What is FACTA?
FACTA is the Fair and Accurate Credit Transaction Act. Passed by Congress in 2003, it is one of several recent laws (including HIPAA for the healthcare industry and Gramm-Leach-Bliley for the financial services industry) that seek to protect businesses and consumers from fraud and identity theft. The USAToday article referred to a new section (section 216) that requires any person who maintains consumer information to dispose of it properly.
Who does it affect?
The law affects any person or business that possesses consumer information. This includes consumer reporting agencies, lenders, employers, landlords, government agencies, mortgage brokers, and automobile dealers — just to name a few. The law applies to any business over which the FTC has jurisdiction. The FTC’s jurisdiction does not extend to several areas of the banking and finance industry, but the financial services industry has its own law called the Gramm-Leach-Bliley Act that has very similar requirements.
What exactly is this consumer information?
Consumer information is any record about an individual, whether in paper, electronic, or other form, that is contained in a credit report and can identify the individual. Examples of identifying information include social security numbers, driver’s license numbers, phone numbers, physical addresses, and email addresses. This information could be on a mortgage application, an insurance policy, a loan scoring sheet — anything that could be found in a credit report. Aggregate information (without identifiers) is not affected by the rule.
What do I have to do?
You have to take reasonable measures to protect the information from unauthorized access or use once you have disposed of it. Disposal is defined as the “discarding or abandonment of consumer information” as well as the sale of any medium (computer equipment) on which that information is stored. So before you toss that old computer that has customer records on it, you have to erase or destroy the hard drive.
Do I have to shred everything?
Nope. The law says you just have to take a “reasonable measure” to destroy anything that could identify an individual and might contain information in a credit report. Shredding is one method — you could also take it out back, throw gasoline on it and toss a match (though you might want to check with your local fire department before doing this).
For other business information, we ask a simple question: would we want a competitor to see this? If not, it gets shredded. See our “Why Shred?” page for what the law says about trash being private.
What exactly is a “reasonable measure”?
For paper, the FTC uses the example of shredding, burning, or pulverizing paper to prevent its use. This could mean purchasing a small office shredder or burning it in your fireplace at home — either one would work. Another example is hiring an outside firm that specializes in records destruction. For electronic media, they recommend destruction or erasure. In addition to the actual destruction, the FTC said that reasonable measures are likely to require establishing policies and procedures for destroying information, and training employees on what needs to be done.
Can I contract with an outside firm to do my destruction?
Yes, in fact the rule specifically mentions contracting with a document destruction business as a “reasonable measure”. But you have to perform some due diligence on the outside firm to make sure they do what they say they do. This due diligence could include reviewing an independent audit of the disposal company’s operations, obtaining information about the disposal company from several independent references, and requiring the company to be certified by a recognized trade association or similar third party. Note that Tri-State Shred has the highest certificate rating possible from the National Association for Information Destruction.
What happens if I don’t?
Violations of FACTA and its parent, the Fair and Accurate Credit Reporting Act, carry penalties of actual damages plus statutory damages up to $1,000 per customer for willful violations (with no cap on class-action damages), punitive damages, attorneys’ fees, and civil penalties.