[Federal Register Volume 69, Number 226 (Wednesday, November 24, 2004)]
[Rules and Regulations]
[Pages 68690-68697]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-25937]



[[Page 68689]]

-----------------------------------------------------------------------

Part V





Federal Trade Commission





-----------------------------------------------------------------------



16 CFR Part 682



Disposal of Consumer Report Information and Records; Final Rule

  Federal Register / Vol. 69 , No. 226 / Wednesday, November 24, 2004 / 
Rules and Regulations  

[[Page 68690]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 682

RIN 3084-AA94


Disposal of Consumer Report Information and Records

AGENCY: Federal Trade Commission (FTC or Commission).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Fair and Accurate Credit Transactions Act of 2003 (``FACT 
Act'' or ``Act'') requires the Federal Reserve Board, Office of the 
Comptroller of the Currency, Federal Deposit Insurance Corporation, 
Office of Thrift Supervision, National Credit Union Administration, 
Securities and Exchange Commission, and Federal Trade Commission, in 
coordination with one another, to adopt consistent and comparable rules 
regarding the proper disposal of consumer report information and 
records. This final rule implements this requirement.

DATES: This rule is effective on June 1, 2005.

FOR FURTHER INFORMATION CONTACT: Ellen Finn or Susan McDonald, 
Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, 
NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

Statement of Basis and Purpose

I. Background

    The Fair and Accurate Credit Transactions Act of 2003, Public Law 
108-159, 117 Stat. 1952 (``FACT Act'' or ``Act'') was signed into law 
on December 4, 2003. In part, the Act amends the Fair Credit Reporting 
Act (``FCRA''), 15 U.S.C. 1681 et seq., by imposing a new requirement 
on persons who possess or maintain, for a business purpose, consumer 
information derived from consumer reports. The Act requires that ``any 
person that maintains or otherwise possesses consumer information, or 
any compilation of consumer information, derived from consumer reports 
for a business purpose[,] properly dispose of any such information or 
compilation.'' \1\
---------------------------------------------------------------------------

    \1\ FACT Act section 216, 15 U.S.C. 1681w(a)(1).
---------------------------------------------------------------------------

    The FACT Act directs the Commission to consult and coordinate with 
other agencies in connection with promulgating rules regarding the 
proper disposal of consumer report information and records. 
Specifically, the Act directs the Commission to consult and coordinate 
with the Federal banking agencies,\2\ the National Credit Union 
Administration (``NCUA''), and the Securities and Exchange Commission 
(``SEC'') so that the regulations prescribed by each agency are 
consistent and comparable.\3\ Further, the Act directs the Commission 
to ensure that the regulations are consistent with the requirements of 
the Gramm-Leach-Bliley Act (``GLBA''), 15 U.S.C. 6081 et seq.\4\
---------------------------------------------------------------------------

    \2\ The Federal Reserve Board of Governors, Office of the 
Comptroller of the Currency, Federal Deposit Insurance Corporation, 
and Office of Thrift Supervision.
    \3\ 15 U.S.C. 1681w(a)(2)(A).
    \4\ 15 U.S.C. 1681w(a)(2)(B).
---------------------------------------------------------------------------

    The Commission has conferred and coordinated extensively with the 
Federal banking agencies, the NCUA, and SEC to ensure that the agencies 
promulgate regulations that are comparable and consistent with each 
other and with the requirements of the GLBA.\5\ On April 16, 2004, the 
Commission issued and sought comment on a proposed Rule implementing 
the requirements of section 216 of the FACT Act (the proposed Rule).\6\ 
On July 8, 2004, the Commission supplemented its initial notice of 
proposed rulemaking (NPR), and sought comment on, a supplemental 
initial regulatory flexibility analysis (supplemental IRFA).\7\ The 
supplemental IRFA was intended to provide additional information to 
assist small businesses in commenting on the impact, if any, the final 
Rule will have on such businesses. In response to both the NPR and the 
supplemental IRFA, the Commission received 58 comments from a variety 
of trade associations, businesses, consumer advocacy groups, and 
individuals. After carefully considering the comments received, the 
Commission adopts the proposed rule with only minor modifications 
described later in this notice.
---------------------------------------------------------------------------

    \5\ The Federal banking agencies, NCUA, and SEC have proposed to 
implement Sec.  216 of the FACT Act by amending their existing 
guidelines and rules on information security previously issued to 
implement section 501(b) of the GLBA. However, because the entities 
subject to the FTC's jurisdiction under the FACT Act and the GLBA 
are overlapping but not coextensive, the Commission has chosen to 
adopt a separate rule to implement Sec.  216 of the FACT Act. 
Despite this difference in form, the substance of the rules is 
comparable and consistent.
    \6\ The notice of proposed rulemaking and proposed Rule were 
published in the Federal Register on April 20, 2004. 69 FR 21387.
    \7\ The supplemental IRFA was published in the Federal Register 
on July 8, 2004. 69 FR 41219.
---------------------------------------------------------------------------

    Like the proposed rule, the final rule requires that persons over 
which the FTC has jurisdiction who maintain or otherwise possess 
consumer information for a business purpose properly dispose of such 
information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal. It also includes several examples, including one new and two 
slightly revised examples, of what the Commission believes constitute 
reasonable measures to protect consumer information in connection with 
its disposal. These examples are intended to provide covered entities 
with guidance on how to comply with the rule but are not intended to be 
safe harbors or exclusive methods for complying with the rule.
    In addition, the final rule maintains the flexible ``reasonable 
measures'' standard of the proposed rule. The FTC realizes that there 
are few foolproof methods of records destruction and that entities 
covered by the rule must consider their own unique circumstances when 
determining how to best comply with the rule.
    Finally, the final rule extends the effective date of the rule from 
three months to six months following publication in the Federal 
Register.

II. Overview of Comments Received

    The Commission received 58 comments on the proposed rule, five of 
which were in response to the supplemental IRFA.\8\ The vast majority 
of these comments were from industry trade organizations \9\ and the 
business community.\10\ Consumer advocacy

[[Page 68691]]

groups,\11\ individual consumers, and one Senator \12\ also submitted 
comments on the proposed rule.
---------------------------------------------------------------------------

    \8\ The public comments relating to this rulemaking may be 
viewed at http://www.ftc.gov/os/comments/disposal/index.htm 
(proposed Rule) and at http://www.ftc.gov/os/comments/disposal-supplement/index.htm (supplemental IRFA). The Commission considered 
all comments received on or before the close of the comment periods 
on June 15, 2004, for the proposed rule and on July 30, 2004, for 
the supplemental analysis. Citations to comments filed in this 
proceeding are made to the name of the organization (if any) or the 
last name of the commenter, and the comment number of record.
    \9\ These included the Consumer Data Industry Association (CDIA) 
(the trade association that represents the nationwide consumer 
reporting agencies and a variety of other consumer reporting 
agencies), the American Insurance Association, America's Community 
Bankers, ACA International (representing debt collection agencies 
and other accounts receivable professionals), ARMA International 
(the association of information management professionals), the 
National Association of Realtors, the Consumers Bankers Association, 
the Credit Union National Association (CUNA), the Michigan Credit 
Union League, the National Independent Automobile Dealer's 
Association, the Software & Information Industry Association (SIIA), 
the Pennsylvania Credit Union Association, the National Association 
of Profession Background Screeners, the National Association for 
Information Destruction, Inc. (NAID) (a trade association for the 
information destruction industry) and the Coalition to Implement the 
FACT Act (representing trade associations and companies that 
furnish, use, collect, and disclose consumer information).
    \10\ These included financial institutions, such as Bank of 
America Corporation, Countrywide Home Loans, Elgin Bank of Texas, 
MasterCard International Incorporated, MBNA America Bank, N.A., 
Virginia Credit Union, Inc. and Visa U.S.A.; credit reporting 
agencies, such as Equifax Information Services LLC, Experian 
Information Solutions, Inc., and Trans Union LLC; and information 
management and destruction firms, including AccuShred, LLC, Allshred 
Services, Inc., Community Shredders, IndyShred, PRISM International, 
Reclamere, Inc., SECURE Eco Shred, and Shred-it Orlando.
    \11\ These included Consumers Union and the Privacy Rights 
Clearinghouse, which was joined in its comments by Consumer Action, 
the Consumer Federation of California, the Identity Theft Resource 
Center, Privacy Activism, and the Worldwide Privacy Forum.
    \12\ Senator Bill Nelson (D-FL).
---------------------------------------------------------------------------

    The Commission received comments on nearly all of the provisions 
contained in the proposed rule. Most commenters, including consumers, 
businesses, and industry representatives, expressed general support for 
a rule requiring the proper disposal of consumer information. Many 
commenters noted that numerous companies that possess or maintain 
consumer report information already have programs in place to ensure 
the information's proper disposal, either as a matter of sound business 
practice or pursuant to other legal requirements. In general, 
commenters stated that they believed that the proposed rule would help 
combat fraud, such as identity theft. Indeed, some commenters urged the 
Commission to adopt provisions that extend beyond what the FACT Act 
provides in order to combat identity theft by, for example, expanding 
the scope of information covered under the rule to include payroll 
records and credit card receipts \13\ or all information stored in the 
same file as consumer report information.\14\
---------------------------------------------------------------------------

    \13\ See Comment, IndyShred 15
    \14\ See Comment, NAID 48.
---------------------------------------------------------------------------

    The majority of commenters focused on the proposed rule's standard 
for disposal and definitions of ``consumer information'' and 
``disposal.'' Most commenters expressed support for the proposed rule's 
``reasonable measures'' standard for disposal. Commenters supporting 
the standard noted that its flexibility would allow covered persons to 
make decisions appropriate to their particular circumstances and that a 
more specific or uniform standard would be unrealistic, unnecessarily 
costly, and insufficiently flexible to deal with the broad range of 
entities subject to the final rule.\15\ One consumer advocacy group 
stated that a more specific minimum standard is needed to ensure that 
all businesses implement adequate disposal practices; \16\ another 
commenter suggested that the final rule should require covered persons 
to adopt formal, written information retention and disposal 
programs.\17\
---------------------------------------------------------------------------

    \15\ See, e.g., Comment, Equal Employment Advisory Council 
26; National Automobile Dealers Association 52; 
Comment, Mastercard 29; Comment, Equifax 54; 
Comment, Consumer Bankers Association 53; Comment, 
Coalition to Implement the FACT Act 64.
    \16\ See, Comment, Consumers Union 8; see also Comment, 
Gercken 14.
    \17\ See Comment, ARMA International 35.
---------------------------------------------------------------------------

    In general, commenters also approved of the definitions of 
``consumer information'' and ``disposal,'' \18\ but some suggested 
minor clarifications.\19\ These comments are addressed more fully 
below.
---------------------------------------------------------------------------

    \18\ See, e.g., Comment, CUNA 22; Comment, Visa U.S.A. 
23 ; Comment, Consumer Bankers Association 53; 
Comment, CDIA 46.
    \19\ See, e.g., Comment, CUNA 22; Comment, Equifax 
54; Comment, Michigan Credit Union League 58; 
Comment, TransUnion 44; Comment, Mastercard 29; 
Comment, Consumer Bankers Association 53; Comment, 
Coalition to Implement the Fact Act 64; Comment, MBNA 
19; Comment, Visa U.S.A. 23; Comment, American 
Financial Services Association 33; Comment, CDIA 
46; Comment, Bank of America 51.
---------------------------------------------------------------------------

    In addition, the Commission received comments from industry 
representatives and financial institutions on the scope of the proposed 
rule. In general, these commenters stated that, for various reasons, 
consumer reporting agencies and other entities already subject to the 
Gramm-Leach-Bliley Act and the Commission's implementing Safeguards 
Rule \20\ should not also be subject to the Disposal Rule.\21\ Among 
other things, these commenters expressed concern that attempting to 
comply with multiple standards would engender uncertainty and possibly 
higher costs among persons covered by both rules. Commenters 
representing the records management and disposal industries \22\ also 
expressed concern that the proposed rule would impose direct liability 
on such service providers for failing to properly dispose of records 
even when they have no contractual arrangements with the record owners 
requiring or paying them to do so. The Commission also received a 
comment from the U.S. Senator who introduced Section 216,\23\ which 
stated that the scope of the proposed rule closely followed 
Congressional intent. These comments are addressed more fully below.
---------------------------------------------------------------------------

    \20\ 16 CFR part 314.
    \21\ See, e.g., Comment, Experian 59; Comment, 
TransUnion 44; Comment, Mastercard 29; Comment, 
Equifax 54.
    \22\ See, e.g., Comment, PRISM International 21; 
Comment, NAID 49.
    \23\ See Comment, Senator Bill Nelson 55.
---------------------------------------------------------------------------

    Overall, commenters were in favor of including examples of proper 
disposal methods in the final rule. Some commenters requested further 
clarification regarding the example involving garbage collectors.\24\ 
Other commenters requested clarification as to whether the examples are 
minimum requirements, safe harbors, or simply illustrative 
guidance.\25\ The Commission also received comments that discussed the 
effective date of the proposed rule. Numerous commenters requested that 
the period between issuance of the final rule and the effective date be 
lengthened.\26\
---------------------------------------------------------------------------

    \24\ See, e.g., Comment, CDIA 46; Comment, Equifax 
54; Comment, NAID 49.
    \25\ See, e.g., Comment, Mastercard 29; Comment, 
American Insurance Association 50.
    \26\ See, e.g., Comment, Experian 59 (6 months); 
Comment, TransUnion 44 (6 months); Comment, Equifax 
54 (6 months), Comment, American Financial Services 
Association 33 (6 months); Comment, American Insurance 
Association 50 (12 months); Consumer Bankers Association 
53 (12 months); Comment, CDIA 46 (6 months); 
Comment, National Automobile Dealers Association 52 (9 
months); Comment, Coalition to Implement the FACT Act 64 (6 
months).
---------------------------------------------------------------------------

    Finally, most commenters who addressed small business concerns 
stated that the proposed rule would not create any undue burden for 
small businesses. These commenters cited the proposed rule's flexible 
``reasonable methods'' standard, which would allow covered persons to 
minimize costs, and the fact that the proposed rule would not impose 
new record keeping requirements, as the major factors that would 
alleviate any burdens on small businesses.\27\
---------------------------------------------------------------------------

    \27\ See, e.g., Comment, National Automobile Dealers Association 
52; Comment, Mastercard 29; Comment, Consumer 
Bankers Association 53; Comment, Coalition to Implement the 
FACT Act 64.
---------------------------------------------------------------------------

III. Section-by-Section Analysis

Section 682.1: Definitions

    Section 682.1(a) provides that, unless otherwise stated, terms used 
in the Disposal Rule have the same meaning as set forth in the Fair 
Credit Reporting Act, 15 U.S.C. 1681 et seq. Thus, for example, the 
term ``consumer report'' as used in the Disposal Rule has the same 
meaning as the term ``consumer report'' elsewhere in the FCRA. See 15 
U.S.C. 1681a(d) (defining ``consumer report''). The Commission received 
no comments suggesting changes to this provision, and it is adopted as 
proposed.

Consumer Information

    The proposed rule defined ``consumer information'' as any record 
about an individual, whether in paper, electronic, or other form, that 
is a consumer report or is derived from a consumer report. The NPR 
stated that the phrase ``derived from consumer reports'' would cover 
all

[[Page 68692]]

of the information about a consumer that is derived from any consumer 
report(s), including information taken from a consumer report, 
information that results in whole or in part from manipulation of 
information taken from a consumer report, and information that has been 
combined with other types of information. Further, the NPR explained 
that because the definition of ``consumer information'' refers to 
records ``about an individual,'' information that does not identify 
particular consumers would not be covered under the rule. The 
Commission received a variety of comments requesting clarification or 
modification of this definition of consumer information.
    One consumer advocacy group requested that the definition include 
compilations of consumer information.\28\ Although the proposed rule 
already proposed to cover compilations of consumer information by 
referring to compilations in the scope and standard sections of the 
rule, the Commission agrees that it would be clearer to include 
compilations in the definition of consumer information itself. 
Therefore, it has modified the definition of consumer information to 
include compilations.
---------------------------------------------------------------------------

    \28\ Comment, Consumers Union 8.
---------------------------------------------------------------------------

    Commenters were uniformly supportive of the proposed rule's 
application only to information that identifies particular 
individuals,\29\ but many requested that the rule be more explicit on 
this point.\30\ In response to these comments, and in order to provide 
additional guidance and clarity, the Commission has added language to 
the rule emphasizing that information that does not identify 
individuals, such as aggregate information or blind data, is not 
covered by the definition of consumer information.\31\
---------------------------------------------------------------------------

    \29\ See, e.g., Comment, MBNA 19; Comment, Visa U.S.A. 
23; Comment, Equal Employment Advisory Council 26; 
Comment, TransUnion 44; Comment, Mastercard 29; 
Comment, Equifax 54; Comment, American Financial Services 
Association 33; Comment, Consumer Bankers Association 
53; Comment, CDIA 46; Comment, Bank of America 
51; Comment, Coalition to Implement the Fact Act 
64.
    \30\ See, e.g., Comment, MBNA 19; Comment, Visa U.S.A. 
23; Comment, TransUnion 44; Comment, Equifax 
54; Comment, American Financial Services Association 
33; Comment, CDIA 46; Comment, Bank of America 
51.
    \31\ The terms ``aggregate information'' and ``blind data'' as 
used in the rule are intended to have the same meaning as in Sec.  
313.3(o)(2)(ii)(B) of the Commission's GLBA Rule regarding the 
Privacy of Consumer Financial Information, 16 CFR part 313.
---------------------------------------------------------------------------

    Commenters also sought guidance on the kinds of information that 
would be considered to identify particular individuals.\32\ The 
Commission believes that there are a variety of personal identifiers 
beyond simply a person's name that would bring information within the 
scope of the rule, including, but not limited to, a social security 
number, driver's license number, phone number, physical address, and e-
mail address. The Commission has not included a rigid definition in the 
final rule, however, because, depending upon the circumstances, data 
elements that are not inherently identifying can, in combination, 
identify particular individuals.\33\
---------------------------------------------------------------------------

    \32\ See, e.g., Comment, Consumers Union 8; Comment, 
MBNA 19; Comment, Equifax 54; Comment, Senator 
Bill Nelson 55; Comment, Privacy Rights Clearinghouse 
39; Comment, Michigan Credit Union League 58.
    \33\ See Comment, Consumers Union 8; Comment, Privacy 
Rights Clearinghouse 39.
---------------------------------------------------------------------------

    A number of commenters also requested that certain categories of 
information be excluded from the definition of consumer information. 
These include credit header information,\34\ publicly available 
information,\35\ and ``non-sensitive'' information.\36\ Although credit 
header information, which includes name, address, and social security 
number, is not itself a consumer report, it is generally derived from a 
consumer report and, therefore, within the universe of information 
covered by section 216 of the FACT Act. Similarly, public record 
information is often part of consumer reports and therefore falls 
within the scope of information Congress intended to cover. With 
respect to ``non-sensitive'' information, the Commission notes that 
persons subject to the Disposal Rule may always consider the 
sensitivity of the consumer information at issue in determining what 
disposal measures are reasonable under the circumstances.
---------------------------------------------------------------------------

    \34\ See, e.g., Comment, Equifax 54.
    \35\ See, e.g., Comment, National Independent Automobile Dealers 
Association 53.
    \36\ See, e.g., Comment, America's Community Bankers 
24; Comment, Mastercard 29.
---------------------------------------------------------------------------

    Finally, some commenters suggested that recipients of information 
about consumers may not always know whether the information they 
receive was derived from a consumer report.\37\ They suggested, 
therefore, that the definition of ``consumer information'' be limited 
to information that a person knows to be derived from a consumer 
report.\38\
---------------------------------------------------------------------------

    \37\ See, e.g., Comment, Consumer Bankers Association 
53; Comment, Coalition to Implement the Fact Act 
64.
    \38\ See, e.g., Comment, Mastercard 29; Comment, 
American Financial Services Association 33; Comment, 
Consumer Bankers Association 53; Comment, Coalition to 
Implement the Fact Act 64.
---------------------------------------------------------------------------

    In response to these comments, the Commission notes that knowledge 
is not an element or a prerequisite to the duty to comply with either 
the FACT Act or the Disposal Rule. Nevertheless, the Commission also 
notes that in most, if not all, circumstances covered by the rule, 
covered entities will or should know if they possess consumer 
information. First, in most circumstances under the FCRA, a person who 
obtains a consumer report may use that information only for the 
specific permissible purpose for which it was obtained. In such 
circumstances, the person who possesses the information should clearly 
be aware that it is a consumer report.
    Second, when consumer information is transferred to a service 
provider or shared between affiliates following consumer notice and 
opportunity to opt-out,\39\ the Commission believes that, in light of 
the nature of the relationship and information sharing practices 
between such parties, service providers and affiliates generally will 
or should know when they have been provided with covered consumer 
information. Moreover, the Commission believes that, for persons 
subject to the rule, identifying consumer information when providing it 
to service providers or affiliates is one ``reasonable measure'' to 
ensure that the information will be disposed of properly in accordance 
with the rule.\40\ For these reasons, the Commission has not modified 
the definition as requested by the comments.
---------------------------------------------------------------------------

    \39\ See FCRA Sec.  603(d)(2)(A)(iii), 15 U.S.C. 
1681a(d)(2)(A)(iii).
    \40\ Example 3 of the final rule, which is discussed further 
below, illustrates this point as to service providers.
---------------------------------------------------------------------------

Disposal

    Proposed section 682.1(c) defined ``disposing'' or ``disposal'' to 
include the discarding or abandonment of consumer information, as well 
as the sale, donation, or transfer of any medium, including computer 
equipment, upon which consumer information is stored. The NPR noted 
that the sale, donation, or transfer of consumer information, by 
itself, would not be considered ``disposal'' under this definition.\41\
---------------------------------------------------------------------------

    \41\ A number of industry commenters requested an explicit 
statement to this effect in the rule. See, e.g., Comment, America's 
Community Bankers 24; Comment, TransUnion 44; 
Comment, Mastercard 29; Comment, Consumer Bankers 
Association 53; Comment, NAID 49; Comment, 
Coalition to Implement the Fact Act 64. The Commission has 
not added such a statement to the final Rule because of its clear 
statement in the NPR, which it reaffirms here, that the sale, 
donation, or transfer of consumer information, by itself, does not 
constitute ``disposal'' under the Rule's definition. Of course, the 
FCRA's restrictions on the sale and use of consumer information are 
still applicable even when such information is sold, donated, or 
transferred in a manner that would not amount to ``disposal'' under 
this Rule.

---------------------------------------------------------------------------

[[Page 68693]]

    Some commenters suggested that the definition should state what 
disposal ``means'' as opposed to what it ``includes.''\42\ The 
Commission agrees and has adopted this change in the final rule.
---------------------------------------------------------------------------

    \42\ See, e.g., Comment, TransUnion 44; Comment, 
Mastercard 29; Comment, Consumer Bankers Association 
53; Comment, Coalition to Implement the Fact Act 
64.
---------------------------------------------------------------------------

    One commenter also suggested that the definition of disposal as 
``the sale, donation, or transfer of any medium, including computer 
equipment, upon which consumer information is stored'' is not 
sufficiently broad with respect to the media and equipment covered.\43\ 
This commenter suggested adding language specifically including 
computer media and other non-paper media and equipment. The Commission 
believes that the definition of disposal as proposed, which includes 
``any medium * * * upon which consumer information is stored,'' is 
sufficiently broad to capture the materials of concern to the 
commenter.
---------------------------------------------------------------------------

    \43\ See Comment, Consumers' Union 8.
---------------------------------------------------------------------------

Section 682.2: Purpose and Scope

    Proposed section 682.2(a) set forth the purpose of the proposed 
Disposal Rule, which is to reduce the risk of consumer fraud and 
related harms, including identity theft, created by improper disposal 
of consumer information. The Commission received no comments suggesting 
changes to this provision, and it is adopted as proposed.
    Proposed section 682.2(b), which tracks the language of section 216 
of the FACT Act, sets forth the scope of the proposed Disposal Rule. 
The rule applies to ``any person over which the Federal Trade 
Commission has jurisdiction, that, for a business purpose, maintains or 
otherwise possesses consumer information, or any compilation of 
consumer information.'' The preamble to the proposed rule noted that 
the Commission reads ``for a business purpose'' broadly to include all 
business reasons for which a person may possess or maintain consumer 
information. As a result, the rule covers any person that possesses or 
maintains consumer information other than an individual consumer who 
has obtained his or her own consumer report or file disclosure.
    As noted in the preamble to the proposed rule, among the entities 
that possess or maintain consumer information for a business purpose 
are consumer reporting agencies, as well as lenders, insurers, 
employers, landlords, government agencies, mortgage brokers, automobile 
dealers, and other users of consumer reports. In fact, all of the 
permissible purposes listed in Sec.  604 of the FCRA would be 
considered business purposes under the rule.
    The Commission received a number of financial industry comments 
arguing that the Disposal Rule should not apply to financial 
institutions subject to the Gramm-Leach-Bliley Act and the Commission's 
implementing Safeguards Rule.\44\ These commenters' primary argument is 
that because the Safeguards Rule already covers information disposal, 
subjecting financial institutions to the Disposal Rule is unnecessary. 
Additionally, commenters expressed concern that attempting to comply 
with multiple standards would engender uncertainty and possibly higher 
costs among persons covered by both rules.
---------------------------------------------------------------------------

    \44\ See, e.g. Comment, Experian 59; Comment, 
TransUnion 44; Comment, Mastercard 29; Comment, 
Equifax 54.
---------------------------------------------------------------------------

    As the Commission stated in its Notice of Proposed Rulemaking, the 
coverage of the proposed Disposal Rule is different from that of the 
Commission's Safeguards Rule. In addition to covering a different (but 
overlapping) set of entities, the proposed Disposal Rule and the 
Safeguards Rule apply to different sets of information. Compare 16 CFR 
314.1(b) (describing scope of ``customer information'' covered by 
Safeguards Rule) with Proposed Disposal Rule Sec. Sec.  682.1(b) & 
682.2(b) (defining scope of ``consumer information'' subject to 
proposed Disposal Rule).\45\ As a result, the Commission believes that 
it is important to cover financial institutions under the Disposal Rule 
in order to ensure that the full range of information covered by 
section 216 of the FACT Act is properly protected in connection with 
its disposal. In addition, the plain language of section 216 of the 
FACT Act supports coverage of financial institutions.
---------------------------------------------------------------------------

    \45\ For example, a consumer who applies for a loan from a 
financial institution, but is rejected based on information in her 
credit report is not a ``customer'' of the financial institution 
under the GLBA and her credit report would therefore not be 
protected by the Safeguards Rule; however, her credit report would 
be ``consumer information'' under the Disposal Rule. Credit reports 
obtained about employees or prospective employees are also not 
``customer'' information covered under the GLBA, but would be 
``consumer information'' under the Disposal Rule.
---------------------------------------------------------------------------

    In response to the commenters' concerns about the potential burdens 
imposed on persons covered by both the Safeguards Rule and Disposal 
Rule, the Commission notes that the substantive requirements of both 
rules are consistent with respect to disposal. Although the Safeguards 
Rule focuses on comprehensive information security and the Disposal 
Rule more narrowly on disposal, both incorporate flexible, risk-based 
standards that require reasonable measures to protect against 
unauthorized access to or use of information. As a result, compliance 
with the standards of the Disposal Rule will constitute compliance with 
the disposal obligations under the Safeguards Rule. Thus, companies 
should easily be able to develop approaches that satisfy the 
requirements of both rules without undue burdens or costs.\46\ 
Accordingly, section 682.2(b) is adopted as proposed.
---------------------------------------------------------------------------

    \46\ Example 5 also illustrates that, for financial institutions 
subject to the Safeguards Rule, incorporation of the requirements of 
this rule into the information security program required by the 
Safeguards Rule constitutes compliance with this rule.
---------------------------------------------------------------------------

Section 682.3: Proper Disposal of Consumer Information

    Under the proposed rule, any person that maintains or otherwise 
possesses consumer information would be required to ``take reasonable 
measures to protect against unauthorized access to or use of the 
information in connection with its disposal.'' Recognizing that there 
are few foolproof methods of record destruction, the NPR stated that 
the proposed rule would not require covered persons to ensure perfect 
destruction of consumer information in every instance; rather, it 
requires covered entities to take reasonable measures to protect 
against unauthorized access to or use of the information in connection 
with its disposal. In determining what measures are ``reasonable'' 
under the rule, the Commission stated in the NPR that it expects that 
entities covered by the rule would consider the sensitivity of the 
consumer information, the nature and size of the entity's operations, 
the costs and benefits of different disposal methods, and relevant 
technological changes. The Commission also noted that ``reasonable 
measures'' are very likely to require elements such as the 
establishment of policies and procedures governing disposal, as well as 
appropriate employee training.
    The vast majority of commenters supported this flexible standard 
for disposal.\47\ Commenters noted that the

[[Page 68694]]

standard will allow covered persons to make decisions appropriate to 
their particular circumstances; \48\ minimize the costs of compliance, 
particularly for small businesses; \49\ and harmonize the Disposal Rule 
with the requirements of the Commission's Safeguards Rule.\50\ 
Accordingly, the basic standard for disposal has been adopted as 
proposed.
---------------------------------------------------------------------------

    \47\ See, e.g., Comment, National Association of Professional 
Background Screeners 7; Comment, MBNA 19; Comment, 
Experian 59; Comment, CUNA 22; Comment, Visa 
U.S.A. 23; Comment, Equal Employment Advisory Council 
26; Comment, TransUnion 44; Comment, National 
Independent Automobile Dealers Association 53; Comment, 
Mastercard 29; Comment, Equifax 31; Comment, 
Consumer Bankers Association 53; Comment, CDIA 46; 
Comment, NAID 49; Comment, Bank of America 51; 
Comment, National Automobile Dealers Association 52; 
Comment, SIIA 56; Comment, Michigan Credit Union League 
58; Comment, Coalition to Implement the FACT Act 
64.
    \48\ See, e.g., Comment, National Independent Automobile Dealers 
Association 53; Comment, Mastercard 29; Comment, 
Consumer Bankers Association 36; Comment, Coalition to 
Implement the FACT Act 64.
    \49\ See, e.g., Comment, Equal Employment Advisory Council 
26; Comment, Equifax 31.
    \50\ See, e.g., Comment, MBNA 19; Comment, Visa U.S.A. 
23; Comment, Coalition to Implement the FACT Act 
64.
---------------------------------------------------------------------------

    In order to provide additional clarity, the proposed rule also 
included examples intended to provide guidance on disposal measures 
that would be reasonable under the rule. Generally, commenters found 
the examples to be helpful. Although some commenters suggested treating 
the examples as minimum requirements,\51\ many commenters approved of 
the examples remaining as illustrative guidance only and, in fact, 
requested a more explicit statement to that effect in the rule 
itself.\52\ The Commission continues to believe that these examples 
should be illustrative only, not exhaustive, because they cannot take 
into account a particular entity's unique circumstances. In order to 
make this clear, the Commission has added language to the rule stating 
explicitly that ``These examples are illustrative only and are not 
exclusive or exhaustive methods for complying with this rule.''
---------------------------------------------------------------------------

    \51\ See, e.g., Comment, Consumers Union 8; Comment, 
NAID 49; Comment, Privacy Rights Clearinghouse 39.
    \52\ See, e.g., Comment, CUNA 22; Comment, Mastercard 
29; Comment, Countrywide Home Loans 43; Comment, 
Michigan Credit Union League 58.
---------------------------------------------------------------------------

    Finally, commenters expressed concern that the final example, which 
addresses what would be ``reasonable measures'' for a disposal service 
provider or traditional garbage collector, is confusing with respect to 
the obligations of both service providers and the record owners who 
transfer consumer information to them.\53\ In particular, commenters 
representing the records management and disposal industries pointed out 
that service providers are frequently not in a position to make 
independent determinations as to whether information they possess is, 
or was derived from, a consumer report.\54\ In addition, these 
commenters argued that imposing direct liability for disposal on a 
service provider may allow, and even create incentives for, record 
owners to ``dump'' covered materials on service providers without 
paying for the proper destruction required by the rule.\55\ These 
commenters suggest that service providers should be liable for 
violations of the rule only if the service provider (1) has been 
notified that the information it possesses is consumer information as 
defined in the rule; and (2) has entered into a written contract to 
dispose of such information in accordance with this rule.\56\
---------------------------------------------------------------------------

    \53\ See, e.g., Comment, CDIA 46; Comment, Equifax 
54; Comment, NAID 49.
    \54\ Comment, PRISM International 21; Comment, NAID 
49.
    \55\ Comment, PRISM International 21; Comment, NAID 
49.
    \56\ Comment, PRISM International 21; Comment, NAID 
49.
---------------------------------------------------------------------------

    The Commission has addressed these commenters' concerns by revising 
the rule's examples to clarify what the ``reasonable measures'' 
standard requires when information is transferred or otherwise provided 
to service providers. First, the Commission has deleted the ``garbage 
collector'' example that caused some confusion. Second, the Commission 
has revised Example 3 so that it explicitly contemplates that a record 
owner would tell a service provider when it is providing the service 
provider with consumer information.\57\ Thus, as revised, Example 3 
illustrates that, if a record owner transfers or otherwise provides 
consumer information to a service provider, the ``reasonable measures'' 
standard will generally require a record owner to take reasonable steps 
to select and retain a service provider that is capable of properly 
disposing of the consumer information at issue; notify the service 
provider that such information is consumer information; and enter into 
a contract that requires the service provider to dispose of such 
information in accordance with this rule. This example clarifies record 
owners' responsibilities with respect to service providers while also 
ensuring that service providers have the information required, and make 
the arrangements needed, to fulfill their responsibilities under the 
rule. The Commission also notes that Example 3 harmonizes this aspect 
of the Disposal Rule with the Commission's GLBA Safeguards Rule which 
contains analogous requirements.
---------------------------------------------------------------------------

    \57\ Although the example involves a disposal service provider, 
the measures it contemplates would also generally be reasonable with 
respect to other types of services providers.
---------------------------------------------------------------------------

    Under the final rule, service providers continue to be covered, 
and, therefore, along with the record owner, bear responsibility for 
proper disposal of consumer information that they maintain or otherwise 
possess. In evaluating a service provider's compliance with this rule, 
however, a record owner's failure to provide notice or contract for 
disposal in accordance with the requirements of the rule will be 
strongly considered. Other factors relevant to a service provider's 
liability and the ``reasonableness'' of its action include actual or 
constructive knowledge of the nature of the consumer information, the 
course of dealing between the service provider and record owner, and, 
consistent with the rule's overall ``reasonableness'' standard, the 
sensitivity of the consumer information, the nature and size of the 
service provider's operations, and the costs and benefits of different 
disposal methods.
    The Commission also received a number of comments concerning the 
relationship between the Disposal Rule and Safeguards Rule. Many of 
these commenters requested an explicit statement in the rule that, for 
financial institutions subject to the Safeguards Rule, incorporation of 
the requirements of this rule into the information security program 
required by the Safeguards Rule constitutes compliance with this 
rule.\58\ The Commission has added an Example 5 to illustrate this 
point.
---------------------------------------------------------------------------

    \58\ See, e.g., Comment, MBNA 19; Comment, America's 
Community Bankers 24; Comment, American Financial Services 
Association 33; Comment, Bank of America 51.
---------------------------------------------------------------------------

    Lastly, one commenter expressed concern that the phrase ``in 
connection with its disposal'' could be read to require reasonable 
measures to protect against unauthorized access or use of consumer 
information during the disposal process, but not following it.\59\ The 
Commission intends the phrase ``in connection with its disposal'' to 
mean both during and after the disposal process.
---------------------------------------------------------------------------

    \59\ Comment, Consumers Union 8.
---------------------------------------------------------------------------

Section 682.4: Relation to Other Laws

    Proposed section 682.4(a) made clear that nothing in the rule is 
intended to create a requirement that a person maintain or destroy any 
record pertaining to a consumer. The proposed rule also stated that the 
rule is not intended to affect any requirement imposed under any other 
provision of law to maintain or destroy such records. The Commission 
received no comments

[[Page 68695]]

suggesting changes to this provision, and it is adopted as proposed.

Section 682.5: Effective Date

    The Commission initially proposed to make the Disposal Rule 
effective 3 months after the publication of the final rule. Although 
some commenters supported a 3-month effective date,\60\ the majority of 
commenters requested a longer effective date in order to allow covered 
entities to develop and implement appropriate disposal procedures or to 
research and contract with service providers.\61\ These commenters 
suggested time periods ranging from 6 to 12 months after the 
publication of the final rule. After considering the comments and 
balancing the need for protections against the need to allow covered 
entities sufficient time to come into compliance, the Commission has 
extended the effective date to be 6 months after publication of the 
final rule.
---------------------------------------------------------------------------

    \60\ See, e.g., Comment, CUNA 22.
    \61\ See, e.g., Comment, Experian 59; Comment, 
TransUnion 44; Comment, National Independent Automobile 
Dealers Association 53; Comment, Equifax 54; 
Comment, American Financial Services Association 33; 
Comment, American Insurance Association 50; Consumer 
Bankers Association 53; Comment, CDIA 46; Comment, 
National Automobile Dealers Association 52; Comment, 
Coalition to Implement the FACT Act 64.
---------------------------------------------------------------------------

IV. Final Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612, 
requires that the Commission provide an Initial Regulatory Flexibility 
Analysis (``IRFA'') with a proposed rule and a Final Regulatory 
Flexibility Analysis (``FRFA''), with the final rule, unless the 
Commission certifies that the Rule will not have a significant economic 
impact on a substantial number of small business entities. For the 
majority of entities subject to the rule, a small business entity is 
defined by the Small Business Administration as one whose average 
annual receipts do not exceed $6 million or that has fewer than 500 
employees.\62\
---------------------------------------------------------------------------

    \62\ 5 U.S.C. 603-605. These numbers represent the size 
standards for most retail and service industries ($6 million total 
receipts) and manufacturing industries (500 employees). A list of 
the SBA's size standards for all industries can be found at http://www.sba.gov/size/summary-whatis.html.
---------------------------------------------------------------------------

    The Commission hereby certifies that the final rule will not have a 
significant economic impact on a substantial number of small business 
entities. The rule applies to ``any person that, for a business 
purpose, maintains or otherwise possesses consumer information, or any 
compilation of consumer information.'' As discussed in the NPR and in 
the supplemental IRFA, any company, regardless of industry or size, 
that possesses or maintains consumer information for a business purpose 
would be subject to the rule. Therefore, small entities across almost 
every industry could potentially be subject to the rule. However, as 
discussed in more detail below, many small entities subject to the rule 
are already subject to the GLBA Safeguards Rule,\63\ which contains 
requirements similar to those in the rule. As a result, the marginal 
cost of compliance with the Disposal Rule for these businesses is 
likely to be minimal.
---------------------------------------------------------------------------

    \63\ 16 CFR part 314.
---------------------------------------------------------------------------

    The Commission is unaware of any data concerning the frequency with 
which other small businesses obtain consumer reports. As a result, it 
is not possible to determine precisely how often small businesses would 
be required to undertake compliance efforts. In the July 8, 2004, 
supplemental IRFA, 69 FR 41219, the Commission asked several questions 
related to the existence, number, and nature of small business entities 
covered by the proposed rule, as well as the economic impact of the 
proposed rule on such entities. The Commission received five comments 
in response to its supplemental IRFA,\64\ three of which addressed the 
small business issues raised. These comments, which are discussed in 
more detail below, were generally supportive of the rule as it applies 
to small businesses.\65\
---------------------------------------------------------------------------

    \64\ Supplemental Comments were received from the NAID, the 
National Association of Realtors (NAR), the American Bankers' 
Association, ACRAnet, and an individual commenter.
    \65\ See, e.g., Supp. Comment, NAID 6; Supp. Comment, 
Ms. Lisa Beavers 2; Supp. Comment, NAR 3.
---------------------------------------------------------------------------

    The Commission continues to believe that a precise estimate of the 
number of small entities that fall under the rule is not currently 
feasible. However, based on the comments received and the Commission's 
own experience and knowledge of industry practices, the Commission also 
continues to believe that the cost and burden to small business 
entities complying with the rule is minimal and that the final rule 
will not have a significant impact on a substantial number of small 
entities. This document serves as notice to the Small Business 
Administration of the Commission's certification of no effect. 
Nonetheless, the Commission has decided to publish a Final Regulatory 
Flexibility Analysis with this final Rule. Therefore, the Commission 
has prepared the following analysis:

A. Need for and Objectives of the Rule

    Section 216 of the FACT Act requires the Commission to issue 
regulations regarding the proper disposal of consumer information in 
order to prevent sensitive financial and personal information from 
falling into the hands of identity thieves or others who might use the 
information to victimize consumers. In this action, the Commission 
promulgates a final rule to fulfill the statutory mandate. The rule is 
authorized by and based upon section 216 of the FACT Act.

B. Significant Issues Raised by Public Comments.

    On July 8, 2004, the Commission published a supplemental initial 
regulatory flexibility analysis for notice of proposed rulemaking, 69 
FR 41219, in which the Commission asked several questions related to 
the existence, number, and nature of small business entities covered by 
the proposed rule, as well as the economic impact of the proposed rule 
on such entities. The Commission received five comments in response to 
its supplemental IRFA,\66\ three of which addressed the small business 
issues raised.\67\ These commenters all agreed that the rule should 
apply to small businesses. One commenter praised the proposed rule's 
reasonableness standard as ``provid[ing] ample flexibility for all 
covered entities, large and small.''\68\ Another commenter cited the 
low cost of compliance.\69\
---------------------------------------------------------------------------

    \66\ The NAID, the NAR, the American Bankers' Association, and 
two individual commenters.
    \67\ The other two comments raised issues already considered 
with respect to the rule generally.
    \68\ Supp. Comment, NAID 6.
    \69\ Supp. Comment, Beavers 2.
---------------------------------------------------------------------------

    The Commission also received comments in response to the initial 
NPR that addressed small business concerns. These comments were also 
generally supportive of the proposed rule as it would apply to small 
businesses. Many commenters supported the purpose for promulgating the 
rule, and cited both the rule's flexible standard and the low costs of 
shredders and disposal services as evidence that the compliance costs 
to small businesses will be low.\70\
---------------------------------------------------------------------------

    \70\ Comment, Virginia Credit Union, Inc. 10; Comment, 
IndyShred 15; Comment, NAR 60; Comment, AccuShred, 
LLC 45.
---------------------------------------------------------------------------

C. Small Entities to Which the Rule Will Apply

    The Disposal Rule, which tracks the language of section 216 of the 
FACT Act, applies to ``any person that, for a business purpose, 
maintains or otherwise possesses consumer information, or any 
compilation of consumer information.'' The entities

[[Page 68696]]

covered by the rule would include consumer reporting agencies, 
resellers of consumer reports, lenders, insurers, employers, landlords, 
government agencies, mortgage brokers, automobile dealers, waste 
disposal companies, and any other business that possesses or maintains 
consumer information. As explained in the NPR and supplemental IRFA, 
any company, regardless of industry or size, that possesses or 
maintains consumer information for a business purpose will be subject 
to the rule. Therefore, numerous small entities across almost every 
industry could potentially be subject to the rule.
    Although it is impossible to identify every industry that may 
possess or maintain consumer information \71\ for business purposes, 
the Commission anticipates that, at a minimum, the small entities 
within the finance and insurance industries are likely to be subject to 
the rule. According to the Small Business Administration, there are 
approximately 231,000 small businesses within these industries.\72\ 
Generally, these entities are already subject to the GLBA's Safeguards 
Rule, which contains requirements similar to those in the rule. As a 
result, as discussed further below, the marginal cost of compliance 
with the Disposal Rule for these businesses is likely to be minimal.
---------------------------------------------------------------------------

    \71\ ``Consumer Information'' is defined in the proposed rule as 
any ``record about an individual, whether in paper, electronic, or 
other form, that is a consumer report or is derived from a consumer 
report.''
    \72\ This number represents 2001 totals as reported by the SBA. 
See http://www.sba.gov/advo/stats/.
---------------------------------------------------------------------------

    In addition, any business, regardless of industry, that obtains a 
consumer report, or information derived from a consumer report, will be 
subject to the rule. Among businesses that might fall into this 
category are landlords, utility companies, telecommunications 
companies, and any business that obtains consumer reports for 
employment screening purposes. The Commission is unaware of any data 
concerning the frequency with which small businesses such as these 
obtain consumer reports. As a result, it is not possible to determine 
precisely how many small businesses outside the finance and insurance 
industries will be subject to the rule, or how often these entities 
will be required to undertake compliance efforts.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

    The final Disposal Rule does not impose any specific reporting, 
recordkeeping, or disclosure requirements within the meaning of the 
Paperwork Reduction Act. The rule requires covered entities, when 
disposing of consumer information, to take reasonable measures to 
protect against unauthorized access to or use of the information in 
connection with its disposal. What is considered ``reasonable'' will 
vary according to an entity's nature and size, the costs and benefits 
of available disposal methods, and the sensitivity of the information 
involved. In formulating the rule, the Commission considered 
alternatives to this approach, and determined that the flexibility 
afforded by the rule reduces the burden that might otherwise be imposed 
on small entities by a more rigid, prescriptive rule.
    As noted above, entities already subject to the Commission's 
Safeguards Rule should incur few, if any, additional compliance costs. 
Among other things, the Safeguards Rule already requires covered 
entities to develop and implement policies that require the proper 
disposal of ``customer information'' (as defined in the GLBA), as well 
as employee training programs and mechanisms to update its information 
security program on a periodic basis. In light of these existing 
measures, modifying policies to address the disposal of ``consumer 
information'' (as defined in the rule), and training employees on these 
changes, should be possible at little or no cost. In fact, because the 
definitions of ``consumer information'' and ``customer information'' 
overlap, many entities may already be in substantial compliance with 
the rule's requirements.
    For small businesses not already subject to the GLBA Safeguards 
Rule, compliance costs may be greater. Because the rule does not 
mandate specific disposal measures, a precise estimate of compliance 
costs is not feasible. However, there are certain basic steps that are 
likely to be appropriate for many small entities. For example, 
shredding or burning paper records containing consumer information will 
generally be appropriate. Depending upon the volume of records at issue 
and the office equipment available to the small entity, this method of 
disposal may be accomplished by the small entity itself at no cost, may 
require the purchase of a paper shredder (available at office supply 
stores for as little as $25), or may require the hiring of a document 
disposal service on a periodic basis (the costs of which will vary 
based on the volume of material, frequency of service, and geographic 
location).
    If a small entity has stored consumer information on electronic 
media (for example, computer discs or hard drives), disposal of such 
media could be accomplished by a small entity at almost no cost by 
simply smashing the material with a hammer. In some cases, appropriate 
disposal of electronic media might also be accomplished by overwriting 
or ``wiping'' the data prior to disposal. Utilities to accomplish such 
wiping are widely available for under $25; indeed, some such tools are 
available for download on the Internet at no cost. Whether ``wiping,'' 
as opposed to destruction, of electronic media is reasonable, as well 
as the adequacy of particular utilities to accomplish that ``wiping,'' 
will depend upon the circumstances.
    The Commission did not receive any information on the amount of 
employee time, measured in labor hours or costs, that might be incurred 
by compliance with the Disposal Rule. The Commission believes that all 
businesses, regardless of size, will need to educate and train their 
employees on proper disposal. The actual amount of time it will take to 
ensure that consumer report information is properly disposed will vary, 
depending on a variety of circumstances, including the amount and 
nature of covered records. However, the Commission believes many 
businesses may already be following industry best practices, which may 
include disposing of documents through shredders, using waste disposal 
companies, or other confidential disposal methods; and continuing to do 
so would not impose additional costs on such businesses.
    As the above discussion illustrates, although it is not possible to 
estimate small businesses' compliance costs precisely, such costs are 
likely to be quite modest for most small entities.

E. Steps Taken To Minimize Significant Economic Impact of the Rule on 
Small Entities

    The Commission considered whether to exempt any persons or classes 
of persons from the rule's application pursuant to section 216(a)(3) of 
the FACT Act. The FTC asked for comment on this issue, as well as any 
significant alternatives, consistent with the purposes of the FACT Act, 
that could further minimize the rule's impact on small entities. The 
Commission received no information or suggestions in response to this 
request; rather, commenters specifically voiced support for application 
of the rule to small businesses.\73\
---------------------------------------------------------------------------

    \73\ See Supp. Comment, NAID 6; Supp. Comment, Ms. Lisa 
Beavers 2; Supp. Comment, NAR 3.

---------------------------------------------------------------------------

[[Page 68697]]

    The Commission also requested comment on the need to adopt a 
delayed effective date for small entities in order to provide them with 
additional time to come into compliance. The Commission received no 
comments on this issue; however, the Commission has decided to extend 
the effective date for all entities subject to the rule, from 3 months 
to 6 months following publication of this rule. This additional time 
will allow small entities to carefully assess their compliance 
obligations and make cost-sensitive decisions concerning how to best 
comply with the rule.

V. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995, 44 U.S.C. 
3506 (PRA), the Commission reviewed the proposed and final rules. The 
rule explicitly provides that it is not intended ``(1) to require a 
person to maintain or destroy any record pertaining to a consumer that 
is not imposed under any other law; or (2) to alter or affect any 
requirement imposed under any other provision of law to maintain or 
destroy such a record.'' As such, the rule does not impose any 
recordkeeping requirement or otherwise constitute a ``collection of 
information'' as it is defined in the regulations implementing the PRA. 
See 5 CFR 1320.3(c).

VI. Final Rule

List of Subjects in 16 CFR Part 682

    Consumer reports, Consumer reporting agencies, Credit, Fair Credit 
Reporting Act, Trade practices.

0
Accordingly, for the reasons stated in the preamble, the Federal Trade 
Commission amends 16 CFR chapter I, to add new part 682 as follows:

PART 682--DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS

Sec.
682.1 Definitions.
682.2 Purpose and scope.
682.3 Proper disposal of consumer information.
682.4 Relation to other laws.
682.5 Effective date.

    Authority: Pub. L. 108-159, sec. 216.


Sec.  682.1  Definitions.

    (a) In general. Except as modified by this part or unless the 
context otherwise requires, the terms used in this part have the same 
meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 
et seq.
    (b) ``Consumer information'' means any record about an individual, 
whether in paper, electronic, or other form, that is a consumer report 
or is derived from a consumer report. Consumer information also means a 
compilation of such records. Consumer information does not include 
information that does not identify individuals, such as aggregate 
information or blind data.
    (c) ``Dispose,'' ``disposing,'' or ``disposal'' means:
    (1) The discarding or abandonment of consumer information, or
    (2) The sale, donation, or transfer of any medium, including 
computer equipment, upon which consumer information is stored.


Sec.  682.2  Purpose and scope.

    (a) Purpose. This part (``rule'') implements section 216 of the 
Fair and Accurate Credit Transactions Act of 2003, which is designed to 
reduce the risk of consumer fraud and related harms, including identity 
theft, created by improper disposal of consumer information.
    (b) Scope. This rule applies to any person over which the Federal 
Trade Commission has jurisdiction, that, for a business purpose, 
maintains or otherwise possesses consumer information.


Sec.  682.3  Proper disposal of consumer information.

    (a) Standard. Any person who maintains or otherwise possesses 
consumer information for a business purpose must properly dispose of 
such information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.
    (b) Examples. Reasonable measures to protect against unauthorized 
access to or use of consumer information in connection with its 
disposal include the following examples. These examples are 
illustrative only and are not exclusive or exhaustive methods for 
complying with the rule in this part.
    (1) Implementing and monitoring compliance with policies and 
procedures that require the burning, pulverizing, or shredding of 
papers containing consumer information so that the information cannot 
practicably be read or reconstructed.
    (2) Implementing and monitoring compliance with policies and 
procedures that require the destruction or erasure of electronic media 
containing consumer information so that the information cannot 
practicably be read or reconstructed.
    (3) After due diligence, entering into and monitoring compliance 
with a contract with another party engaged in the business of record 
destruction to dispose of material, specifically identified as consumer 
information, in a manner consistent with this rule. In this context, 
due diligence could include reviewing an independent audit of the 
disposal company's operations and/or its compliance with this rule, 
obtaining information about the disposal company from several 
references or other reliable sources, requiring that the disposal 
company be certified by a recognized trade association or similar third 
party, reviewing and evaluating the disposal company's information 
security policies or procedures, or taking other appropriate measures 
to determine the competency and integrity of the potential disposal 
company.
    (4) For persons or entities who maintain or otherwise possess 
consumer information through their provision of services directly to a 
person subject to this part, implementing and monitoring compliance 
with policies and procedures that protect against unauthorized or 
unintentional disposal of consumer information, and disposing of such 
information in accordance with examples (b)(1) and (2) of this section.
    (5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 
6081 et seq., and the Federal Trade Commission's Standards for 
Safeguarding Customer Information, 16 CFR part 314 (``Safeguards 
Rule''), incorporating the proper disposal of consumer information as 
required by this rule into the information security program required by 
the Safeguards Rule.


Sec.  682.4  Relation to other laws.

    Nothing in the rule in this part shall be construed:
    (a) To require a person to maintain or destroy any record 
pertaining to a consumer that is not imposed under other law; or
    (b) To alter or affect any requirement imposed under any other 
provision of law to maintain or destroy such a record.


Sec.  682.5  Effective date.

    The rule in this part is effective on June 1, 2005.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 04-25937 Filed 11-23-04; 8:45 am]
BILLING CODE 6250-01-P