Skip Navigation
 
   

NAID's Position on the FACTA Disposal Rule

Bookmark and Share

NAID is in the midst of preparing its official recommendations to the FTC regarding the FACTA Disposal Rule. While in general, the FTC proposed FACTA Disposal Rule was viewed very favorably by the NAID Government Relations Committee, there were a half-a-dozen or so items in the proposed rule that NAID felt could be improved or clarified.

1. CLARIFY WHERE THE RESPONSIBILITY FOR INFORMATION DESTRUCTION RESIDES: The proposed rule holds recycling companies and records storage firms responsible for the proper destruction of covered information. NAID felt that this should be clarified to hold outsourced contractors responsible only in the event that they had accepted the responsibility to destroy the materials in the first place. Otherwise, the contractor would have no way to know what was in the materials they had accepted. This modification would not only emphasize that the original owner of the records is ultimately responsible for their destruction, but would also make it illegal for outsourced contractors to circumvent destruction when they were specifically directed to do such by the client.

2. REQUIRE A CONTRACT FOR INFORMATION DESTRUCTION SERVICES: NAID will also recommend that FACTA require a contractual relationship between the client and the contractor that is responsible for information disposal. This is consistent with the requirements of HIPAA and GLB, as well as the E.U. Data Protection Directives, and will be helpful in establishing the transfer of responsibility from the original owner of the records to the information destruction contractor.

3. ELEVATE THE STATUS ON THE EXAMPLES USED IN THE REASONABLENESS STANDARD: The FTC wisely included very good examples of what would be considered reasonable measures for the destruction of covered information, including measures it felt would be reasonable for selecting an information destruction contractor. NAID will recommend that the status of these "examples" be elevated by including them in the rule as requirements or, at minimum, as safe harbors.

4. CLARIFY THAT THE SIZE OF THE OWNER OF THE INFORMATION WILL NOT MITIGATE THE ULTIMATE RESPONSIBILITY TO DESTROY COVERED INFORMATION: The FTC Disposal Rule says that the size of the organization can be considered in the "reasonableness" of their measures to destroy covered information. NAID is concerned that small organizations or individuals will construe this to mean that they will not be held to the same standard of having to actually destroy the information before it is discarded. According to the FTC, this was not their intention and so NAID will ask that it be made clear that everyone disposing of covered information will always be responsible to destroy it regardless of their size.

5. PREEMPTION OF STATE LAWS MAY BE COUNTER PRODUCTIVE: FACTA preempts state laws regarding related issues. It is assumed this was done because many of the FACTA provisions, of which information disposal is only a small part, need to be consistent throughout the country. Unfortunately, lumping the disposal provision into the preemption language may have the affect of weakening existing and future state-level initiatives that are (or would be) stronger or more comprehensive. While according to the FTC, this was not the intent, there is uncertainty whether or not the Disposal Rule could be isolated from the preemption requirement.

6. CLARIFY THE WASTE DISPOSAL EXEMPTION: There is clause included in the FACTA Disposal Rule that was designed to exempt garbage disposal companies from being held responsible for covered information being placed in their containers. As it is written, however, it could be construed by readers as a permissible method for disposing of covered information. Again, this was not the intent of the FTC and the language only needs to be clarified.