While investigating a story for a Boston newspaper in April, a reporter stumbled across a dumpster on the street full of financial records outside a Bank of America branch. The records included the names, financial statements, account numbers and social security numbers of hundreds of the bank's customers. While it's surprising a respected financial institution could be so lackadaisical with sensitive information–especially in a time when the threat of identity theft is on the rise–Bank of America isn't alone. Citibank, MasterCard and Ameritrade have all recently come under attack for being careless with confidential customer and employee information.

Finally, someone has decided to do something about it.

In June the FTC implemented the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rules as part of an amendment to the Fair Credit Reporting Act (FCRA). These new rules require companies to “properly dispose” of any information they obtain on consumers or employees. That information includes everything from addresses and driver's license numbers to credit report information and criminal background checks.

“Five or 10 years ago, when a company obtained personal information on employees, it owned that information and could dispose of it however it saw fit,” says Charlene Brownlee, senior counsel and records management specialist at Fulbright & Jaworski in Austin, Texas. “But that changed over the years through privacy legislation.”

If companies fail to comply with these rules, they may be hit with substantial fines or worse.

“Companies would face thousands of dollars in fines for each record improperly disposed of, as well as possible lawsuits from anyone negatively affected by a company's negligent failure to comply with the rules,” says Lawrence McGoldrick, a partner in Fisher & Phillips' labor and employment practice.

Trash Talk

The new rules only apply to individuals or companies that maintain or possess consumer information for a business purpose. But because companies routinely obtain personal information when hiring employees, virtually every business must comply with the new regulations.

“Any organization, be it large or small, that uses consumer information in making employment decisions or in the context of its employment administration is going to be affected by this rule,” says Jonathon Stoler, a partner in the employment and labor practice at Kelley Drye in New York.

Consumer information includes all records about a person, whether on paper or stored electronically. Companies are also responsible for proper destruction of consumer credit reports, which they often obtain before hiring new employees.

“You are talking about anything that is a personal identifier,” Stoler says. “That includes phone numbers, physical addresses and e-mail addresses.” He says the rules also cover any document employers prepare internally that summarizes the information contained in background checks and credit reports.

Although the FACTA Disposal Rules provide no guidance on when companies should discard consumer information (there are various regulations governing the timing of disposal depending on the type of information companies obtain and for what purposes), businesses must “properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” The rules stop short of defining “reasonable measures,” but do provide examples of appropriate disposal methods.

According to the rules, proper disposal of consumer information may include burning, pulverizing and shredding papers, as well as destroying or erasing electronic media containing consumer information so that it can't be read or reconstructed.

“But these are only examples,” McGoldrick explains. “The law says this is a minimum, but it may not be all you have to do.”

Some experts believe the FTC purposely kept the language broad by using terms such as “properly dispose” and “reasonable measures” to allow the law to evolve with technology.

“For example, 10 years ago many companies kept all of their confidential information on microfilm, and we would have to know how to properly dispose of those records,” Brownlee says. “But today companies use floppy discs and CDs to store information. The disposal methods today are different from those of microfilm, and the law was written to allow for that.”

In addition to providing examples of proper disposal methods, the rules also suggest companies implement specific policies for disposing of the information.

Put It In Writing

“It's critical that companies come up with internal practices and procedures that outline how to appropriately dispose of this type of information,” Stoler says. “For some companies it may be as simple as going out and buying a shredder. For others, however, the responsibility may be much greater.”

Experts say disposal policies are dependent upon business size. The first thing any company should do is review its records-retention policy.

“First, determine which records you need to keep and for how long,” Stoler explains. “Anything you don't need to keep should be disposed of as soon as possible.”

While this system may work well for a small company that can regularly shred documents, McGoldrick believes larger companies may be better off using a third-party service that specializes in disposing of confidential information.

“If a company decides to hire a professional disposal service, however, the rules mandate it must perform due diligence in selecting that service,” he explains. “Review an audit that has been prepared about the company or get references from others who have used the service.”

Integrating the rules into the company culture is also essential to maintaining an effective policy. Brownlee suggests companies make sure their employees understand that putting a document in the recycling bin isn't the same as shredding it.

“This sounds simple,” she says, “but it's surprising how many employees don't understand the difference. And that's where companies run into trouble.”

Brownlee suggests HR departments provide locked bins for employees to discard confidential information–whether it's paper, floppy discs or CDs. They should then maintain a regular schedule for destroying the contents of those bins.

Finally, the experts agree it's important–although not required by statute–to assign one person the task of ensuring the company complies with the disposal rules. The custodian of the policy should know who receives sensitive information, what documents should be disposed of and when, and how to dispose of the information. That person also would be responsible for educating staff members on properly handling confidential documents and regularly auditing the policy to ensure the company is in compliance.

If a company fails to comply, the consequences could be serious.

Breaking The Rules

Because the new rules don't outline specific penalties, violations of these rules are subject to the existing penalties for FCRA violations.

“These are not easy penalties,” Brownlee says. “It's not like a company is just going to get a slap on the wrist.”

Under the FCRA, any person harmed because a company willfully didn't comply with the rules can sue for actual damages not to exceed $1,000, punitive damages, costs and attorneys' fees. If a business negligently failed to comply, the employee may recover any actual damages, attorneys' fees and costs. And courts may authorize class actions if large numbers of employees are affected by a company's actions.

Furthermore, the FTC could bring a criminal action against a business. In that case, company executives could face up to two years in prison and a $2,500 fine per violation.

But a simple tweak to an existing plan could be all it takes to keep a company out of trouble. Most companies already have records-retention programs in place, and experts say these rules are an important add-on to those policies.

“It's not like companies are scrambling to get in compliance with these new rules,” Brownlee says. “But, like identity theft, they are here to stay. And it's important companies update their existing policies and abide by the rules. Not complying could be a very costly mistake.”

As for Bank of America, the company continues to investigate the incident at the Boston branch, but maintains its policy is to shred any documents containing confidential information.