Federal Law
FACTA Disposal Rule: Destroying Consumer Report Information
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) directed the Federal Trade Commission to require proper disposal of consumer report information. The FTC Disposal Rule at 16 CFR Part 682 requires reasonable measures to protect against unauthorized access when discarding that data. All Green Recycling's data destruction processes are operationally aligned to the Disposal Rule for media holding consumer report information.
What Is the FACTA Disposal Rule?
The Fair and Accurate Credit Transactions Act of 2003 (FACTA) amended the Fair Credit Reporting Act and directed federal agencies to issue a rule on the proper disposal of consumer report information. The Federal Trade Commission Disposal Rule, codified at 16 CFR Part 682, took effect on 1 June 2005.
Publisher: U.S. Federal Trade Commission (FTC)
Key citation: 16 CFR Part 682, “Disposal of Consumer Report Information and Records”
Legal force: Mandatory federal rule. Enforced by the FTC and, for certain entities, by federal banking regulators.
The Disposal Rule sets a flexible performance standard rather than a prescribed method. Any person who maintains or possesses consumer information for a business purpose must take “reasonable measures” to protect against unauthorized access to or use of the information in connection with its disposal. For electronic media, the rule recognizes destruction or erasure so that the information cannot practicably be read or reconstructed.
What Does the FACTA Disposal Rule Require?
The FACTA Disposal Rule requires reasonable measures to dispose of consumer report information so it cannot practicably be read or reconstructed. The rule names burning, pulverizing, or shredding papers, and destroying or erasing electronic media, as examples of reasonable measures.
Reasonable measures for electronic media
For electronic consumer information, reasonable measures include destroying or erasing the media so that the information cannot practicably be read or reconstructed. End-of-life drives holding consumer report data should be destroyed at the NIST Destroy level, or sanitized at the Purge level when the device will be reused.
Due diligence on disposal vendors
The rule states that engaging a third party in the business of record destruction can constitute reasonable measures, provided the entity exercises due diligence in selecting that vendor. Due diligence includes reviewing the vendor’s competence and integrity and obtaining documentation of destruction.
Scope of “consumer information”
Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. It includes a compilation of such records. A list derived from credit reports is consumer information; a list that contains no consumer-report-derived data is not.
The “reasonable measures” standard is risk-based
The rule deliberately avoids a single prescribed method because it must apply to a corner landlord and a national bank alike. What is reasonable scales with the sensitivity of the information and the nature and size of the operation. A business holding large volumes of credit-report data is expected to apply more rigorous controls, such as documented destruction with a chain of custody, than a sole proprietor disposing of a handful of records. The standard rewards an organization that can show it assessed the risk and selected a proportionate disposal method.
Paper and electronic media are both covered
The Disposal Rule names burning, pulverizing, and shredding of papers, and destroying or erasing electronic media, as illustrative reasonable measures. This means a complete program addresses both the printed background-check files in a records room and the drives inside the workstations that generated them. Treating only one format leaves a gap, because consumer report information frequently exists in both forms for the same individual.
How All Green Recycling Aligns to the FACTA Disposal Rule
All Green Recycling’s data destruction processes are operationally aligned to the FACTA Disposal Rule standard that consumer report information cannot practicably be read or reconstructed after disposal. Engaging All Green Recycling, and retaining its destruction documentation, supports a client’s due-diligence obligation under the rule.
| Disposal Rule element | All Green Recycling control |
|---|---|
| Render electronic data unreadable | Hard Drive Shredding at NIST Destroy level |
| Erase media for reuse | SSD Secure Erase and verified wiping |
| Engage a competent destruction vendor | Documented Data Destruction chain of custody |
| Evidence of reasonable measures | Certificate of Destruction with serialized inventory |
All Green Recycling does not claim “FACTA certification.” The Disposal Rule is a federal regulation enforced by the FTC, not a certification scheme. The company states that its destruction methods satisfy the requirements of the Disposal Rule, and the Certificate of Destruction provides the documentation that helps a client demonstrate reasonable measures and vendor due diligence.
For a client, the value of this arrangement is that it converts an open-ended “reasonable measures” obligation into a documented event. Rather than asserting after the fact that media was probably wiped, the client holds a dated, serialized record tying each destroyed device to a method that renders consumer information unreadable. That record is the practical answer to an FTC inquiry or a civil claim, because it shows both that a competent vendor was engaged and that the disposal actually occurred.
Who Must Comply With the FACTA Disposal Rule?
The FACTA Disposal Rule applies to any person who maintains or otherwise possesses consumer information for a business purpose. This is one of the broadest scopes in federal data law, because it follows the data rather than an industry.
Covered parties include consumer reporting agencies, lenders, insurers, employers that run background checks, landlords and property managers that screen tenants, car dealers, debt collectors, and the service providers that support them. A financial services firm retiring loan-origination servers and a property-management company decommissioning tenant-screening workstations are both within scope. The rule reaches individuals as well as businesses when they possess consumer information for a business purpose.
The breadth catches organizations that do not think of themselves as data businesses. A human resources department that runs pre-employment background checks holds consumer report information on every screened applicant, and a property management company that screens prospective tenants holds it on every applicant it reviews. When these organizations retire the computers, servers, and storage that held those reports, the Disposal Rule attaches to that media, and a documented destruction record is the simplest way to evidence that reasonable measures were taken.
Enforcement and Consequences
The Federal Trade Commission enforces the Disposal Rule, and federal banking agencies enforce parallel rules for the institutions they supervise. Violations expose an organization to federal penalties, civil liability, and state action.
FTC enforcement: The FTC has pursued companies that discarded consumer records in unsecured dumpsters. A money-services business settled FTC and CFPB allegations that it threw documents containing consumers’ personal information into open trash, with a civil penalty in the six figures.
Civil liability: Because the Disposal Rule arises under the Fair Credit Reporting Act, violations can expose a business to FCRA civil liability, including statutory damages and attorney fees in private actions.
State overlay: Many state data-disposal and breach-notification laws apply alongside the federal rule, so a single disposal failure can trigger concurrent FTC and state attorney general exposure.
Frequently Asked Questions
Is the FACTA Disposal Rule mandatory or voluntary?
The FACTA Disposal Rule is a mandatory federal regulation at 16 CFR Part 682, enforced by the Federal Trade Commission. It applies to any person who maintains or possesses consumer report information for a business purpose. The rule requires reasonable measures to dispose of that information so it cannot practicably be read or reconstructed. There is no size threshold, so small businesses that run background or credit checks are covered.
What does the FACTA Disposal Rule require for electronic media?
The Disposal Rule requires reasonable measures to destroy or erase electronic media so that consumer report information cannot practicably be read or reconstructed. In practice this means shredding end-of-life drives at the NIST Destroy level, or applying a verified Purge-level erase when a device will be reused. The rule also recognizes that engaging a competent third-party destruction vendor, with due diligence, constitutes reasonable measures.
How does All Green Recycling satisfy the FACTA Disposal Rule?
All Green Recycling’s destruction processes are operationally aligned to the Disposal Rule standard. The company shreds media holding consumer information at Destroy level, erases reusable media at Purge level, and issues a Certificate of Destruction with a serialized inventory. That documentation supports a client’s obligation to take reasonable measures and to demonstrate due diligence in selecting a destruction vendor. All Green Recycling states process-alignment, not a FACTA certification.
What counts as consumer report information under FACTA?
Consumer report information, or consumer information, is any record about an individual that is a consumer report or is derived from one, including compilations of such records, in paper or electronic form. Credit reports, background-check results, and tenant-screening reports are examples. A record that contains no information derived from a consumer report is not covered, but mixed datasets that include consumer-report-derived fields fall within the rule.
Does using a destruction vendor satisfy the due-diligence requirement?
Engaging a third party in the business of record destruction can constitute reasonable measures under the Disposal Rule, provided the client exercises due diligence in selecting the vendor. Due diligence includes confirming the vendor’s competence and integrity and obtaining destruction documentation. The Certificate of Destruction from All Green Recycling, with its serialized inventory and method record, provides the evidence a client retains to show the obligation was met.
Does the FACTA Disposal Rule have a small-business exemption?
No. The Disposal Rule applies to any person who maintains or possesses consumer report information for a business purpose, with no exemption based on company size or revenue. A sole proprietor who runs tenant or applicant background checks is covered just as a national lender is. What scales with size is the level of reasonable measures expected, not whether the rule applies at all. For a small business the practical path is straightforward: route end-of-life devices and consumer-report paper to a documented destruction service and keep the resulting certificate, which demonstrates reasonable measures regardless of the volume involved.
How does FACTA relate to the GLBA Safeguards Rule?
FACTA’s Disposal Rule governs the disposal of consumer report information for any business that uses such reports, while the GLBA Safeguards Rule governs how financial institutions protect customer financial information throughout its lifecycle, including disposal. A lender is often subject to both. Documented destruction that renders media unreadable satisfies the disposal element of each rule, which is why a single Certificate of Destruction can support both compliance programs.
What happens if consumer report data is found in the trash?
Discarding records containing consumer report information in unsecured trash is the classic Disposal Rule violation, and the FTC has brought enforcement actions on exactly those facts. Beyond the federal penalty, dumpster disposal can expose individuals to identity theft, which invites Fair Credit Reporting Act civil claims and state attorney general action. The preventive control is to route every storage-bearing device and every box of consumer-report paper to documented destruction rather than to a dumpster, and to keep the Certificate of Destruction as proof that the information was rendered unreadable.
Need secure disposal services that satisfy FACTA Disposal Rule?
Bonded · Insured · Certificate of Destruction · Methods follow FACTA Disposal Rule