The Fair and Accurate Credit Transactions Act of 2003 (FACTA) added new sections to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), intended primarily to help consumers fight the growing crime of identity theft. Accuracy, privacy, limits on information sharing, and new consumer rights to disclosure are included in FACTA.
The Federal Trade Commission (FTC) requires that when an employer investigates an employee's conduct on the job, including investigations of employee misconduct, the FCRA governs. The FCRA does not apply to investigations conducted by the in-house personnel. In addition, FCRA does not apply when a third-party, who is not in the business of providing such reports, does the investigation (e.g. contractors who do such investigations, but not as their principal business).
The practice known as “dumpster diving” provides identity thieves with a treasure trove of personal data. Irresponsible information disposal by businesses has been cited in numerous instances of fraud. Under FACTA provisions, consumer reporting agencies and any business that uses a consumer report must adopt procedures for proper document disposal.
The Federal Trade Commission (FTC), the Federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule. The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports. The FTC lists the following as among those that must comply with the rule:
✓ Lenders
✓ Insurers
✓ Employers
✓ Landlords
✓ Government agencies
✓ Mortgage brokers
✓ Automobile dealers
✓ Attorneys and private investigators
✓ Debt collectors
✓ Individuals who obtain a credit report on prospective nannies, contractors, or tenants
✓ Entities that maintain information in consumer reports as part of their role as service providers
The definition of “reasonable measures," in reference to the FACTA Disposal Rule, specifies three possible ways to comply:
✓ Burning, pulverizing, or shredding of physical documents
✓ Erasure or destruction of all electronic media
✓ Outsourcing contract with a third-party engaged in the business of information destruction
FACTA "Red Flag" Guidelines
Updates to FACTA mandate that financial institutions and creditors must comply with the identity theft “Red Flag” provisions by November 1, 2008. The ruling issued by the Federal Trade Commission (FTC) and 5 Federal bank regulatory agencies applies specifically to Section 114 of FACTA and addresses an array of accounts, organizations, and consumers, including:
The FACTA rules and guidelines implemented in Section 114 of FACTA specify several categories of Red Flags which illustrate the types of activities that need to be identified:
Secure Controls Framework (SCF)
Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...
ComplianceForge is very pleased to announce it is now a Secure Controls Framework Licensed Cont...
The NIST Cybersecurity Framework (NIST CSF) is commonly used “cybersecurity best practice” for organ...
Cybersecurity Supply Chain Risk Management (C-SCRM) is the process of identifying, assessing and mit...
Determining the scope of controls (e.g., assessment boundary) is different than determining control...
