Shredders Become Essential Office Equipment

As part of the battle against the growing problem of identity theft, the Federal Trade Commission (FTC) imposed a new rule regarding the proper disposal of confidential consumer information. The rule, which went into effect June 1, requires covered entities to take "reasonable measures" to keep "consumer information" out of the hands of those who are not authorized to see or use it. The law includes consumer information (or a compilation) in paper, electronic or other forms, but only if it is a consumer report or derived from a consumer report, as those terms are defined by the Fair Credit Reporting Act (FCRA).

The new regulation addresses the destruction of consumer information obtained about current employees, former employees, job applicants, customers and vendors through credit checks, background checks, or other business investigations, but only if the information is in the form of a consumer report or is derived from a consumer report. All information covered by the regulation must be disposed of in a way that reduces the chance it will be stolen by an identity thief.

The rule is a result of the Fair and Accurate Credit Transactions (FACT) Act that was signed into law December 2003 as part of the battle against the growing crimes of consumer fraud and identity theft. According to the FTC, in 2003, identity theft translated into nearly $48 billion in losses to businesses, nearly $5 billion in losses to individual victims and almost 300 million hours spent by victims trying to resolve the problem.

When it comes time to purge your employees' personnel files, you will want to ensure that your organization complies with the new regulations if it conducts credit checks, background checks or maintains any type of consumer report on employees.

The intent of this new regulation is to protect employees, applicants, prospective and former employees from the potential for identity theft resulting from consumer report information the employer may have obtained and stored.

The regulations do not mandate specific procedures, such as shredding, for discarding the information, but the FTC does offer the following suggestions for employers and others covered by the requirements of the FACT Act:

What is 'proper' disposal?

The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to - or use of - information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

1. Burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
2. Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
3. Conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the new rule. Due diligence could include:
   a. reviewing an independent audit of a disposal company's operations and/or its compliance with the rule;
   b. obtaining information about the disposal company from several references;
   c. requiring that the disposal company be certified by a recognized trade association;
   d. reviewing and evaluating the disposal company's information security policies or procedures.

Employers who do not comply with these regulations, and whose employees or job applicants ultimately are victimized by identity theft as a result, could face lawsuits seeking to enforce the remedies authorized by the FCRA. In the case of negligent violations, FCRA remedies are limited to actual damages and an award of attorney's fees and costs. Willful violators may be subject to statutory damages of up to $1,000 per violation or to an award of actual damages, whichever is greater, and may be required to pay a prevailing plaintiff's attorney's fees and costs.

Given the growing sensitivity to employee privacy issues and identity theft problems, all employers should review their records retention and destruction practices and create a "best practices" policy for retaining and disposing of necessary and unnecessary personnel-related documentation. As a general rule, employers should securely retain documents for a minimum of the longest period for which there is an applicable statute of limitations (generally three years), as well as for any period of ongoing litigation. While shredders now have become nearly as common as photocopiers in business operations, employers should carefully plan their security strategy for the proper storage and timely disposal of human resource information.

HR-OneSource's advice to clients is to act now to develop broad and clear policies regarding access to, lawful storage of and physical protection of all human resource-related documents, both electronic and paper, to establish a clear line of authority regarding custody of such documents, and to train all staff on the subject.

Contact Clint Davis, SPHR, at HR-One Source for assistance in the following areas:

- Developing a records disposal policy
- Record keeping training
- Locating a reputable vendor to discard confidential documents
- Records retention guidelines
- FCRA and FACT laws