Mar 21, 2021

The Tip of the Night for March 18, 2021, discussed how the Fair and Accurate Credit Transactions Act (FACTA) provides for the secure disposal of consumer data. In response to the obligations imposed on it by the Act, the Federal Trade Commission adopted a Disposal Rule, discussed here. See, 69 Fed. Reg. 68,690 (Nov. 24, 2004). The Rule directs organizations to evaluate the sensitivity of the information they hold and to take disposal measures whose cost is proportional to that sensitivity, also taking into consideration how technology makes the information easy both to distribute and to eliminate.


The Disposal Rule is addressed to consumer reports obtained for the purpose of checking an individual's credit, and eligibility for employment or insurance. The FTC specifies the following measures as being reasonable ones to prevent the disclosure of consumer report data:

  1. Shredding paper records.

  2. Erasing electronic files so the data cannot be reconstructed.

  3. Auditing the operations of a company tasked with data destruction.

  4. Using a data disposal company that has proper certification.

  5. Checking the security policies of the data disposal vendor.


The FTC requires a business to be proactive in confirming that agents who use consumer data the business has collected comply with this Disposal Rule. The Statement of Basis and Purpose for the Rule states that, "if a record owner transfers or otherwise provides consumer information to a service provider, the 'reasonable measures' standard will generally require a record owner to take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer information at issue; notify the service provider that such information is consumer information; and enter into a contract that requires the service provider to dispose of such information in accordance with this rule." Id. at 68,694.



Fair and Accurate Credit Transactions Act (FACTA), Pub. L. No. 108-159, 117 Stat. 1952-2012 (codified as amended at 15 U.S.C. 1601 et seq.; 15 U.S.C. § 1681 et seq. (2003)) is best known for giving American citizens the right to request a free credit report once a year. FACTA also provides for the secure disposal of consumer data, helps prevent identity theft, and places restrictions on how healthcare data can be used by the financial services industry. Note the following key provisions of FACTA:


- FACTA gives a consumer the right to have a reporting agency place an identity theft alert on their account for a 90-day period, and to disclose this alert along with requests for the consumer's credit score for 7 years.


- Sales receipts may not include more than 5 digits from a credit card number.


- Red Flags Rule: mandated that the National Credit Union Administration, the Federal Trade Commission, and other federal banking agencies adopt regulations to prevent identity theft.


- Issuers of consumer reports must respond to requests for home address corrections.


- Mortgage lenders also have to provide a borrower with a Credit Disclosure Notice that lists their credit score and the factors that contributed to that score.


- Credit reporting agencies have to provide consumers upon request with a summary (following a model prescribed by the FTC) of their rights to remedy identity theft.


- A credit reporting agency must block any information used in a credit report within 4 days of receiving proof that the information was the result of identity theft.


- Credit agencies must submit annual reports to the FTC regarding all of the identity theft and fraud alerts they process.




Article 35 of the General Data Protection Regulation requires that an impact assessment be prepared for data processing which poses a high risk to personal data. These Data Processing Impact Assessments are particularly recommended in the following situations:


1. Personal profiling which affects the legal rights of individuals.

2. Processing of data regarding criminal records.

3. Processing of data on the race, ethnicity, political beliefs, religious beliefs, health, sexual orientation, or trade union membership of individuals.

4. Large scale monitoring of a public area.


The list of processing operations covered by the assessment must be made available to the public.


The assessment has to include the following:

  1. A systematic description of processing operations.

  2. An assessment of the necessity and proportionality of the processing operations in relation to their purposes.

  3. The measures taken to safeguard the personal data.


The views of the data subjects must be solicited for the DPIA.


The DPIA must be updated when the risk to the personal data changes.


The Information Commissioner's Office of the United Kingdom has posted a sample template for a Data Processing Impact Assessment. Among other things, the template requires that a plan be prepared for how to consult relevant stakeholders, and that each type of risk the processing poses be described, indicating the likelihood of harm, the severity of harm, and the overall degree of risk. An organization's Data Protection Officer has to sign off on the assessment.





Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.
