AGENCY:
National Credit Union Administration (NCUA).
ACTION:
Final rule.
SUMMARY:
The NCUA Board is adopting a final rule to implement section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) by amending security program regulations and NCUA's Guidelines for Safeguarding Member Information and establishing a section in new part 717. The final rule generally requires federal credit unions (FCUs) to develop, implement, and maintain appropriate measures to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft. FCUs are expected to implement these measures consistent with the provisions in NCUA's Guidelines for Safeguarding Member Information.
DATES:
Effective December 29, 2004.
FOR FURTHER INFORMATION CONTACT:
Chrisanthy J. Loizos, Staff Attorney, Office of General Counsel, National Credit Union Administration, (703) 518-6540.
SUPPLEMENTARY INFORMATION:
I. Introduction
Section 216 of the FACT Act adds a new section 628 to the Fair Credit Reporting Act (FCRA) that, in general, is designed to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report, such as fraud and identity theft. 15 U.S.C. 1681w. Section 216 of the FACT Act requires NCUA to adopt a rule requiring any FCU “that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation.” Pub. L. 108-159, 117 Stat. 1985-86. The FACT Act mandates that the rule be consistent with the requirements issued pursuant to the Gramm-Leach-Bliley Act (GLBA) (Pub. L. 106-102), as well as other provisions of Federal law. The FACT Act also requires NCUA to consult and coordinate with the Office of the Comptroller of the Currency (OCC), Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), Federal Trade Commission (FTC), and Securities and Exchange Commission (collectively, the Agencies) so that, to the extent possible, NCUA's rule is consistent and comparable with the regulations issued by each of the other agencies.
II. Background
In 2001, NCUA amended the security program rule to establish standards for federally insured credit unions (FICUs) relating to administrative, technical, and physical safeguards to protect the security and confidentiality of member records and information, pursuant to section 501 of GLBA. 15 U.S.C. 6805(b). NCUA worked with the Agencies and state insurance authorities to develop appropriate standards. 66 FR 8152 (Jan. 30, 2001). The Federal banking agencies issued their standards as guidelines under section 39 of the Federal Deposit Insurance Act. 12 U.S.C. 1831p. NCUA determined it could best meet the congressional directive to prescribe standards by amending the rule governing security programs and by providing guidance in an appendix to the rule. 12 CFR part 748, appendix A; 66 FR 8152 (Jan. 30, 2001).
12 CFR parts 30, app. B; 208, app. D-2 and 225, app. F; 364, app. B; 570, app. B. See 66 FR 8616 (Feb. 1, 2001).
Section 748.0 requires an FICU to develop a security program that implements safeguards designed to: (1) Ensure the security and confidentiality of member records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to a member. 12 CFR 748.0(b)(2).
Appendix A to part 748 sets forth NCUA's Guidelines for Safeguarding Member Information (Guidelines), which are substantially identical to the guidelines issued by the Agencies. 66 FR 8152 (Jan. 30, 2001). The Guidelines “are intended to outline industry best practices and assist credit unions to develop meaningful and effective security programs to ensure their compliance with the safeguards contained in the regulation.” Id.
The Guidelines direct FICUs to assess the risks to their member information and member information systems and, in turn, implement appropriate security measures to control those risks. 12 CFR part 748, appendix A. For example, under the risk-assessment framework, FICUs should evaluate whether the controls the FICU has developed sufficiently protect its member information from unauthorized access, misuse, or alteration when the FICU disposes of the information. “[A] credit union's responsibility to safeguard member information continues through the disposal process.” 66 FR 8152, 8155.
On May 28, 2004, the NCUA Board published a proposal to add a section to the new fair credit reporting rule and amend the security program rule and Guidelines for Safeguarding Member Information (Guidelines) to require FCUs to implement controls designed to ensure the proper disposal of consumer information within the meaning of section 216. 69 FR 30601 (May 28, 2004). NCUA's proposed regulation and the preamble were substantively similar to a joint notice of proposed rulemaking issued by the FRB, OCC, FDIC and OTS (the Federal banking agencies). 69 FR 31913 (June 8, 2004).
In the proposal, NCUA noted that section 216 of the FACT Act requires NCUA to issue final regulations for entities under its enforcement authority under section 621 of the FCRA. Unlike the current provisions in the security program rule, which apply to all FICUs, the requirements in NCUA's final rule apply solely to FCUs. See 15 U.S.C. 1681s(b)(3). Federally insured state-chartered credit unions are subject to the enforcement jurisdiction of the FTC for purposes of the FCRA. See 15 U.S.C. 1681s(a). State charters, therefore, should refer to the final rule issued by the FTC regarding the proper disposal of consumer information under section 216.
III. Summary of Comments
NCUA received fourteen comment letters: One from a corporate credit union; four from natural person credit unions; five from credit union trades or leagues; one from a consumer; two from financial services trade organizations; and a joint letter from seven consumer rights organizations. The Agencies also received numerous letters from financial institutions, industry trade organizations, consumer advocacy groups, consumers, and trade associations from the information destruction industry. NCUA and the Agencies considered the comments and suggestions submitted.
Of the letters received by NCUA, twelve commenters generally supported the proposed regulation requiring FCUs to properly dispose of consumer information. One commenter stated that the proposal balanced the concerns of consumers and the industry by providing reasonable protections from identity theft and the unintended disclosure of consumer information while giving FCUs sufficient latitude for the disposal of consumer information. One comment letter, submitted on behalf of seven consumer groups, found the proposed rule weak and inadequate to meet Congress' intended purpose of preventing identity theft and other fraud.
IV. Analysis of Final Rule
Section-by-Section Overview
Section 717.83—Disposal of Consumer Information
As set forth in the proposal, NCUA is establishing a new part 717 to house its fair credit reporting rules and adds a subpart setting forth the duties of users of consumer reports regarding identity theft. To implement section 216, NCUA is adding § 717.83 to require FCUs to develop and maintain, as part of their information security programs, appropriate controls designed to ensure that they properly dispose of consumer information. The final rule retains the statute's rule of construction as proposed stating that this requirement does not impose any requirements to maintain or destroy consumer records beyond those imposed by any other law. The final rule also does not affect any requirement to maintain or destroy consumer records imposed under any other provision of law.
The only revisions to § 717.83 from the proposed rule incorporate examples of appropriate measures to properly dispose of consumer information and clarify “consumer information” in its definition and through examples. These additions required a renumbering of the section and are discussed in further detail below.
The final rule also includes a general definitions section, § 717.3, to define the terms “you” and “consumer.” Although these definitions were not included in the proposed disposal rule, they were published in another FACT Act proposal. The final rule refers to FCUs using the plain language term “you” because section 216 requires NCUA to adopt a final disposal rule for FCUs. The final rule also uses the term “consumer.” Paragraph (e) of § 717.3 defines the term “consumer” to mean an individual, which follows the statutory definition in section 603(c) of the FCRA. 15 U.S.C. 1681a(c). NCUA will add more definitions to § 717.3 as the agency adopts other rules to implement provisions of the FCRA.
On April 8, 2004, NCUA issued its first proposal to add a new part 717, implementing section 411 of the FACT Act. See 69 FR 23380 (Apr. 28, 2004). This final disposal rule, however, will be the first section to establish the new part 717.
Section 748.0—Security Program
The final rule retains § 748.0(c) as proposed. Paragraph (c) cross references the section 216 requirement in § 717.83, for ease of reference when FCUs adopt or modify their information security programs.
Guidelines for Safeguarding Member Information
The final rule amends the Guidelines to specifically address the disposal of consumer information by: (1) Defining “consumer information” as defined in § 717.83; (2) adding an objective regarding the proper disposal of member information and consumer information; and (3) providing that an FCU should implement appropriate measures to properly dispose of member information and consumer information. NCUA discusses the final rule's slight variations from the proposal below.
The changes to the Guidelines are intended to provide guidance to FCUs for compliance with § 717.83. As noted above, the requirements of this final rule only apply to FCUs, while federally insured state-chartered credit unions are subject to the jurisdiction of the FTC on this matter. NCUA believes, however, that federally insured state charters may find this guidance helpful in adopting meaningful and effective security programs that deal with the disposal of consumer information.
In accordance with section 216, NCUA has consulted with the Agencies to ensure that, to the extent possible, the final rules issued by the respective agencies to implement section 216 are consistent and comparable.
Proper Disposal of Consumer Information and Member Information
Consumer Information
Proposed § 717.83(c)(1) defined “consumer information” to mean “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose.” “Consumer information” was also defined to mean “a compilation of such records.”
Commenters generally supported NCUA's proposed definition of this term, but argued that NCUA should include statements or illustrations to clarify the nature and scope of “consumer information.” Several commenters found the proposed phrase “about an individual” to be ambiguous and urged NCUA to adopt a definition expressly stating that “consumer information” only includes information that identifies a particular individual.
Similarly, some commenters supported NCUA's explanation in the proposal that “consumer information” does not include information derived from a consumer report that does not identify any particular consumer, such as the mean credit score derived from a group of consumer reports. These commenters suggested that NCUA include this example or similar examples in the definition.
In § 717.83(d)(1), the final rule defines “consumer information” as proposed but modifies the term to expressly exclude from the definition “any record that does not identify an individual.” NCUA believes that qualifying the term “consumer information” to cover only personally identifiable information appropriately focuses on the information derived from a consumer report that, if improperly disposed, could be used to commit fraud or identity theft against a consumer. NCUA believes that limiting this definition to information that identifies a consumer is consistent with the current law relating to the scope of the term “consumer report” under the FCRA and the purposes of section 216 of the FACT Act.
Under the final rule, an FCU must implement measures to properly dispose of consumer information that identifies a consumer, such as the consumer's name and the credit score derived from a consumer report. This requirement, however, does not apply to aggregate information, such as the mean credit score that is derived from a group of consumer reports, or blind data, such as a series of credit scores that do not identify the subjects of consumer reports from which those scores are derived. The final rule includes examples of records that illustrate this aspect, but it does not rigidly define the nature and scope of personally identifiable information. These examples are found in § 717.83(d)(1)(i). NCUA notes that there are a variety of types of information apart from an individual's name, account number, or address that, depending on the circumstances or when used in combination, could identify the individual.
As discussed in the proposal, NCUA notes that the scope of information covered by the terms “consumer information” and “member information” will sometimes overlap, but will not always coincide. The definition of “consumer information” is drawn from the term “consumer” in section 603(c) of the FCRA, which defines a “consumer” as an individual. 15 U.S.C. 1681a(c). By contrast, “member information” under the Guidelines, only covers nonpublic personal information about a “member,” as defined in § 716.3(n), namely, an individual who obtains a financial product or service to be used primarily for personal, family, or household purposes and who has a continuing relationship with the FCU.
The relationship between consumer information and member information can be illustrated through the following examples. Payment history information from a consumer report about an individual, who is an FCU's member, will be both consumer information because it comes from a consumer report and member information because it is nonpublic personal information about a member. In some circumstances, member information will be broader than consumer information. For instance, information that an FCU maintains about its member's transactions with the FCU would be only member information because it does not come from a consumer report. In other circumstances, consumer information will be broader than member information. Consumer information would include information from a consumer report that an FCU obtains about an individual who guarantees a loan for a business entity or who has applied for employment with the FCU. In these instances, the consumer reports would not be member information because the information would not be about a “member” within the meaning of the Guidelines but would be consumer information.
NCUA believes the phrase “derived from consumer reports” covers all of the information about a consumer that is taken from a consumer report, including information that results in whole or in part from manipulation of information from a consumer report or information from a consumer report that has been combined with other types of information. Consequently, an FCU that possesses any of this information must properly dispose of it. For example, any record about a consumer derived from a consumer report, such as the consumer's name and credit score, that is shared between an FCU and its credit union service organization (CUSO) affiliate must be disposed of properly by each affiliate that possesses that information. Similarly, a consumer report that is shared among affiliates after the consumer has been given a notice and has elected not to opt out of that sharing, and therefore is no longer a “consumer report” under section 603(d)(2)(A)(iii) of the FCRA, would still be consumer information. Accordingly, an affiliate that receives consumer information under these circumstances must properly dispose of the information. NCUA notes that a CUSO affiliate subject to the jurisdiction of the FTC must properly dispose of consumer information in accordance with the FTC's final rule.
The proposed definition of consumer information included the qualification “for a business purpose,” as set forth in section 216. NCUA believes that this phrase encompasses any commercial purpose for which an FCU might maintain or possess consumer information. Commenters did not raise concerns about this interpretation.
Proper Disposal
In the proposed rule, NCUA requested comment on the standard for proper disposal. Of the comment letters received by NCUA, five commenters thought that the concept was clear and sufficiently explained the nature and scope of an FCU's responsibilities under the rule, but two of those commenters welcomed additional clarification through guidance or examples. Four commenters believed “proper disposal” was not clear in the proposed rule and asked for either a definition or examples in the regulatory text like those used in the FTC's proposed rule. 69 FR 21388 (April 20, 2004). Some of these commenters stated that the rule should adopt a clear standard that requires FCUs to render paper and electronic data unreadable and incapable of being reconstructed. They also asked that the rule provide examples of proper disposal techniques consistent with the FTC's proposed regulatory text.
NCUA believes that there is no need to adopt a definition of the term “disposal” because, in the context of the duty imposed under section 216, the ordinary meaning of that term applies. The final rule, however, includes examples of appropriate measures to properly dispose of consumer information as requested by the commenters in renumbered paragraph (b) of § 717.83. NCUA believes these examples will be helpful as illustrative guidance for compliance with the rule.
NCUA notes that any sale, lease, or other transfer of any medium containing consumer information constitutes disposal of the information insofar as the information itself is not the subject of the sale, lease or other transfer between the parties. By contrast, the sale, lease, or other transfer of consumer information from an FCU to another party can be distinguished from the act of throwing out or getting rid of consumer information, and accordingly, does not constitute disposal subject to NCUA's rule.
New Objective for an Information Security Program
NCUA proposed to add a new objective regarding the proper disposal of consumer information in paragraph II.B. of the Guidelines. A few commenters expressed objections to this aspect of the proposal primarily as it relates to service providers.
The final rule slightly revises the proposal to add a new objective in the Guidelines providing that an FCU should design its information security program to “[e]nsure the proper disposal of member information and consumer information.” With this revision from the proposal, NCUA omitted the proposed provision stating that an FCU should ensure proper disposal of consumer information “in a manner consistent with the disposal of member information.” By making this change and adding the reference to “member information” in paragraph II.B., the Guidelines more clearly and fully state an FCU's information security objectives with respect to disposing of information. As noted in the proposal, a credit union should properly dispose of member information as part of designing and maintaining its information security program under the Guidelines. The inclusion of “member information” in the objective, therefore, does not establish a new objective in the Guidelines.
NCUA continues to believe that including this additional objective in paragraph II.B. of the Guidelines is important because section 216's disposal requirement applies to an FCU's consumer information maintained or otherwise in the possession of the FCU's service providers. NCUA notes that, under current paragraph III.D.2., an FCU is expected to “[r]equire its service providers by contract to implement appropriate measures designed to meet the objectives” of the Guidelines.
By expressly incorporating a provision in paragraph II.B. of the Guidelines, FCUs should contractually require service providers to develop appropriate measures for the proper disposal of consumer information and, where warranted, monitor service providers to confirm that they have satisfied their contractual obligations. As some commenters observed, the particular contractual arrangement that an FCU may negotiate with a service provider may take varied forms or use general terms. As a result, some credit unions already may have existing contracts that are sufficiently broad to cover the proper disposal of member information and consumer information, and therefore they would not have to be amended. NCUA continues to believe that the parties should have substantial latitude in negotiating the contractual terms appropriate to their arrangement in any manner that satisfies the objectives of the Guidelines. NCUA, therefore, has not prescribed any particular standards that relate to these service provider contracts.
The final rule also amends paragraph III.G.4. of the Guidelines to allow an FCU a reasonable period of time, after the final rule is issued, to amend its contracts with its service providers to incorporate the necessary requirements in connection with the proper disposal of consumer information. After reviewing the varying comments on this provision of the proposal, NCUA has determined that FCUs should modify contracts that will be affected by the final rule's requirements, if necessary, no later than July 1, 2006.
New Provision To Implement Measures to Properly Dispose of Consumer Information
NCUA has amended paragraph III.C. of the Guidelines by adding a new provision stating that an FCU, as part of its information security program, should develop, implement, and maintain, appropriate measures to properly dispose of consumer information and member information. Like the proposal, this new provision also provides that FCUs should implement these measures “in accordance with the provisions in paragraph III.” of the Guidelines.
Paragraph III. of the Guidelines presently states that an FCU should undertake measures to design, implement, and maintain its information security program to protect member information and member information systems. Because “member information systems” is defined to include any methods used to dispose of member information, an FCU presently must use risk-based measures to protect member information. Building on this provision in the Guidelines, NCUA proposed a provision in paragraph III.C.4. stating that FCUs should develop controls “in a manner consistent with the disposal of member information.” Commenters generally supported this provision because FCUs could develop and implement risk-based protections, rather than be subject to a prescriptive standard that required them to adopt particular methods for disposing of consumer information.
In the final rule, NCUA has revised the proposed provision in paragraph III.C.4. by omitting “in a manner consistent with the disposal of member information.” In its place, the Guidelines now provide a more direct and general statement that FCUs should develop and maintain risk-based measures to properly dispose of consumer information and member information. Under this final amendment to the Guidelines, an FCU is expected to properly dispose of both classes of information, which is consistent with the Guidelines and the FACT Act.
An FCU should broaden the scope of its risk assessment to include an assessment of the reasonably foreseeable internal and external threats associated with the methods it uses to dispose of consumer information, and adjust its risk assessment in light of the relevant changes relating to such threats. By expressly referencing the disposal requirement in § 748.0(c) and the Guidelines, NCUA expects FCUs to integrate into their information security programs the risk-based measures in paragraph III of the Guidelines for the disposal of consumer information.
After reviewing the comments, NCUA continues to believe that it is not necessary to propose a prescriptive rule describing proper methods of disposal.
Nonetheless, consistent with interagency guidance previously issued through the Federal Financial Institutions Examination Council (FFIEC), NCUA expects FCUs to have appropriate disposal procedures for records maintained in paper-based or electronic form. In addition, as noted above, the final rule includes illustrative examples of appropriate measures to properly dispose of consumer information in § 717.83(b). An FCU's information security program should ensure that paper records containing either member or consumer information are rendered unreadable, as indicated by the FCU's risk assessment, such as by shredding or any other means. FCUs also should recognize that computer-based records present unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, FCUs should apply additional disposal techniques to sensitive electronic data.
See FFIEC Information Security Booklet, page 63 at: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf.
See footnote 3, supra.
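The remanence point above (data that stays readable on media after an ordinary delete) is why the rule's electronic-media example asks for erasure that leaves the information unable to be read or reconstructed. The following Python script is an added illustration, not part of the rule or of NCUA or FFIEC guidance: it overwrites a file's contents in place before unlinking it, verifies that the original record is no longer readable from the file, and returns the outcome as an audit record. The sample record, file name and pass count are constructed for this example. The comments name the cases an in-place overwrite does not cover (journaling or copy-on-write file systems, SSD wear levelling, backups and copies), which is why overwriting is one control within a risk-based disposal program rather than a complete answer.

```python
import os
import tempfile

# Constructed sample record: a consumer's name plus a credit score taken from
# a consumer report, i.e. "consumer information" under sec. 717.83(d)(1).
SAMPLE_RECORD = b"Jane Q. Consumer, credit score 712, report dated 2004-11-01\n"


def overwrite_file(path, passes=3):
    """Overwrite every byte of `path` in place, `passes` times.

    Each pass writes fresh random bytes over the whole file, then flushes and
    fsync()s so the data reaches the storage layer instead of staying in the
    OS page cache. Returns the number of bytes overwritten per pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(65536, remaining))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    return size


def residue_remains(path, original):
    """Return True if `original` (or a recognisable 16-byte fragment of it)
    can still be read from the file. Partial remnants are still a disclosure
    risk, so the fragment check matters as much as the full-record check."""
    with open(path, "rb") as fh:
        data = fh.read()
    fragment = original[:16]
    return original in data or fragment in data


def dispose_electronic_record(path, original, passes=3):
    """Overwrite, verify, then unlink; return an audit dict.

    Caveats: on journaling or copy-on-write file systems and on SSDs with
    wear levelling, earlier copies of the blocks may survive an in-place
    overwrite, and backups or temporary copies are not touched at all.
    Full-disk encryption with key destruction, or physical destruction of
    the media, are the usual answers for those cases; this function is
    one control in a risk-based program, not the whole program.
    """
    before = residue_remains(path, original)
    bytes_written = overwrite_file(path, passes)
    after = residue_remains(path, original)
    os.remove(path)
    return {
        "path": path,
        "passes": passes,
        "bytes_per_pass": bytes_written,
        "readable_before_overwrite": before,
        "readable_after_overwrite": after,
        "unlinked": not os.path.exists(path),
    }


def demo(passes=3):
    """Write the constructed record to a temporary file and dispose of it."""
    fd, path = tempfile.mkstemp(prefix="disposal_demo_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    return dispose_electronic_record(path, SAMPLE_RECORD, passes)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the audit dictionary for one constructed record; in a real program the same dictionary would be logged per disposal so that an examiner can see that the control ran and what it verified.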
Compliance
The final rule requires FCUs to implement the appropriate measures to properly dispose of consumer information by July 1, 2005. NCUA believes that any changes to an FCU's existing information security program likely will be minimal because many of the measures that an FCU already uses to dispose of member information can be adapted to properly dispose of consumer information. Several commenters agreed with NCUA's assessment and noted that they already have appropriate disposal policies in place. Nevertheless, a comment on behalf of small credit unions and a few comments to the Federal banking agencies noted the proposed period for compliance would be relatively short in light of the work required to amend policies and locate and track consumer information in an institution's existing information system. Accordingly, NCUA has determined that the final rule should afford FCUs a six-month period to adjust their systems and controls.
V. Regulatory Procedures
Regulatory Flexibility Act
The Regulatory Flexibility Act requires NCUA to prepare an analysis to describe any significant economic impact any proposed regulation may have on a substantial number of small entities (those under $10 million in assets). The NCUA Board has determined and certifies that the final rule will not have a significant economic impact on a substantial number of small credit unions. Accordingly, a regulatory flexibility analysis is not required.
The rule requires an FCU to implement appropriate controls designed to ensure the proper disposal of consumer information. An FCU must develop and maintain these controls as part of implementing its existing information security program as required by § 748.0.
Any modifications to an FCU's information security program needed to address the proper disposal of consumer information could be incorporated through the process the FCU presently uses to adjust its program under paragraph III.E. of the Guidelines, particularly because of the similarities between the consumer and member information and the measures commonly used to properly dispose of both types of information. To the extent the rule imposes new requirements for certain types of consumer information, developing appropriate measures to properly dispose of that information likely would require only a minor modification of an FCU's existing information security program.
Because some consumer information will be member information and because segregating particular records for special treatment may entail considerable costs, NCUA believes that many FCUs, including small entities, already are likely to have implemented measures to properly dispose of both member and consumer information. In addition, NCUA and the Federal banking agencies, through the Federal Financial Institutions Examination Council (FFIEC), already have issued guidance regarding their expectations concerning the proper disposal of all of an institution's paper and electronic records. See FFIEC Information Security Booklet, December 2002, p. 63. Therefore, the rule does not require any significant changes for FCUs that currently have procedures and systems designed to comply with this guidance.
See footnote 3, supra.
NCUA anticipates that, in light of current practices relating to the disposal of information in accordance with § 748.0, the Guidelines, and the guidance issued by the FFIEC, the final rule would not impose undue costs on FCUs. NCUA believes that the controls that small FCUs would need to develop and implement, if any, to comply with the rule likely pose a minimal economic impact on those entities.
Paperwork Reduction Act
NCUA has determined that the final rule does not increase paperwork requirements under the Paperwork Reduction Act of 1995 and regulations of the Office of Management and Budget.
Executive Order 13132
Executive Order 13132 encourages independent regulatory agencies to consider the impact of their regulatory actions on State and local interests. In adherence to fundamental federalism principles, NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5), voluntarily complies with the executive order. This final rule will not have substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government. NCUA has determined that the final rule does not constitute a policy that has federalism implications for purposes of the executive order.
Small Business Regulatory Enforcement Fairness Act
The Small Business Regulatory Enforcement Fairness Act of 1996 (Pub. L. 104-121) provides generally for congressional review of agency rules. A reporting requirement is triggered in instances where NCUA issues a final rule as defined by section 551 of the Administrative Procedures Act. 5 U.S.C. 551. The Office of Management and Budget (OMB) has determined that this rule is not a major rule for the purposes of the Small Business Regulatory Enforcement Fairness Act of 1996.
The Treasury and General Government Appropriations Act, 1999—Assessment of Federal Regulations and Policies on Families
NCUA has determined that this rule will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998).
List of Subjects
12 CFR Part 717
- Consumer protection
- Credit unions
- Information
- Privacy
- Reporting and recordkeeping requirements
12 CFR Part 748
- Credit unions
- Crime
- Currency
- Reporting and recordkeeping requirements
- Security measures
By the National Credit Union Administration Board on November 18, 2004.
Mary F. Rupp,
Secretary of the Board.
For the reasons stated in the preamble, NCUA amends 12 CFR chapter VII as set forth below:
1. Part 717 is added to read as follows:
PART 717—FAIR CREDIT REPORTING
- Subpart A—General Provisions
- 717.1-717.2 [Reserved]
- 717.3 Definitions.
- Subparts B-H [Reserved]
- Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft
- 717.80-717.82 [Reserved]
- 717.83 Disposal of consumer information.
Authority: 15 U.S.C. 1681a, 1681s, 1681w, 6801 and 6805(b).
Subpart A—General Provisions
§ 717.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) [Reserved]
(b) [Reserved]
(c) [Reserved]
(d) [Reserved]
(e) Consumer means an individual.
(f) [Reserved]
(g) [Reserved]
(h) [Reserved]
(i) [Reserved]
(j) [Reserved]
(k) [Reserved]
(l) [Reserved]
(m) [Reserved]
(n) [Reserved]
(o) You means a Federal credit union.
Subparts B-H [Reserved]
Subpart I—Duties of Users of Consumer Reports Regarding Identity Theft
§ 717.83 Disposal of consumer information.
(a) In general. You must properly dispose of any consumer information that you maintain or otherwise possess in a manner consistent with the Guidelines for Safeguarding Member Information, in appendix A to part 748 of this chapter.
(b) Examples. Appropriate measures to properly dispose of consumer information include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with this section.
(1) Burning, pulverizing, or shredding papers containing consumer information so that the information cannot practicably be read or reconstructed.
(2) Destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
(c) Rule of construction. This section does not:
(1) Require you to maintain or destroy any record pertaining to a consumer that is not imposed under any other law; or
(2) Alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.
(d) Definitions. As used in this section:
(1) Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.
(i) Consumer information includes:
(A) A consumer report that you obtain;
(B) Information from a consumer report that you obtain from your affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;
(C) Information from a consumer report that you obtain about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;
(D) Information from a consumer report that you obtain about an individual who guarantees a loan (including a loan to a business entity); or
(E) Information from a consumer report that you obtain about an employee or prospective employee.
(ii) Consumer information does not include:
(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or
(B) Blind data, such as payment history on accounts that are not personally identifiable, that you use for developing credit scoring models or for other purposes.
(2) Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer report is broad and subject to various definitions, conditions and exceptions in the Fair Credit Reporting Act. It includes written or oral communications from a consumer reporting agency to a third party of information used or collected for use in establishing eligibility for credit or insurance used primarily for personal, family or household purposes, and eligibility for employment purposes. Examples include credit reports, bad check lists, and tenant screening reports.
PART 748—SECURITY PROGRAM, REPORT OF CRIME AND CATASTROPHIC ACT AND BANK SECRECY ACT COMPLIANCE
2. The authority citation for part 748 is revised to read as follows:
Authority: 12 U.S.C. 1766(a), 1786(q); 15 U.S.C. 1681s, 1681w, 6801, and 6805(b); 31 U.S.C. 5311 and 5318.
3. Amend § 748.0 by adding paragraph (c) to read as follows:
(c) Each Federal credit union, as part of its information security program, must properly dispose of any consumer information the Federal credit union maintains or otherwise possesses, as required under § 717.83 of this chapter.
4. Amend appendix A to part 748 as follows:
a. Add the following sentence at the end of paragraph I.: “These Guidelines also address standards with respect to the proper disposal of consumer information pursuant to sections 621(b) and 628 of the Fair Credit Reporting Act (15 U.S.C. 1681s(b) and 1681w).”;
b. Add the following sentence at the end of paragraph I.A.: “These Guidelines also apply to the proper disposal of consumer information by such entities.”;
c. Redesignate paragraphs I.B.2.a. through d. as I.B.2.c. through f.;
d. Add new paragraphs I.B.2.a. and b., III.C.4., and III.G.3. and III.G.4. to read as set forth below; and
e. Amend paragraph II.B. by removing the word “and” after the word “information;” and adding the following phrase after the word “member” at the end of the sentence: “; and ensure the proper disposal of member information and consumer information”.
Appendix A to Part 748—Guidelines for Safeguarding Member Information
I. * * *
B. * * *
2. * * *
a. Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the credit union for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.
b. Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. 1681a(d). The meaning of consumer report is broad and subject to various definitions, conditions and exceptions in the Fair Credit Reporting Act. It includes written or oral communications from a consumer reporting agency to a third party of information used or collected for use in establishing eligibility for credit or insurance used primarily for personal, family or household purposes, and eligibility for employment purposes. Examples include credit reports, bad check lists, and tenant screening reports.
III. * * *
C. * * *
4. Develop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of member information and consumer information in accordance with the provisions in paragraph III.
G. * * *
3. Effective date for measures relating to the disposal of consumer information. Each Federal credit union must properly dispose of consumer information in a manner consistent with these Guidelines by July 1, 2005.
4. Exception for existing agreements with service providers relating to the disposal of consumer information. Notwithstanding the requirement in paragraph III.G.3., a Federal credit union's existing contracts with its service providers with regard to any service involving the disposal of consumer information should implement the objectives of these Guidelines by July 1, 2006.
[FR Doc. 04-25995 Filed 11-26-04; 8:45 am]
BILLING CODE 7535-01-P