
[Proposed Rules]
[Pages 41219-41221]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-15579]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 682

RIN 3084-AA94


Disposal of Consumer Report Information and Records

AGENCY: Federal Trade Commission (FTC).

ACTION: Supplemental initial regulatory flexibility analysis for notice 
of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is 
publishing a supplemental initial regulatory flexibility analysis to 
aid the public in commenting upon the small business impact of its 
proposed rule implementing section 216 of the Fair and Accurate Credit 
Transactions Act of 2003 (``FACT Act'' or ``Act'').

DATES: Written comments must be received on or before July 30, 2004.

ADDRESSES: Interested parties are invited to submit written comments. 
Comments should refer to ``The FACT Act Disposal Rule, R-411007'' to 
facilitate the organization of comments. A comment filed in paper form 
should include this reference both in the text and on the envelope, and 
should be mailed or delivered to the following address: Federal Trade 
Commission/Office of the Secretary, Room 159-H (Annex H), 600 
Pennsylvania Avenue, NW., Washington, DC 20580. Comments containing 
confidential material must be filed in paper form clearly labeled 
``Confidential,'' and comply with the Commission Rule 4.9(c). 16 CFR 
4.9(c). The FTC is requesting that any comment filed in paper form be 
sent by courier or overnight service, if possible, because U.S. postal 
mail in the Washington area and at the Commission is subject to delay 
due to heightened security precautions.
    An electronic comment can be filed by (1) clicking on http://www.regulations.gov; (2) selecting ``Federal Trade Commission'' at 
``Search for Open Regulations;'' (3) locating the summary of this 
Notice; (4) clicking on ``Submit a Comment on this Regulation;'' and 
(5) completing the form. For a given electronic comment, any 
information placed in the following fields--``Title,'' ``First Name,'' 
``Last Name,'' ``Organization Name,'' ``State,'' ``Comment,'' and 
``Attachment''--will be publicly available on the FTC Web site. The 
fields marked with an asterisk on the form are required in order for 
the FTC to fully consider a particular comment. Commenters may choose 
not to fill in one or more of those fields, but if they do so, their 
comments may not be considered.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. All timely and responsive public comments, whether filed 
in paper or electronic form, will be considered by the Commission, and 
will be available to the public on the FTC Web site, to the extent 
practicable, at www.ftc.gov. As a matter of discretion, the FTC makes 
every effort to remove home contact information for individuals from 
the public comments it receives before placing those comments on the 
FTC Web site. More information, including routine uses permitted by the 
Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

FOR FURTHER INFORMATION CONTACT: Ellen Finn or Susan McDonald, 
Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, 
NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: This notice supplements the Commission's 
initial notice of proposed rulemaking, 69 FR 21388 (Apr. 20, 2004), for 
its proposed rule regarding Disposal of Consumer Report Information and 
Records, 16 CFR part 682, implementing section 216 of the FACT Act, 
Pub. L. 108-159 (2003). The Commission's notice of proposed rulemaking 
included an initial regulatory flexibility analysis pursuant to the 
Regulatory Flexibility Act (5 U.S.C. 603); however, the Commission has 
decided to publish the following supplemental analysis in order to 
provide additional information and opportunity for public comment on 
the small business impact, if any, of the proposed rule. The Commission 
notes that there has already been a substantial period for public 
comment on the proposed rule itself and that the public comments 
received are posted online at http://www.ftc.gov/os/comments/disposal/index.htm.

A. Reasons for the Proposed Rule

    Section 216 of the FACT Act requires the Commission to issue 
regulations regarding the proper disposal of consumer information in 
order to prevent sensitive financial and personal

[[Page 41220]]

information from falling into the hands of identity thieves or others 
who might use the information to victimize consumers. The requirements 
of the proposed Rule are intended to implement section 216.

B. Statement of Objectives and Legal Basis

    The objective of the proposed Rule, set forth in Proposed Section 
682.2(a), is to reduce the risk of consumer fraud and related harms, 
including identity theft, created by improper disposal of consumer 
information. See Cong. Rec. S13889 (Nov. 4, 2003) (Statement of Sen. 
Nelson). The legal basis for the proposed Rule is section 216 of the 
FACT Act.

C. Description of Small Entities to Which the Proposed Rule Will Apply

    The proposed Disposal Rule, which tracks the language of section 
216 of the FACT Act, applies to ``any person that, for a business 
purpose, maintains or otherwise possesses consumer information, or any 
compilation of consumer information.'' As discussed in the initial 
notice of proposed rulemaking, the entities covered by the proposed 
Rule would include consumer reporting agencies, resellers of consumer 
reports, lenders, insurers, employers, landlords, government agencies, 
mortgage brokers, automobile dealers, waste disposal companies, and any 
other business that possesses or maintains consumer information.
    As discussed in the initial notice of proposed rulemaking, any 
company, regardless of industry or size, that possesses or maintains 
consumer information for a business purpose would be subject to the 
proposed Rule. Therefore, numerous small entities across almost every 
industry could potentially be subject to the Rule. For the majority of 
entities subject to the proposed Rule, a small business is defined by 
the Small Business Administration as one whose average annual receipts 
do not exceed $6 million or who have fewer than 500 employees.\1\
---------------------------------------------------------------------------

    \1\ These numbers represent the size standards for most retail 
and service industries ($6 million total receipts) and manufacturing 
industries (500 employees). A list of the SBA's size standards for 
all industries can be found at http://www.sba.gov/size/summary-whatis.html.
---------------------------------------------------------------------------

    Although it is impossible to identify every industry that may 
possess or maintain consumer information \2\ for business purposes, the 
Commission anticipates that, at a minimum, the estimated 231,000 small 
entities within the finance and insurance industries are likely to be 
subject to the proposed Rule.\3\ Generally, these entities are already 
subject to the FTC's Gramm-Leach-Bliley Act Safeguards Rule,\4\ which 
contains requirements similar to those in the proposed Rule. As a 
result, as discussed further below, the marginal cost of compliance 
with the proposed Disposal Rule for these businesses is likely to be 
minimal.
---------------------------------------------------------------------------

    \2\ ``Consumer Information'' is defined in the proposed Rule as 
any ``record about an individual, whether in paper, electronic, or 
other form, that is a consumer report or is derived from a consumer 
report.''
    \3\ This number represents 2001 totals as reported by the SBA. 
See http://www.sba.gov/advo/stats/.
    \4\ 16 CFR part 314.
---------------------------------------------------------------------------

    In addition, any business, regardless of industry, that obtains a 
consumer report, or information derived from a consumer report, would 
be subject to the proposed Rule. Among businesses that might fall into 
this category are landlords, utility companies, telecommunications 
companies, and any business that obtains consumer reports for 
employment screening purposes. The Commission is unaware of any data 
concerning the frequency with which small businesses such as these 
obtain consumer reports. As a result, it is not possible to determine 
precisely how many small businesses outside the finance and insurance 
industries would be subject to the proposed Rule, or how often these 
entities would be required to undertake compliance efforts.
    Accordingly, the Commission continues to believe that a precise 
estimate of the number of small entities that fall under the proposed 
Rule is not currently feasible, and specifically requests information 
or comment on this issue.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

    The proposed Rule would not impose any specific reporting or 
recordkeeping requirements within the meaning of the Paperwork 
Reduction Act. The proposed Rule would require covered entities, when 
disposing of consumer information, to take reasonable measures to 
protect against unauthorized access to or use of the information in 
connection with its disposal. What is considered ``reasonable'' will 
vary according to an entity's nature and size, the costs and benefits 
of available disposal methods, and the sensitivity of the information 
involved. In formulating the proposed Rule, the Commission considered 
alternatives to this approach, and determined that the flexibility 
afforded by the Rule as proposed would reduce the burden that might 
otherwise be imposed on small entities by a more rigid, prescriptive 
rule.
    As noted above, entities already subject to the Commission's 
Safeguards Rule should incur few, if any, additional compliance costs. 
Among other things, the Safeguards Rule already requires covered 
entities to develop and implement policies that require the proper 
disposal of ``customer information'' (as defined in the GLB Act), as 
well as employee training programs and mechanisms to update its 
information security program on a periodic basis. Modifying these 
policies to address the disposal of ``consumer information'' (as 
defined in the proposed Rule), and training employees on these changes, 
should therefore be possible at little or no cost. In fact, because the 
definitions of ``consumer information'' and ``customer information'' 
overlap, many entities may already be in substantial compliance with 
the proposed Rule's requirements.
    For small businesses not already subject to the GLB Safeguards 
Rule, compliance costs may be greater. Because the proposed Rule does 
not mandate specific disposal measures, a precise estimate of 
compliance costs is not feasible. However, there are certain basic 
steps that are likely to be appropriate for many small entities. For 
example, shredding or burning paper records containing consumer 
information will generally be appropriate. Depending upon the volume of 
records at issue and the office equipment available to the small 
entity, this method of disposal may be accomplished by the small entity 
itself at no cost, may require the purchase of a paper shredder 
(available at office supply stores for as little as $25), or may 
require the hiring of a document disposal service on a periodic basis 
(the costs of which will vary based on the volume of material, 
frequency of service, and geographic location).
    If a small entity has stored consumer information on electronic 
media (for example, computer discs or hard drives), disposal of such 
media could be accomplished by a small entity at almost no cost by 
simply smashing the material with a hammer. In some cases, appropriate 
disposal of electronic media might also be accomplished by overwriting 
or ``wiping'' the data prior to disposal. Utilities to accomplish such 
wiping are widely available for under $25; indeed, some such tools are 
available for download on the Internet at no cost. Whether ``wiping,'' 
as opposed to destruction, of electronic media is reasonable, as well 
as the adequacy of particular utilities to

[[Page 41221]]

accomplish that ``wiping,'' will depend upon the circumstances.
    As the above examples illustrate, although it is not possible to 
estimate small businesses' compliance costs precisely, such costs are 
likely to be quite modest for most small entities. Nonetheless, because 
the Commission is concerned about the potential impact of the proposed 
Rule on small entities, it specifically invites comment on the costs of 
compliance for such parties. In particular, although the Commission 
does not expect that small entities will require legal assistance to 
develop an appropriate disposal plan, the Commission requests comment 
on whether small entities believe that they will incur such costs and, 
if so, what they will be. In addition, the Commission requests comment 
on the costs, if any, of training relevant employees regarding the 
proper disposal of consumer information, particularly for entities not 
subject to the Commission's Safeguards Rule.

E. Identification of Other Duplicative, Overlapping, or Conflicting 
Federal Rules

    The FTC has not identified any other Federal statutes, rules, or 
policies that would conflict with the proposed Rule's requirement that 
covered persons take reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal. However, the Commission is requesting comment on the extent 
to which other Federal standards involving privacy or security of 
information may duplicate, satisfy, or inform the proposed Rule's 
requirements. In addition, the FTC seeks comment and information about 
any statutes or rules that may conflict with the proposed requirements, 
as well as any other State, local, or industry rules or policies that 
require covered entities to implement practices that comport with the 
requirements of the proposed Rule.

F. Discussion of Significant Alternatives

    Section 216 of the FACT Act requires the Commission to issue 
regulations regarding the proper disposal of consumer information. The 
Act also requires that the regulations cover ``any person who possesses 
or maintains'' consumer report information. This broad coverage 
furthers the section's purpose of preventing identity theft because the 
risks created by improper disposal of consumer information are the same 
regardless of the nature of the entity disposing of the records. In 
addition, the standards in the proposed Rule are flexible, and take 
into account a covered entity's size and sophistication, as well as the 
costs and benefits of alternative disposal methods. Nevertheless, the 
FTC seeks comment on any significant alternatives, consistent with the 
purposes of the FACT Act, that could further minimize the Rule's impact 
on small entities.
    In some situations, the Commission has considered adopting a 
delayed effective date for small entities subject to a new regulation 
in order to provide them with additional time to come into compliance. 
In this case, however, in light of the proposed Rule's flexible 
standard and modest compliance costs, the Commission believes that 
small entities should feasibly be able to come into compliance with the 
proposed Rule by the proposed effective date, three months following 
publication of the final Rule. Nonetheless, the Commission invites 
comment on whether small businesses might need additional time to come 
into compliance and, if so, why.
    In addition, the Commission has the authority to exempt any persons 
or classes of persons from the Rule's application pursuant to section 
216(a)(3) of the FACTA. As it did in the initial notice of proposed 
rulemaking, the Commission requests comment on whether there are any 
persons or classes of persons covered by the proposed Rule that it 
should consider exempting from the Rule's application pursuant to 
section 216(a)(3). However, the Commission notes that the statute's 
purpose of protecting consumers against identity theft could be 
undermined by the granting of a broad exemption to small entities.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 04-15579 Filed 7-7-04; 8:45 am]
BILLING CODE 6750-01-P