The FCRA amendment also requires that any person who maintains or possesses consumer information must be prepared to dispose of those records in a way that ensures that the information will not be accessed or used improperly. 16 C.F.R. § 682.3(a). This requirement is intended to protect consumer privacy and to prevent identity theft. It addresses only the disposal of consumer information, not all employment information. It also does not address retention schedules or how records should be kept or maintained.
Consumer information is covered if it is in paper, electronic or other forms. If a city acquires consumer information, the city must take “reasonable measures to protect against unauthorized access to or use of the information” (16 C.F.R. § 682.3(b)), when the city disposes of it. Disposal under the act means “the discarding or abandonment of consumer information or the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored”. 16 C.F.R. § 682.1(c). Reasonable measures for disposing of consumer report information, as suggested by the act (16 C.F.R. § 682.3(b)(1-3)), could include establishing and complying with policies to:
- Burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed
- Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed
- Conduct due diligence, and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the rule
Under the act (16 C.F.R. § 682.3(b)(3)), “due diligence” includes:
- Reviewing an independent audit of a disposal company’s operations and/or its compliance with the rule
- Obtaining information about the disposal company from several references
- Requiring that the disposal company be certified by a recognized trade association
- Reviewing and evaluating the disposal company’s security policies or procedures
The rules further define “dispose,” “disposing” and “disposal” to mean the discarding or abandonment of the consumer information or the sale, donation or transfer of any medium (such as computer equipment) that stores the information. 16 C.F.R. § 682.1(c). Legal consequences exist for employers who fail to get an applicant’s permission before requesting a consumer report or who fail to provide pre-adverse action disclosures and adverse action notices to unsuccessful job applicants. The FCRA allows individuals to sue employers for damages in federal court. A person who successfully sues is entitled to recover court costs and reasonable legal fees (15 U.S.C. §§ 616) and (15 U.S.C. §§ 617). The law also allows individuals to seek punitive damages for deliberate violations. In addition, the Federal Trade Commission (FTC), other federal agencies, and he states may sue employers for non-compliance and obtain civil penalties. 15 U.S.C. §§ 621(a),15 U.S.C. §§ 621(b) and 15 U.S.C. §§ 621(c).
NOTE: The Fair Credit Reporting Act has been amended to establish "Red Flag and Identity Theft" provisions 15 U.S.C. § 605A and 15 U.S.C. § 605B.