The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA.
The Federal Trade Commission (FTC) requires that when an employer investigates an employee's conduct on the job, including investigations of employee misconduct, the FCRA governs. The FCRA does not apply to investigations conducted by the in-house personnel. In addition, FCRA does not apply when a third-party, who is not in the business of providing such reports, does the investigation (e.g. contractors who do such investigations, but not as their principal business).
Disposal of Personally Identifiable Information (PII)
The practice known as “dumpster diving” provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Under FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal.
The Federal Trade Commission (FTC), the Federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports. The FTC lists the following as among those that must comply with the rule: ✓ Lenders ✓ Insurers ✓ Employers ✓ Landlords ✓ Government agencies ✓ Mortgage brokers ✓ Automobile dealers ✓ Attorneys and private investigators ✓ Debt collectors ✓ Individuals who obtain a credit report on prospective nannies, contractors, or tenants ✓ Entities that maintain information in consumer reports as part of their role as service providers
The definition of “reasonable measures," in reference to the FACTA Disposal Rule, specifies three possible ways to comply: ✓ Burning, pulverizing, or shredding of physical documents ✓ Erasure or destruction of all electronic media ✓ Outsourcing contract with a third-party engaged in the business of information destruction
FACTA "Red Flag" Guidelines
Updates to FACTA mandate that financial institutions and creditors must comply with the identity theft “Red Flag” provisions by November 1, 2008. The ruling issued by the Federal Trade Commission (FTC) and 5 Federal bank regulatory agencies applies specifically to Section 114 of FACTA and addresses an array of accounts, organizations, and consumers, including:
Retail and business customers
Existing and new accounts
Financial institutions and creditors
The FACTA rules and guidelines implemented in Section 114 of FACTA specify several categories of Red Flags which illustrate the types of activities that need to be identified:
Alerts, notifications or warnings from a Consumer Reporting Agency
Suspicious personal identifying information
Unusual use of, or suspicious activity related to, the covered account
Digital Security Program (DSP) - Enterprise-Class, Hybrid Framework For Cybersecurity & Privacy
The DSP is an enterprise-class solution for cybersecurity & privacy documentation consisting of thirty-three (33) domains that defines a modern,...