Data Theft Soared in 2008; FACTA and the Duty to Dispose of Employee and Customer Data

One industry reporting record numbers for 2008? Data theft. A report released this week concluded that more than 285 million records were compromised in 2008, supposedly more than the previous four years combined. As one part of their defense against identity theft, businesses of all varieties should make sure to comply with federal Fair and Accurate Credit Transactions Act (FACTA) obligations to properly destroy certain types of consumer and employment information.

The Washington Post points out that credit card thieves have gathered so much personal data that they've driven down its price on the black market.

As Ars Technica quotes from the Verizon 2009 Data Breach Investigations Report, "[t]he best defense against data breaches is, in theory, quite simple--don't retain data. ... the next best thing is to retain only what is required for business or legal reasons, to know where it lives and flows, and to protect it diligently. The majority of breaches still occur because basic controls were not in place or because those that were present were not consistently implemented across the organization."

Part of the basic controls all businesses should have in place is FACTA compliance.

The Fair and Accurate Credit Transactions Act (FACTA) is part of our federal law regulating credit reporting. FACTA aims to protect consumers from identity theft. Beyond mandating that all merchants who accept credit cards print only the last five digits of card numbers on receipts, it obligates businesses to properly dispose of any "consumer report" used for business purposes.

Why does this affect all types of businesses? Because "consumer report" includes credit reports, background checks, insurance histories, medical histories and residential histories, amongst other types of data. Businesses routinely gather such information when deciding whether to extend credit to customers, or employment to job applicants.

What is proper disposal of these records? The FTC suggests that businesses might:

• burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
• destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
• conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
• reviewing an independent audit of a disposal company's operations and/or its compliance with the Rule;
• obtaining information about the disposal company from several references;
• requiring that the disposal company be certified by a recognized trade association; and
• reviewing and evaluating the disposal company's information security policies or procedures.
• Disposing of Consumer Report Information (FTC)
• 2009 Data Breach Investigations Report [pdf] (Verizon Business RISK Team)
• Identity thieves got data on 3,400 employees, Irving school district says (Dallas Morning News)
• Identity Theft Overview (provided by the Law Offices of Earl Carter & Associates)
• Identity Theft FAQ (FindLaw)