EMPLOYMENT LAW BULLETIN
Vol. 05, No. 10
Courtesy of ESKRIDGE LAW

Does your company properly dispose of old employment records?

In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, a new federal rule requires businesses to take appropriate measures to dispose of sensitive information derived from consumer reports. Under the Records Disposal Rule of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which became effective on June 1, 2005, businesses may be liable to employees for failure to protect their personal information from unauthorized access.

Who does the Disposal Rule apply to?

The Disposal Rule affects any business or individual who uses, maintains, or otherwise possesses consumer information for a business purpose, such as evaluating an individual for employment, promotion, reassignment, or retention as an employee.

What information is covered by the Disposal Rule?

The Disposal Rule applies to consumer reports or information derived from consumer reports. A consumer report includes any information provided by a consumer reporting agency bearing on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. The rule does not apply to records that do not identify individuals, such as aggregate information or blind data.

What are proper disposal measures?

The Disposal Rule requires that businesses take steps that are reasonable and appropriate to prevent unauthorized access to sensitive information. The standard for proper disposal of consumer information is a flexible one, which takes into account the sensitivity of the information, nature and size of the company, costs and benefits of different disposal methods, and changes in technology.

Ways to protect your company

• Establish security policies and procedures for the maintenance and destruction of sensitive information and monitor compliance.
• Educate and train employees regularly on security policies and proper disposal procedures.
• Destroy or erase paper and electronic records so that the information cannot practicably be read or reconstructed. Some methods recommended by the FTC include burning, shredding, or pulverizing paper records, and overwriting or physically destroying computer-readable media.
• Destroy unneeded reports when you no longer have a legitimate business reason for keeping them.
• Establish a purge date for every file and destroy the reports routinely.
• Use alternate identifiers, other than social security numbers to keep track of employees.
• Secure records by restricting physical access and having a dedicated HR printer and fax machine.
• Conduct background checks on any employee who has access to HR records.
• Use care when selecting outside companies for record destruction contracts by reviewing an independent audit of the company’s compliance with the rule, obtaining reliable references, requiring that the company be certified by a recognized trade association, and reviewing the company’s security policies and procedures.

ESKRIDGE LAW may be contacted by phone (310/303-3951), by fax (310/303-3952), or by e-mail (geskridge@eskridgelaw.net). Please visit our website at www.eskridgelaw.net or www.employmentattorneys.net.

	AREAS OF PRACTICE | ABOUT OUR FIRM | PROFILES
	MEDIATION | CONTACT US | ARTICLES | RESOURCE LINKS | HOME