US Federal Disposal of Consumer Report Information and Records (16 CFR § 682.1 - § 682.5) (2005)

US Federal Disposal of Consumer Report Information and Records

16 CFR § 682.1 - § 682.5

 

SUMMARY:

This Rule requires businesses and individuals that maintain or otherwise possess consumer reports and records for a business purpose to take appropriate measures to dispose of sensitive information derived from such consumer reports and records.

 

CITATION:

Electronic Code of Federal Regulations (e-CFR) 

Title 16 - Commercial Practices 

Chapter I - Federal Trade Commission 

Subchapter F - Fair Credit Reporting Act 

Part 682 - Disposal of Consumer Report Information and Records 

§ 682.1 Definitions.

§ 682.2 Purpose and scope.

§ 682.3 Proper disposal of consumer information.

§ 682.4 Relation to other laws.

§ 682.5 Effective date.

 

§ 682.1 Definitions.

(a) In general.  Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. 

(b) “Consumer information” means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data. 

(c) “Dispose,” “disposing,” or “disposal” means: 

(1) The discarding or abandonment of consumer information, or 

(2) The sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. 

 

§ 682.2 Purpose and scope.

(a) Purpose.  This part (“rule”) implements section 216 of the Fair and Accurate Credit Transactions Act of 2003, which is designed to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information. 

(b) Scope.  This rule applies to any person over which the Federal Trade Commission has jurisdiction, that, for a business purpose, maintains or otherwise possesses consumer information. 

 

§ 682.3 Proper disposal of consumer information.

(a) Standard.  Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. 

(b) Examples.  Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with the rule in this part. 

(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed. 

(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. 

(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company. 

(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (b)(1) and (2) of this section. 

(5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule. 

 

§ 682.4 Relation to other laws.

Nothing in the rule in this part shall be construed: 

(a) To require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or 

(b) To alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record. 

 

§ 682.5 Effective date.

The rule in this part is effective on June 1, 2005.

 

For more information, see here:  https://www.ecfr.gov/current/title-16/chapter-I/subchapter-F/part-682

 

These materials were obtained directly from the Federal Government public website and are posted here for your review and reference only.  No Claim to Original U.S. Government Works.  This may not be the most recent version.  The U.S. Government may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.