As part of the federal government’s fight against identity theft, effective June 1, 2005, employers who discard certain information about employees are required to make efforts to ensure that those records are actually destroyed. Under changes to the Fair Credit Reporting Act, employers and other entities that possess consumer report information for a business purpose – most commonly, in connection with a job applicant or employee background check – must take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
The following is a series of questions and answers to help employers understand their new obligations under the rule.
What information is covered?
"Consumer information," which means any consumer reports or information based on consumer reports. "Consumer reports" means any information reported by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used to determine eligibility for employment, insurance, credit, or any other permissible business purpose.
The rule covers records in paper, electronic or any other form.
Does the new rule require a certain method of destruction?
No. The rule only requires that covered businesses "properly dispose" of consumer information by taking "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The Federal Trade Commission, which developed the rule, acknowledges that there are no foolproof methods of records destruction, that the rule does not require "perfection" in destruction, and that each entity must consider its own unique circumstances for compliance with the rule.
The "reasonable measures" standard for disposal is intended to be flexible enough to allow covered businesses to consider the sensitivity of the information, the costs and benefits of different disposal methods, and relevant changes in technology over time. Some of the examples cited in the rule include: (1) implementing and monitoring compliance with policies and procedures that require burning, pulverizing, destroying or shredding of papers containing consumer information, including employee training on the policies; (2) implementing and monitoring compliance with policies and procedures that require erasing or destroying electronic media containing such information; and (3) contracting with a third party to dispose of consumer information in a manner consistent with the rule (and monitoring the performance of the records disposal).
Does this rule cover all employment records?
The rule only covers those reports provided by or through a consumer reporting agency or any records the employer possesses that contain information derived from "consumer reports."
Does the rule have any reporting requirements for employers?
No. The rule does not require that employers or entities report compliance or the method or timing of records destruction to any federal, state or local government.
Does the rule establish when an employer must destroy records or set any minimum retention time periods?
The FTC is clear that nothing in the rule is intended to create a requirement that records be maintained for a certain period of time or that records must be destroyed within a specific time period. However, all federal or state laws regarding records retention remain in place.
Given the increased attention on identity theft, fraud and other privacy issues, employers need to review or develop policies to ensure actual destruction of discarded records, particularly when those records contain sensitive information. Failure to ensure destruction could give rise to claims under the Fair Credit Reporting Act or even to novel negligence claims.
Michael Aldana is a partner in the Labor and Employment Group at Quarles & Brady LLP in Milwaukee.
July 8, 2005, Small Business Times, Milwaukee, WI