[Federal Register: April 20, 2004 (Volume 69, Number 76)]
[Proposed Rules]
[Page 21387-21392]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr20ap04-29]
[[Page 21387]]
-----------------------------------------------------------------------
Part III
Federal Trade Commission
-----------------------------------------------------------------------
16 CFR Part 682
Disposal of Consumer Report Information and Records; Proposed Rule
[[Page 21388]]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 682
RIN 3084-AA94
Disposal of Consumer Report Information and Records
AGENCY: Federal Trade Commission (FTC).
ACTION: Notice of proposed rulemaking; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is
proposing a rule regarding the proper disposal of consumer report
information and records. The Fair and Accurate Credit Transactions Act
of 2003 (``FACT Act'' or ``Act'') requires the Federal Reserve Board,
Office of the Comptroller of the Currency, Federal Deposit Insurance
Corporation, Office of Thrift Supervision (collectively, the ``Federal
banking agencies''), National Credit Union Administration, Securities
and Exchange Commission, and Federal Trade Commission, in coordination
with one another, to adopt consistent and comparable rules regarding
such disposal.
DATES: Written comments must be received on or before June 15, 2004.
ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``The FACT Act Disposal Rule, R-411007'' to
facilitate the organization of comments. A comment filed in paper form
should include this reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission/Office of the Secretary, Room 159-H (Annex H), 600
Pennsylvania Avenue, NW., Washington, DC 20580. Comments containing
confidential material must be filed in paper form. The FTC is
requesting that any comment filed in paper form be sent by courier or
overnight service, if possible, because U.S. postal mail in the
Washington area and at the Commission is subject to delay due to
heightened security precautions.
An electronic comment can be filed by (1) clicking on
http://www.regulations.gov; (2) selecting ``Federal Trade Commission'' at
``Search for Open Regulations;'' (3) locating the summary of this
Notice; (4) clicking on ``Submit a Comment on this Regulation;'' and
(5) completing the form. For a given electronic comment, any
information placed in the following fields--``Title,'' ``First Name,''
``Last Name,'' ``Organization Name,'' ``State,'' ``Comment,'' and
``Attachment''--will be publicly available on the FTC Web site. The
fields marked with an asterisk on the form are required in order for
the FTC to fully consider a particular comment. Commenters may choose
not to fill in one or more of those fields, but if they do so, their
comments may not be considered.
Comments on any proposed filing, recordkeeping, or disclosure
requirements that are subject to paperwork burden review under the
Paperwork Reduction Act should additionally be submitted to: Office of
Information and Regulatory Affairs, Office of Management and Budget,
Attention: Desk Officer for the Federal Trade Commission. Comments
should be submitted via facsimile to (202) 395-6974 because U.S. postal
mail at the Office of Management and Budget is subject to lengthy
delays due to heightened security precautions. Such comments should
also be sent to the following address: Federal Trade Commission/Office
of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW.,
Washington, DC 20580.
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC Web site, to the extent
practicable, at http://www.ftc.gov. As a matter of discretion, the FTC
makes every effort to remove home contact information for individuals
from the public comments it receives before placing those comments on
the FTC Web site. More information, including routine uses permitted by
the Privacy Act, may be found in the FTC's privacy policy, at
http://www.ftc.gov/ftc/privacy.htm.
FOR FURTHER INFORMATION CONTACT: Ellen Finn or Susan McDonald,
Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue,
NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: This notice contains the following sections:
I. Introduction
II. Summary of Proposed Rule
III. Invitation to Comment
IV. Communications by Outside Parties to Commissioners or Their
Advisors
V. Paperwork Reduction Act
VI. Regulatory Flexibility Act
Proposed Rule
I. Introduction
The FACT Act was signed into law on December 4, 2003. Fair and
Accurate Credit Transactions Act of 2003, Pub. L. No. 108-159 (2003).
In general, the Act amends the Fair Credit Reporting Act (``FCRA'') to
enhance the accuracy of consumer reports and to allow consumers to
exercise greater control regarding the type and amount of marketing
solicitations they receive. To promote increasingly efficient national
credit markets, the FACT Act also establishes uniform national
standards in key areas of regulation regarding consumer report
information. Finally, the Act contains a number of provisions intended
to combat consumer fraud and related crimes, including identity theft,
and to assist its victims.
Section 216 of the FACT Act requires the Commission, Federal
banking agencies, National Credit Union Administration, and Securities
and Exchange Commission (the ``Agencies''), to issue regulations
requiring ``any person that maintains or otherwise possesses consumer
information, or any compilation of consumer information, derived from
consumer reports for a business purpose to properly dispose of any such
information or compilation.'' The purpose of this section is to prevent
unauthorized disclosure of consumer information and to reduce the risk
of fraud or related crimes, including identity theft, by ensuring that
records containing sensitive financial or personal information are
appropriately redacted or destroyed before being discarded. The
Agencies are required to consult and coordinate with each other so
that, to the extent possible, regulations implementing this section are
consistent and comparable. In addition, the Agencies' regulations must
be consistent with the Gramm-Leach-Bliley Act (``GLBA'') and other
provisions of Federal law. The Commission has conferred with the
Agencies and now offers for public comment this proposed rule regarding
the disposal of consumer report information and records (``Disposal
Rule'' or ``Rule'').\1\
---------------------------------------------------------------------------
\1\ The Federal banking agencies, SEC, and NCUA propose to
implement section 216 of the FACT Act by amending their existing
guidelines and rules on information security previously issued to
implement section 501(b) of the GLBA. However, because the entities
subject to the FTC's jurisdiction under the FACT Act and the GLBA
are overlapping but not coextensive, the Commission is proposing a
separate rule to implement section 216 of the FACT Act.
---------------------------------------------------------------------------
II. Summary of Proposed Rule
The following is a section-by-section summary of the Commission's
proposed Rule.
[[Page 21389]]
Proposed Section 682.1: Definitions
This section defines terms for purposes of the proposed Disposal
Rule. Proposed section 682.1(a) makes clear that, unless otherwise
stated, terms used in the Disposal Rule have the same meaning as set
forth in the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. Thus,
for example, the term ``consumer report'' as used in the Disposal Rule
has the same meaning as the term ``consumer report'' elsewhere in the
FCRA. See 15 U.S.C. 1681a(d) (defining ``consumer report''). The
proposed Disposal Rule also defines two new terms: ``consumer
information'' and ``disposal.''
Proposed section 682.1(b) defines ``consumer information'' as any
record about an individual, whether in paper, electronic, or other
form, that is a consumer report or is derived from a consumer report.
The Commission believes a broad definition of the term, which includes
all types of records that are consumer reports, or contain consumer
information derived from consumer reports, will best effectuate the
purpose of the Act. However, under this definition, information that is
derived from consumer reports but does not identify any particular
consumers would not be covered under the proposed Rule. The Commission
believes that limiting ``consumer information'' to information that
identifies particular consumers is consistent with current law relating
to the scope of the term ``consumer report'' under the FCRA and the
purposes of section 216.
Proposed section 682.1(c) defines ``disposing'' or ``disposal'' to
include the discarding or abandonment of consumer information, as well
as the sale, donation, or transfer of any medium, including computer
equipment, upon which consumer information is stored. By itself, the
sale, donation, or transfer of consumer information would not be
considered ``disposal'' under the proposed Rule.
The Commission requests comment on both of these proposed
definitions.
Proposed Section 682.2: Purpose and Scope
Proposed section 682.2(a) sets forth the purpose of the proposed
Disposal Rule, which is to reduce the risk of consumer fraud and
related harms, including identity theft, created by improper disposal
of consumer information. See Cong. Rec. S13889 (Nov. 4, 2003)
(Statement of Sen. Nelson).
Proposed section 682.2(b) sets forth the scope of the proposed
Disposal Rule, which applies to ``any person over which the Federal
Trade Commission has jurisdiction, that, for a business purpose,
maintains or otherwise possesses consumer information, or any
compilation of consumer information.''\2\ This section, which tracks
the language of section 216 of the FACT Act, creates two criteria for
determining whether a person would be required to comply with the
Disposal Rule. First, does the person maintain or otherwise possess the
consumer information for a business purpose? Second, does the record
being disposed of contain consumer information, or any compilation of
consumer information?
---------------------------------------------------------------------------
\2\ ``Person'' is defined in the FCRA, 15 U.S.C. 1681a(b), as
``any individual, partnership, corporation, trust, estate,
cooperative, association, government or governmental subdivision or
agency, or other entity.''
---------------------------------------------------------------------------
As to the first criterion, the Commission reads ``for a business
purpose'' broadly to include all business reasons for which a person
may possess or maintain consumer information. Thus, the Rule would
likely cover any person that possesses or maintains consumer
information other than an individual consumer who has obtained his or
her own consumer report. Among the entities that possess or maintain
consumer information for a business purpose are consumer reporting
agencies, including resellers of consumer reports, that are in the
business of selling consumer information, as well as lenders, insurers,
employers, landlords, government agencies, mortgage brokers, automobile
dealers, and other users of consumer reports.\3\ Companies that possess
consumer information in connection with the provision of services to
another entity are also directly covered by the proposed Rule to the
extent that they dispose of the consumer information.\4\
---------------------------------------------------------------------------
\3\ As these examples illustrate, the Commission views a
``business purpose'' as broader than a ``permissible purpose'' as
defined in section 604 of the FCRA. See 15 U.S.C. 1681b (outlining
permissible uses of consumer reports). Although ``permissible
purposes'' are generally ``business purposes,'' there are a variety
of business purposes for which persons maintain or possess
``consumer information'' beyond those listed as ``permissible'' for
users of consumer reports.
\4\ Examples of such companies could include records management
or waste disposal companies.
---------------------------------------------------------------------------
As to the second criterion, the FACT Act and proposed Rule make
clear that the disposal requirements apply not only to consumer
reports, but also to records containing ``consumer information, or any
compilation of consumer information, derived from consumer reports.''
FACT Act, section 628(a)(1). The Commission believes that the phrase
``derived from consumer reports'' covers all of the information about a
consumer that is taken from a consumer report, including information
that results in whole or in part from manipulation of information from
a consumer report or information from a consumer report that has been
combined with other types of information.\5\ Thus, any person that
possesses such information, including an affiliate that has received it
pursuant to section 603(d)(2)(A)(iii) of the FCRA, would be obligated
to properly dispose of it.
---------------------------------------------------------------------------
\5\ Information that does not identify particular consumers
would not be covered, even if the information was originally
``derived from consumer reports,'' since that information would no
longer be ``about a consumer.''
---------------------------------------------------------------------------
The Commission requests comment on the scope of the proposed Rule
and the costs and benefits of covering the entities and information
proposed. The Commission also seeks comment on whether the definition
of covered ``consumer information'' should be further clarified, by
example or otherwise. Finally, the Commission requests comment on
whether there are any persons or classes of persons covered by the
proposed Rule that it should consider exempting from the Rule's
application pursuant to section 216(a)(3) of the FACTA.
Proposed Section 682.3: Proper Disposal of Consumer Information
Regarding the standard for disposal, the proposed Rule would
require that any person that maintains or otherwise possesses consumer
information ``take reasonable measures to protect against unauthorized
access to or use of the information in connection with its disposal.''
The Commission recognizes that there are few foolproof methods of
record destruction. Accordingly, the proposed Rule does not require
covered persons to ensure perfect destruction of consumer information
in every instance; rather, it requires covered entities to take
reasonable measures to protect against unauthorized access to or use of
the information in connection with its disposal.
In determining what measures are ``reasonable'' under the Rule, the
Commission expects that entities covered by the proposed Rule would
consider the sensitivity of the consumer information, the nature and
size of the entity's operations, the costs and benefits of different
disposal methods, and relevant technological changes. ``Reasonable
measures'' are very likely to require elements such as the
establishment of policies and procedures governing disposal, as well as
appropriate employee training.
[[Page 21390]]
The flexible standard for disposal in the proposed Rule would allow
covered persons to make decisions appropriate to their particular
circumstances and should minimize the disruption of existing practices
to the extent that they already provide appropriate protections for
consumers. It is also intended to minimize the burden of compliance for
smaller entities. In addition, a ``reasonable measures'' standard would
harmonize the Disposal Rule with the Commission's Safeguards Rule, 16
CFR part 314, implementing section 501(b) of the GLBA, so that entities
subject to both rules will not face conflicting requirements.\6\ An
entity subject to the Safeguards Rule is required to address the
disposal of customer information as one part of a larger, written
information security program reasonable and appropriate for that
entity. An entity that incorporates proper disposal measures for
consumer information, as defined in the FACT Act Disposal Rule, into
the broader information security program required by the Safeguards
Rule would easily be able to comply with both rules.\7\
---------------------------------------------------------------------------
\6\ The coverage of the proposed Disposal Rule is different from
that of the Commission's Safeguards Rule. Although some entities may
be subject to both rules, there are a variety of entities subject to
the proposed Disposal Rule that are not subject to the Safeguards
Rule because they are not ``financial institutions'' under GLBA.
This differential coverage was specifically intended by Congress.
See Cong. Rec. S13889 (Nov. 4, 2003) (Statement of Sen. Nelson). In
addition, the proposed Disposal Rule and the Safeguards Rule apply
to different sets of information. See 16 CFR 314.1(b) (describing
scope of ``customer information'' covered by Safeguards Rule);
Proposed Disposal Rule Sec. Sec. 682.1(b) & 682.2(b) (defining
scope of ``consumer information'' subject to proposed Disposal
rule).
\7\ As noted above, in addition to the entities that own
consumer information, waste disposal companies and other companies
that obtain consumer information in connection with the provision of
services would be directly covered by the Disposal Rule. By
contrast, such entities are generally deemed ``service providers''
under the Safeguards Rule. To the extent that such entities
undertake disposal measures that comply with the Disposal Rule, such
measures would also be appropriate disposal measures under the
service provider provisions of the Safeguards Rule. See 16 CFR
314.4(d). However, such disposal measures would only be one part of
the broader security program required of both financial institutions
and, indirectly, their service providers under the Safeguards Rule.
---------------------------------------------------------------------------
Despite the many benefits of a flexible ``reasonableness''
standard, the Commission recognizes that such a standard can leave
covered persons with some uncertainty about compliance. Accordingly,
the proposed Rule includes examples intended to provide guidance on
disposal measures that would be deemed reasonable under the Rule. These
examples are illustrative only, not exhaustive, and because they cannot
take into account a particular entity's unique circumstances, they are
intended merely to provide general guidance.
The Commission invites comment on the proposed standard for record
disposal. In particular, the Commission invites comment on: (1) The
costs and benefits of the proposed standard; (2) the costs and benefits
of any alternative standards; (3) the appropriateness and usefulness of
providing examples in the Rule of reasonable record disposal measures;
(4) the merits of the examples included in this notice, as well as any
other standards or examples that the Commission might consider to
provide guidance on appropriate record disposal.
Proposed Section 682.4: Relation to Other Laws
The proposal makes clear that nothing in the proposed Rule is
intended to create a requirement that a person maintain or destroy any
record pertaining to a consumer. Nor is the Rule intended to affect any
requirement imposed under any other provision of law to maintain or
destroy such records.
Proposed Section 682.5: Effective Date
The Commission proposes to make the Disposal Rule effective 3
months after the publication of the final Rule.
III. Invitation To Comment
The Commission invites interested members of the public to submit
written data, views, facts, and arguments addressing the issues raised
by this Notice. Written comments must be received on or before June 15,
2004. Comments should refer to ``The FACT Act Disposal Rule, R-411007''
to facilitate the organization of comments. A comment filed in paper
form should include this reference both in the text and on the
envelope, and should be mailed or delivered to the following address:
Federal Trade Commission/Office of the Secretary, Room 159-H (Annex H),
600 Pennsylvania Avenue, NW., Washington, DC 20580. If the comment
contains any material for which confidential treatment is requested, it
must be filed in paper (rather than electronic) form, and the first
page of the document must be clearly labeled ``Confidential.''\8\ The
FTC is requesting that any comment filed in paper form be sent by
courier or overnight service, if possible, because U.S. postal mail in
the Washington area and at the Commission is subject to delay due to
heightened security precautions.
---------------------------------------------------------------------------
\8\ Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be
accompanied by an explicit request for confidential treatment,
including the factual and legal basis for the request, and must
identify the specific portions of the comment to be withheld from
the public record. The request will be granted or denied by the
Commission's General Counsel, consistent with applicable law and the
public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
An electronic comment can be filed by (1) clicking on
http://www.regulations.gov; (2) selecting ``Federal Trade Commission'' at
``Search for Open Regulations;'' (3) locating the summary of this
Notice; (4) clicking on ``Submit a Comment on this Regulation;'' and
(5) completing the form. For a given electronic comment, any
information placed in the following fields--``Title,'' ``First Name,''
``Last Name,'' ``Organization Name,'' ``State,'' ``Comment,'' and
``Attachment''--will be publicly available on the FTC Web site. The
fields marked with an asterisk on the form are required in order for
the FTC to fully consider a particular comment. Commenters may choose
not to fill in one or more of those fields, but if they do so, their
comments may not be considered.
Comments on any proposed filing, recordkeeping, or disclosure
requirements that are subject to paperwork burden review under the
Paperwork Reduction Act should additionally be submitted to: Office of
Information and Regulatory Affairs, Office of Management and Budget,
Attention: Desk Officer for the Federal Trade Commission. Comments
should be submitted via facsimile to (202) 395-6974 because U.S. postal
mail at the Office of Management and Budget is subject to lengthy
delays due to heightened security precautions. Such comments should
also be sent to the following address: Federal Trade Commission/Office
of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW.,
Washington, DC 20580.
The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC Web site, to the extent
practicable, at http://www.ftc.gov. As a matter of discretion, the FTC
makes every effort to remove home contact information for individuals
from the public comments it receives before placing those comments on
the FTC Web site. More information, including routine uses permitted by
the Privacy Act, may be found in the FTC's privacy policy, at
http://www.ftc.gov/ftc/privacy.htm.
[[Page 21391]]
IV. Communications by Outside Parties to Commissioners or Their
Advisors
Written communications and summaries or transcripts of oral
communications respecting the merits of this proceeding from any
outside party to any Commissioner or Commissioner's advisor will be
placed on the public record. See 16 CFR 1.26(b)(5).
V. Paperwork Reduction Act
In accordance with the Paperwork Reduction Act of 1995 (44 U.S.C.
3506) (PRA), the Commission has reviewed the proposed rule. The
proposed rule explicitly provides that it is not intended ``(1) to
require a person to maintain or destroy any record pertaining to a
consumer that is not imposed under other law; or (2) to alter or affect
any requirement imposed under any other provision of law to maintain or
destroy such a record.'' As such, the proposed rule does not impose any
recordkeeping requirement or otherwise constitute a ``collection of
information'' as it is defined in the regulations implementing the PRA.
See 5 CFR 1320.3(c).
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act (``RFA''), 5 U.S.C. 601-612,
requires an agency to provide an Initial Regulatory Flexibility
Analysis (``IRFA'') with a proposed rule and a Final Regulatory
Flexibility Analysis (``FRFA'') with the final rule, if any, unless the
agency certifies that the rule will not have a significant economic
impact on a substantial number of small entities. See 5 U.S.C. 603-605.
The Commission has determined that it is appropriate to publish an IRFA
in order to inquire into the impact of the proposed Rule on small
entities. Therefore, the Commission has prepared the following
analysis.
A. Reasons for the Proposed Rule
Section 216 of the FACT Act requires the Commission to issue
regulations regarding the proper disposal of consumer information in
order to prevent sensitive financial and personal information from
falling into the hands of identity thieves or others who might use the
information to victimize consumers. The requirements of the proposed
Rule are intended to fulfill the obligations imposed by section 216.
B. Statement of Objectives and Legal Basis
The objectives of the proposed Rule are discussed above. The legal
basis for the proposed Rule is section 216 of the FACT Act.
C. Description of Small Entities to Which the Proposed Rule Will Apply
The proposed Disposal Rule, which tracks the language of section
216 of the FACT Act, applies to ``any person that, for a business
purpose, maintains or otherwise possesses consumer information, or any
compilation of consumer information.'' As discussed above, the entities
covered by the Rule would include consumer reporting agencies,
resellers of consumer reports, lenders, insurers, employers, landlords,
government agencies, mortgage brokers, automobile dealers, waste
disposal companies, and any other business that possesses or maintains
consumer information. Although it is not readily feasible to determine
a precise number of small entities that will be subject to the proposed
Rule, it is clear that numerous small entities across almost every
industry could potentially be subject to the Rule.
For example, any employer, regardless of industry or size, that
obtains a consumer report (whether a full credit report or a
pre-employment background check of public records) would be subject to the
proposed Rule. Indeed, any company, regardless of industry or size,
that obtains consumer reports for a business purpose would be subject
to the proposed Rule. In addition, a variety of consumer reporting
agencies and resellers of consumer reports may qualify as small
businesses, as could a number of waste disposal companies, all of which
would be subject to the proposed Rule.
Given the diversity of the entities potentially subject to the
Rule, determining a precise estimate of the number of small entities
that will be subject to the proposed Rule, or describing those
entities, is not possible. The Commission invites comment and
information on this issue.
D. Projected Reporting, Recordkeeping and Other Compliance Requirements
The proposed Rule would not impose any reporting or any specific
recordkeeping requirements within the meaning of the Paperwork
Reduction Act, discussed above. The proposed Rule would require covered
entities, when disposing of consumer information, to take reasonable
measures to protect against unauthorized access to or use of the
information in connection with its disposal. What is considered
``reasonable'' will vary according to an entity's nature and size, the
costs and benefits of available disposal methods, and the sensitivity
of the information involved. This flexibility is intended to reduce the
burden that might otherwise be imposed on small entities by a more
rigid, prescriptive rule. Nonetheless, the Commission is concerned
about the potential impact of the proposed Rule on small entities, and
invites comment on the costs of compliance for such parties.
E. Identification of Other Duplicative, Overlapping, or Conflicting
Federal Rules
The FTC has not identified any other Federal statutes, rules, or
policies that would conflict with the proposed Rule's requirement that
covered persons take reasonable measures to protect against
unauthorized access to or use of the information in connection with its
disposal. However, the Commission is requesting comment on the extent
to which other federal standards involving privacy or security of
information may duplicate, satisfy, or inform the proposed Rule's
requirements. In addition, the FTC seeks comment and information about
any statutes or rules that may conflict with the proposed requirements,
as well as any other state, local, or industry rules or policies that
require covered entities to implement practices that comport with the
requirements of the proposed Rule.
F. Discussion of Significant Alternatives
Section 216 of the FACT Act requires the Commission to issue
regulations regarding the proper disposal of consumer information. The
Act also requires that the regulations cover ``any person who possesses
or maintains'' consumer report information. This broad coverage is
consistent with the section's purpose of preventing identity theft
because the risks created by improper disposal of consumer information
are the same regardless of the nature of the entity disposing of the
records. However, the standards in the proposed Rule are flexible, and
take account of a covered entity's size and sophistication, as well as
the costs and benefits of alternative disposal methods. The FTC
welcomes comment on any significant alternatives, consistent with the
purposes of the FACT Act, that would minimize the impact on small
entities.
List of Subjects in 16 CFR Part 682
Consumer reports, Consumer reporting agencies, Credit, Fair Credit
Reporting Act, Trade practices.
Accordingly, the Commission proposes to add part 682 of title 16 of
the Code of Federal Regulations as follows:
[[Page 21392]]
PART 682--DISPOSAL OF CONSUMER REPORT INFORMATION AND RECORDS
Sec.
682.1 Definitions.
682.2 Purpose and scope.
682.3 Proper disposal of consumer information.
682.4 Relation to other laws.
682.5 Effective date.
Authority: Pub. L. 108-159, sec. 216.
Sec. 682.1 Definitions.
(a) In general. Except as modified by this part or unless the
context otherwise requires, the terms used in this part have the same
meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681
et seq.
(b) As used in this part, ``consumer information'' means any record
about an individual, whether in paper, electronic, or other form, that
is a consumer report or is derived from a consumer report.
(c) As used in this part, ``disposing'' or ``disposal'' includes:
(1) the discarding or abandonment of consumer information, and
(2) the sale, donation, or transfer of any medium, including
computer equipment, upon which consumer information is stored.
Sec. 682.2 Purpose and scope.
(a) Purpose. This part (``rule'') implements section 216 of the
Fair and Accurate Credit Transactions Act of 2003, which is designed to
reduce the risk of consumer fraud and related harms, including identity
theft, created by improper disposal of consumer information.
(b) Scope. This rule applies to any person over which the Federal
Trade Commission has jurisdiction, that, for a business purpose,
maintains or otherwise possesses consumer information or any
compilation of consumer information.
Sec. 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses
consumer information, or any compilation of consumer information, for a
business purpose must properly dispose of such information by taking
reasonable measures to protect against unauthorized access to or use of
the information in connection with its disposal.
(b) Examples. Reasonable measures to protect against unauthorized
access to or use of consumer information in connection with its
disposal would include:
(1) Implementing and monitoring compliance with policies and
procedures that require the burning, pulverizing, or shredding of
papers containing consumer information so that the information cannot
practicably be read or reconstructed.
(2) Implementing and monitoring compliance with policies and
procedures that require the destruction or erasure of electronic media
containing consumer information so that the information cannot
practicably be read or reconstructed.
(3) After due diligence, entering into and monitoring compliance
with a written contract with another party engaged in the business of
record destruction to dispose of consumer information in a manner
consistent with this rule. In this context, due diligence could include
reviewing an independent audit of the disposal company's operations
and/or its compliance with this rule, obtaining information about the
disposal company from several references or other reliable sources,
requiring that the disposal company be certified by a recognized trade
association or similar third party, reviewing and evaluating the
disposal company's information security policies or procedures, or
taking other appropriate measures to determine the competency and
integrity of the potential disposal company.
(4) (a) For disposal companies explicitly hired to dispose of
consumer information: implementing and monitoring compliance with
policies and procedures that protect against unauthorized access to or
use of consumer information during collection and transportation, and
disposing of such information in accordance with examples (1) and (2)
above.
(b) For traditional garbage collectors engaged in the normal course
of business: disposing of garbage in accordance with standard
procedures.
Sec. 682.4 Relation to other laws.
Nothing in this rule shall be construed--
(a) to require a person to maintain or destroy any record
pertaining to a consumer that is not imposed under other law; or
(b) to alter or affect any requirement imposed under any other
provision of law to maintain or destroy such a record.
Sec. 682.5 Effective date.
This rule is effective 3 months from the date on which a final rule
is published in the Federal Register.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 04-8904 Filed 4-19-04; 8:45 am]
BILLING CODE 6750-01-P