FTC Issues Revised Summary of Rights Under the Fair Credit Reporting Act and New Rule on Disposal of Consumer Information
The Fair Credit Reporting Act (“FCRA”), among other things, requires employers to obtain written authorization and disclose certain information whenever the employer uses an outside agency to conduct background checks, including criminal background checks, on employees and applicants. FCRA’s notice and authorization requirements are not applicable when the employer uses its own employees to directly obtain information from sources available to the public, such as a court or law enforcement agency, as opposed to engaging an outside entity to conduct the investigation. On December 4, 2003, President Bush signed into law the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), which amended the FCRA. (See Fair Credit Reporting Act Amendments Signed by President Bush (Dec 10, 2003)) Under FACTA, the Federal Trade Commission (FTC) was required to create new notices of rights under the FCRA. Accordingly, the FTC released the final version of its revised notices, which took effect on January 31, 2005. The “Summary of Rights Under the Fair Credit Reporting Act” (Summary of Rights) is the form which must be provided to applicants and employees when an employer uses an outside agency to conduct a background check.
The FTC also issued its final rule regarding the proper disposal of consumer report information and records under FACTA. The rule becomes effective on June 1, 2005. Employers will be required to comply with the new disposal rule when discarding background check information obtained from an outside agency.
Under the new disposal rule, employers must take “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” The disposal rule covers any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. The disposal rule does not specifically define what “reasonable measures” means, but does provide illustrative examples for complying with the rule. These examples include:
(1) implementing and monitoring compliance with policies and procedures that require shredding or other forms of destruction of documents “so that the information cannot practicably be read or reconstructed;”
(2) implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information “so that the information cannot practicably be read or reconstructed;” and
(3) contracting with a third-party disposal company, after conducting due diligence on the company, to properly dispose of consumer information and monitoring the contractor’s performance. Conducting due diligence on the disposal company could include reviewing an independent audit of the company, checking with several references, or requiring that the disposal be certified by a recognized trade association.
The disposal rule does not require the destruction, or retention, of any record that is required to be maintained or destroyed under any other law. This means that the disposal rule only addresses documents that would fall within the FCRA definition of “consumer report” (i.e., background checks done by a CRA) and does not affect an employer’s obligation to maintain other types of information, such as payroll information, tax forms, I-9 forms, etc.