The Federal Trade Commission issued the new rule last November in response to direction from the Fair and Accurate Credit Transactions Act of 2003 (FACTA).
FACTA amends the Fair Credit Reporting Act and directs the FTC, the Federal Reserve Board, the Securities and Exchange Commission, and other federal agencies to adopt consistent rules for the disposal of sensitive consumer report data. The goal is to reduce identity theft and other harm to consumers.
Under the new rule, businesses that maintain consumer report information must take "reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
The rule cites examples of reasonable measures, including implementing burning, pulverizing or shredding policies to ensure that data cannot be read or reconstructed; using electronic media erasure or destruction policies; and contracting with a third party to provide disposal services, provided due diligence is performed on the third party before entering the contract.
The rule defines consumer information as "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report." The definition also applies to compilations of consumer records.