Does your company have a policy for disposing of human resources records that contain employee social security numbers and other personal information? A recent Fair Trade Commission (FTC) enforcement action may make such policies a priority for companies in 2008.
The FTC just agreed to a settlement with American United Mortgage Company of Northbrook, Illinois. The FTC accused American United of violating the FTC’s Disposal Rule (http://www.ftc.gov/os/2004/11/041118disposalfrn.pdf), which requires companies to dispose of credit reports and credit report information in a safe and appropriate manner. According to the FTC’s Complaint, American United repeatedly disposed of intact consumer credit reports, which contained consumers’ personal information, in an unsecured dumpster near its office. The settlement, which was announced by the FTC on December 18, 2007, requires, among other things, that American Mortgage pay a $50,000 civil penalty for violations of the Disposal Rule and obtain, every two years for the next 10 years, an audit from a qualified, independent, third-party professional to ensure that its security program meets the standards of the settlement order.
The FTC’s Disposal Rule applies to consumer reports, such as background and credit check reports, obtained by employers from consumer reporting agencies. Employers can expect, however, that plaintiffs’ attorneys will urge that the Disposal Rule be adopted as the standard of care in any situation where human resources records containing personal information, such as W-2 or I-9 forms, are disposed of in a manner that leaves the information vulnerable to theft. As a result, employers should be careful to dispose of such records — whether in paper, electronic, or other form — in accordance with the Disposal Rule’s requirements. The Disposal Rule itself does not impose specific disposal requirements but, instead, contemplates a flexible scale that permits businesses to reach their own conclusions as to the best means for disposing of personal information so that it is unreadable and cannot be reconstructed.
The FTC’s announcement of this settlement can be found at http://www.ftc.gov/opa/2007/12/aumort.shtm, and the Stipulated Final Judgment can be found at http://www.ftc.gov/os/caselist/0623103/071217americanunitedmrtgstipfinal.pdf