August 11, 2020

Before getting into the specifics of record disposal, it is important to first understand what constitutes an employment record.

Consumer Report
A consumer report is any information which comes from a consumer report agency, including credit reports, credit cores, and background checks.  This information is governed by the Fair Credit Reporting Act. 15 U.S. Code section 1681a(d)(1) defines a consumer report as:

any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 1681b of this title.

Disposal Rule
An employer with information from a consumer report must ensure that the information is properly disposed of, by taking reasonable measures.  [Title 16, part 682.3(a)]

In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, the Federal Trade Commissions began enforcing the Disposal Rule as of June 2005.  Businesses are now liable to employees for failure to protect their personal information from unauthorized access.

To whom does the Disposal Rule apply?
The Disposal Rule affects any business or individual who uses, maintains, or otherwise possesses consumer information for a business purpose, such as evaluating an individual for employment, promotion, reassignment, or retention as an employee.

What information is covered by the Disposal Rule?
The Disposal Rule applies to consumer reports or information derived from consumer reports.  A consumer report includes any information provided by a consumer reporting agency bearing on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.  The rule does not apply to records that do not identify individuals, such as aggregate information or blind data.

What are proper disposal measures?
The Disposal Rule requires that businesses take steps that are reasonable and appropriate to prevent unauthorized access to sensitive information.  The standard for proper disposal of consumer information is a flexible one, which takes into account the sensitivity of the information, nature and size of the company, costs and benefits of different disposal methods, and changes in technology.  The Federal Trade Commission finds burning, pulverizing, and shredding to be considered reasonable measures.  [https://www.shrednations.com/2019/05/what-is-facta-disposal-rule (August 3, 2020).]

When can you dispose?
While the disposal rule does not have a specific time frame, the guidelines set out by the Equal Employment Opportunity Commission (“EEOC”) regarding personnel and employment records.  The EEOC Regulations require that the employer retain all personnel and employment records for a minimum of one year . [https://www.eeoc.gov/employers/recordkeeping-requirements (August 5, 2020).]

Penalties
A violation comes with a hefty fine.  Penalties can range from actual damages, to statutory damages of up to $1,000 per customer.  If a class action were to be filed, damage claims could easily become millions of dollars, and include punitive damages. Each violation brings with it a federal penalty of $2,500 and a state penalty of up to $1,000.  [https://www.shrednations.com/2019/05/what-is-facta-disposal-rule (August 3, 2020).]

Protecting Your Company
There are several ways to protect your company from committing a violation of the disposal rule.  An employer should establish security policies and procedures for the maintenance and destruction of sensitive information and monitor compliance.  This can include mobile shredding, off-site shredding, drop-off shredding, and hard drive shredding.

In addition, an employer should educate and train employees regularly on security policies and proper disposal procedures.  This includes destroying unneeded reports when you no longer have a legitimate business reason for keeping them.  Also, an employer should establish a purge date for every file and destroy the reports routinely.

Need more information?
ESKRIDGE LAW may be contacted by phone (310/303-3951), by fax (310/303-3952) or by email (geskridge@eskridgelaw.net).  Please visit our website at eskridge.hv-dev.com.

This article is based on the law as of the date posted at the top of the article.  This article does not constitute the provision of legal advice, and does not by itself create an attorney-client relationship with Eskridge Law.