Along with the Fair Credit Reporting Act (FCRA), creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information must follow the regulations set by the Fair and Accurate Credit Transactions Act (FACTA). FACTA is an addendum to the FCRA that limits how consumer information can be shared and controls how this private data is disposed of, to protect the individual to whom the information pertains from identity theft.
FACTA-Compliant Data Disposal
When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data.
The Rule mandates that this data be destroyed by pulverizing, shredding, or burning all papers on which the consumer information is printed, rendering the information unreadable and unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information. Appropriate disposal methods for electronic media include overwriting the media with non-sensitive information, using software or hardware, to clear the data; degaussing the media and rendering the magnetic field permanently unusable; or destroying the media by shredding, melting, pulverization, disintegration, or incineration. As with the actual data, the electronic media must be rendered unreadable and unable to be reconstructed.
If you’re working with a third-party data disposal company to comply with FACTA data destruction requirements, you are required to conduct an independent audit of the process to ensure the integrity of the disposal and complete data destruction.
Lastly, you may need to incorporate your data disposal policies into your organization’s information security program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.
Consequences of a FACTA Violation
Failure to comply with FACTA for either the data or the drive destruction can result in major damage to your company’s reputation and financial standing. If you fall victim to a data breach and have not complied with FACTA regulations, the individuals affected by the breach can seek damages under the law. Your organization may face a class action lawsuit and fines up to $1,000 per individual violation, regardless of whether the persons suffered identity theft.
Moreover, the reputation of your company may be tarnished by the data breach and subsequent FACTA violations. This could mean the loss of existing customers and potential new business, furthering your organization’s financial loss and eroding economic stability.
When it comes to working with third parties for data destruction, however, there is a real risk that needs to be considered. If your third party experiences a breach, your organization retains sole liability for the data you have collected and stored, meaning that you, and not the third party, will still face civil penalties.
It is therefore highly recommended that you partner with a vendor like SEM who can provide both data and drive destruction devices for your organization to use and keep in-house. By controlling who, where, when and how your data and drives are destroyed, you can better ensure data protection at every step during destruction.