In 2004, nearly 70% of all identity thefts occurred offline*. The reason? Lack of proper information disposal and inadequate document shredding programs within organizations.
To address the responsibility of businesses to better police their procedures for destroying personal information, the federal government enacted the Disposal Rule. Effective June 1, 2005, the Disposal Rule states that “any person who maintains or otherwise possesses consumer information for a business purpose” is required to properly dispose of the information, whether in electronic or paper form, by “taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
This broad regulation applies to all U.S. businesses - regardless of size or industry - that possess consumer information. It gives examples of acceptable disposal methods, and a company that fails to comply is exposed to federal enforcement. Businesses are therefore compelled to assess the effectiveness of their information disposal procedures against the federal requirement. Ignoring the law, or complying with it only in part, exposes you and your company to serious risk.
Irreparable damage to your corporate reputation
For most companies, this is by far the greatest liability. If charged with non-compliance, your company could risk:
- Loss of investor confidence and shareholder value
- Loss of revenue, market share and customers
Other costs of non-compliance:
- Significant fines
- Expensive litigation that drains capital, time and productivity
Does your company have an information destruction policy in place that meets the Disposal Rule requirements? Are you taking the steps necessary to reach federal compliance quickly? If not, you may be exposing your customers, your company and your employees to substantial liability.
How Can Your Company Become FACTA Compliant?
Disposal Rule compliance demands the design and implementation of new, stricter policies that govern how consumer information flows through your organization, from the moment it is created to its final, non-recoverable form. How does the information get created? How does it move within your organization? How does it leave your site? How does it get destroyed?
The compliance solution you select must ensure that security principles are applied throughout every phase of the information's life cycle; one weak link can jeopardize the whole program. Steps you must take include:
- Create or modify existing policies regarding the disposal of consumer information.
- Identify any new procedures, training and involvement of necessary personnel.
- Select, after due diligence, an appropriate information management partner if one is needed.
- Establish service agreements with that partner that specify regular monitoring of its procedures to ensure ongoing compliance.
- Educate and train employees.
- Audit the process to identify and address “weak links” or performance gaps.
Companies already governed by industry-specific legislation, such as HIPAA and the Gramm-Leach-Bliley Act, cannot become complacent. They too must review their internal policies and procedures to confirm that disposal practices meet the Disposal Rule.
How Do You Build a Compliant Program?
Today's challenge is to develop a defensible program that clearly shows the "reasonable measures" a company has taken, and that lets the company demonstrate compliance. Keys to creating this type of successful program include:
- Reasonable Measures. The Disposal Rule does not define "reasonable measures," although it furnishes examples of what qualifies: burning, pulverizing or shredding paper records; destroying or erasing electronic media so that the information cannot practicably be read or reconstructed; and, after due diligence, contracting with a record destruction business and monitoring its compliance with the contract. Until the FTC expands upon the definition, companies have an ongoing duty to protect all consumer information during the disposal process. Other laws and regulations set requirements for the security of personal information prior to disposal in many industries.
- Consistent disposal practices and procedures company-wide that establish a standardized approach to compliance.
- Management accountability: maintaining an unbroken chain of custody from the moment the information is created until its disposal. Remember, one weak link can jeopardize your entire program.
- Employee adoption. Employees should understand how to comply and should have the knowledge to make decisions in the best interest of your company.
- An efficient and cost-effective program. Information should be stored and disposed of with consideration for your company's workflow, workforce and workplace environment.
- Minimal organizational impact. Implementation of compliance policies should be transparent and non-disruptive.
- An ability to measure the success of your compliance program. This allows failure points to be corrected and the program to be adjusted as work patterns, the workforce and the law change.
Depending on the nature and size of your company, the sensitivity of the information held and the costs and benefits of different disposal methods, your FACTA Disposal Rule compliance solution could be as simple as instituting a few basic in-house procedures. For most companies, however, a more secure alternative - and one the FTC's own examples recognize, provided it is preceded by due diligence and followed by ongoing monitoring - is to contract with a reputable information management and destruction partner.
*Javelin Strategy & Research, Copyright 2004, Pleasanton, CA