Disposal of Consumer Report Information and Records

Federal Register, Jul 8, 2004
69 Fed. Reg. 41219 (Jul. 8, 2004)

AGENCY:

Federal Trade Commission (FTC).

ACTION:

Supplemental initial regulatory flexibility analysis for notice of proposed rulemaking.

SUMMARY:

The Federal Trade Commission (“FTC” or “Commission”) is publishing a supplemental initial regulatory flexibility analysis to aid the public in commenting upon the small business impact of its proposed rule implementing section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act” or “Act”).

DATES:

Written comments must be received on or before July 30, 2004.

ADDRESSES:

Interested parties are invited to submit written comments. Comments should refer to “The FACT Act Disposal Rule, R-411007” to facilitate the organization of comments. A comment filed in paper form should include this reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission/Office of the Secretary, Room 159-H (Annex H), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Comments containing confidential material must be filed in paper form clearly labeled “Confidential,” and comply with the Commission Rule 4.9(c). 16 CFR 4.9(c). The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

An electronic comment can be filed by (1) clicking on http://www.regulations.gov ; (2) selecting “Federal Trade Commission” at “Search for Open Regulations;” (3) locating the summary of this Notice; (4) clicking on “Submit a Comment on this Regulation;” and (5) completing the form. For a given electronic comment, any information placed in the following fields—“Title,” “First Name,” “Last Name,” “Organization Name,” “State,” “Comment,” and “Attachment”—will be publicly available on the FTC Web site. The fields marked with an asterisk on the form are required in order for the FTC to fully consider a particular comment. Commenters may choose not to fill in one or more of those fields, but if they do so, their comments may not be considered.

The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at www.ftc.gov. As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm .

FOR FURTHER INFORMATION CONTACT:

Ellen Finn or Susan McDonald, Attorneys, (202) 326-3224, Division of Financial Practices, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

This notice supplements the Commission's initial notice of proposed rulemaking, 69 FR 21388 (Apr. 20, 2004), for its proposed rule regarding Disposal of Consumer Report Information and Records, 16 CFR part 682, implementing section 216 of the FACT Act, Pub. L. 108-159 (2003). The Commission's notice of proposed rulemaking included an initial regulatory flexibility analysis pursuant to the Regulatory Flexibility Act (5 U.S.C. 603); however, the Commission has decided to publish the following supplemental analysis in order to provide additional information and opportunity for public comment on the small business impact, if any, of the proposed rule. The Commission notes that there has already been a substantial period for public comment on the proposed rule itself and that the public comments received are posted online at http://www.ftc.gov/os/comments/disposal/index.htm .

A. Reasons for the Proposed Rule

Section 216 of the FACT Act requires the Commission to issue regulations regarding the proper disposal of consumer information in order to prevent sensitive financial and personal information from falling into the hands of identity thieves or others who might use the information to victimize consumers. The requirements of the proposed Rule are intended to implement section 216.

B. Statement of Objectives and Legal Basis

The objective of the proposed Rule, set forth in Proposed Section 682.2(a), is to reduce the risk of consumer fraud and related harms, including identity theft, created by improper disposal of consumer information. See Cong. Rec. S13889 (Nov. 4, 2003) (Statement of Sen. Nelson). The legal basis for the proposed Rule is section 216 of the FACT Act.

C. Description of Small Entities to Which the Proposed Rule Will Apply

The proposed Disposal Rule, which tracks the language of section 216 of the FACT Act, applies to “any person that, for a business purpose, maintains or otherwise possesses consumer information, or any compilation of consumer information.” As discussed in the initial notice of proposed rulemaking, the entities covered by the proposed Rule would include consumer reporting agencies, resellers of consumer reports, lenders, insurers, employers, landlords, government agencies, mortgage brokers, automobile dealers, waste disposal companies, and any other business that possesses or maintains consumer information.

As discussed in the initial notice of proposed rulemaking, any company, regardless of industry or size, that possesses or maintains consumer information for a business purpose would be subject to the proposed Rule. Therefore, numerous small entities across almost every industry could potentially be subject to the Rule. For the majority of entities subject to the proposed Rule, a small business is defined by the Small Business Administration as one whose average annual receipts do not exceed $6 million or who have fewer than 500 employees.

These numbers represent the size standards for most retail and service industries ($6 million total receipts) and manufacturing industries (500 employees). A list of the SBA's size standards for all industries can be found at http://www.sba.gov/size/summary-whatis.html .

Although it is impossible to identify every industry that may possess or maintain consumer information for business purposes, the Commission anticipates that, at a minimum, the estimated 231,000 small entities within the finance and insurance industries are likely to be subject to the proposed Rule. Generally, these entities are already subject to the FTC's Gramm-Leach-Bliley Act Safeguards Rule, which contains requirements similar to those in the proposed Rule. As a result, as discussed further below, the marginal cost of compliance with the proposed Disposal Rule for these businesses is likely to be minimal.

“Consumer Information” is defined in the proposed Rule as any “record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report.”

The estimate of 231,000 small entities represents 2001 totals as reported by the SBA. See http://www.sba.gov/advo/stats/.

The Safeguards Rule is codified at 16 CFR part 314.

In addition, any business, regardless of industry, that obtains a consumer report, or information derived from a consumer report, would be subject to the proposed Rule. Among businesses that might fall into this category are landlords, utility companies, telecommunications companies, and any business that obtains consumer reports for employment screening purposes. The Commission is unaware of any data concerning the frequency with which small businesses such as these obtain consumer reports. As a result, it is not possible to determine precisely how many small businesses outside the finance and insurance industries would be subject to the proposed Rule, or how often these entities would be required to undertake compliance efforts.

Accordingly, the Commission continues to believe that a precise estimate of the number of small entities that fall under the proposed Rule is not currently feasible, and specifically requests information or comment on this issue.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

The proposed Rule would not impose any specific reporting or recordkeeping requirements within the meaning of the Paperwork Reduction Act. The proposed Rule would require covered entities, when disposing of consumer information, to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. What is considered “reasonable” will vary according to an entity's nature and size, the costs and benefits of available disposal methods, and the sensitivity of the information involved. In formulating the proposed Rule, the Commission considered alternatives to this approach, and determined that the flexibility afforded by the Rule as proposed would reduce the burden that might otherwise be imposed on small entities by a more rigid, prescriptive rule.

As noted above, entities already subject to the Commission's Safeguards Rule should incur few, if any, additional compliance costs. Among other things, the Safeguards Rule already requires covered entities to develop and implement policies that require the proper disposal of “customer information” (as defined in the GLB Act), as well as employee training programs and mechanisms to update its information security program on a periodic basis. Modifying these policies to address the disposal of “consumer information” (as defined in the proposed Rule), and training employees on these changes, should therefore be possible at little or no cost. In fact, because the definitions of “consumer information” and “customer information” overlap, many entities may already be in substantial compliance with the proposed Rule's requirements.

For small businesses not already subject to the GLB Safeguards Rule, compliance costs may be greater. Because the proposed Rule does not mandate specific disposal measures, a precise estimate of compliance costs is not feasible. However, there are certain basic steps that are likely to be appropriate for many small entities. For example, shredding or burning paper records containing consumer information will generally be appropriate. Depending upon the volume of records at issue and the office equipment available to the small entity, this method of disposal may be accomplished by the small entity itself at no cost, may require the purchase of a paper shredder (available at office supply stores for as little as $25), or may require the hiring of a document disposal service on a periodic basis (the costs of which will vary based on the volume of material, frequency of service, and geographic location).

If a small entity has stored consumer information on electronic media (for example, computer discs or hard drives), disposal of such media could be accomplished by a small entity at almost no cost by simply smashing the material with a hammer. In some cases, appropriate disposal of electronic media might also be accomplished by overwriting or “wiping” the data prior to disposal. Utilities to accomplish such wiping are widely available for under $25; indeed, some such tools are available for download on the Internet at no cost. Whether “wiping,” as opposed to destruction, of electronic media is reasonable, as well as the adequacy of particular utilities to accomplish that “wiping,” will depend upon the circumstances.

As the above examples illustrate, although it is not possible to estimate small businesses' compliance costs precisely, such costs are likely to be quite modest for most small entities. Nonetheless, because the Commission is concerned about the potential impact of the proposed Rule on small entities, it specifically invites comment on the costs of compliance for such parties. In particular, although the Commission does not expect that small entities will require legal assistance to develop an appropriate disposal plan, the Commission requests comment on whether small entities believe that they will incur such costs and, if so, what they will be. In addition, the Commission requests comment on the costs, if any, of training relevant employees regarding the proper disposal of consumer information, particularly for entities not subject to the Commission's Safeguards Rule.

E. Identification of Other Duplicative, Overlapping, or Conflicting Federal Rules

The FTC has not identified any other Federal statutes, rules, or policies that would conflict with the proposed Rule's requirement that covered persons take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. However, the Commission is requesting comment on the extent to which other Federal standards involving privacy or security of information may duplicate, satisfy, or inform the proposed Rule's requirements. In addition, the FTC seeks comment and information about any statutes or rules that may conflict with the proposed requirements, as well as any other State, local, or industry rules or policies that require covered entities to implement practices that comport with the requirements of the proposed Rule.

F. Discussion of Significant Alternatives

Section 216 of the FACT Act requires the Commission to issue regulations regarding the proper disposal of consumer information. The Act also requires that the regulations cover “any person who possesses or maintains” consumer report information. This broad coverage furthers the section's purpose of preventing identity theft because the risks created by improper disposal of consumer information are the same regardless of the nature of the entity disposing of the records. In addition, the standards in the proposed Rule are flexible, and take into account a covered entity's size and sophistication, as well as the costs and benefits of alternative disposal methods. Nevertheless, the FTC seeks comment on any significant alternatives, consistent with the purposes of the FACT Act, that could further minimize the Rule's impact on small entities.

In some situations, the Commission has considered adopting a delayed effective date for small entities subject to a new regulation in order to provide them with additional time to come into compliance. In this case, however, in light of the proposed Rule's flexible standard and modest compliance costs, the Commission believes that small entities should feasibly be able to come into compliance with the proposed Rule by the proposed effective date, three months following publication of the final Rule. Nonetheless, the Commission invites comment on whether small businesses might need additional time to come into compliance and, if so, why.

In addition, the Commission has the authority to exempt any persons or classes of persons from the Rule's application pursuant to section 216(a)(3) of the FACTA. As it did in the initial notice of proposed rulemaking, the Commission requests comment on whether there are any persons or classes of persons covered by the proposed Rule that it should consider exempting from the Rule's application pursuant to section 216(a)(3). However, the Commission notes that the statute's purpose of protecting consumers against identity theft could be undermined by the granting of a broad exemption to small entities.

By direction of the Commission.

Donald S. Clark,

Secretary.

[FR Doc. 04-15579 Filed 7-7-04; 8:45 am]

BILLING CODE 6750-01-P