June 16, 2006
Anthony Foschi
© 2006 Hospitality Upgrade. No reproduction without written permission.
Hotels and motels obtain access to consumer credit information on a daily basis. As of June 1, 2005, every business that handles consumer credit information must have developed and implemented a process to destroy consumer credit information before it is discarded. Failure to properly destroy consumer credit information could lead to civil liabilities, class action lawsuits and state and federal enforcement actions.
The Fair and Accurate Credit Transactions Act (FACTA) is a federal law designed to reduce the risk of identity theft and consumer fraud by providing for the routine destruction of consumer information. According to a September 2003 study released by the Federal Trade Commission (FTC), nearly 10 million Americans were the victims of identity theft in the previous year alone. Furthermore, the FTC found that United States businesses lost $47 billion and consumers lost approximately $5 billion as a result of identity theft during the same period.
In November 2004, the FTC developed and published the Disposal Rule requiring that "any person who maintains or otherwise possesses consumer information for a business purpose" dispose of discarded consumer information, whether in electronic or paper form. The disposal rule compels "taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." Examples of reasonable measures include: burning, pulverizing or shredding of physical documents; erasure or destruction of all electronic media; and contracting with a third party engaged in the business of information destruction. The disposal rule applies to almost all businesses operating in the United States that use or store consumer information in everyday operations.
Innkeepers receive and maintain consumer credit information inasmuch as consumers provide credit card and other confidential information upon arrival. Many hoteliers record consumer credit information for guests who visit an establishment frequently. Moreover, most employers perform background checks on prospective employees that involve accessing consumer credit reports. Under FACTA, innkeepers must now assure the proper destruction of this confidential information.
To ensure compliance with FACTA’s disposal rules, innkeepers must create a document retention policy that sets forth the timing and method of destroying consumer credit information. This policy should define and identify confidential consumer information, determine the method, schedule and frequency for destruction, and provide for proper training of employees who will have contact with consumer credit information.
The method of destruction depends on the media. Paper records could be destroyed on site with a shredding device. Larger businesses could resort to document destruction services. Materials other than paper, such as compact discs, diskettes and hard drives, require destruction by more sophisticated methods. Certain vendors are certified by the National Association of Information Destruction. Written agreements with a third party should include a confidentiality provision and certification of compliance with FACTA. Otherwise, innkeepers could become liable for identity theft caused by lax procedures of document destruction companies.
Failure to comply with the disposal rule can be costly. Penalties for willful noncompliance include actual damages, or damages of not less than $100 and not more than $1,000 per violation, costs and attorneys' fees, and punitive damages. Administrative enforcement could include fines of up to $2,500 per violation and/or state fines of up to $1,000 per violation. Businesses can also expect class action lawsuits for failure to comply.
Accordingly, innkeepers should take note of FACTA’s disposal rule and immediately institute a document destruction policy that protects the confidential information received from guests and employees.
Ask the Attorney: Anthony J. Foschi, Esquire, Shumaker Williams P.C., General Counsel, Pennsylvania Tourism & Lodging Association.
FTC Disposal Rule
1) Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information "by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal."
2) Consumer information is defined as "any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report." This definition includes a compilation of such records, but "it does not include information that does not identify individuals, such as aggregate information or blind data."
3) Disposal of consumer information occurs when you discard or abandon it, or sell, donate or transfer any medium (including computer equipment) where it is stored. The FTC disposal rule requires the proper disposal of consumer information, but does not affect the period of time in which it must be retained. Therefore, the rule does not change record retention requirements for documents containing consumer information.
4) The reasonable measures standard for disposal provides some flexibility in determining how to comply with the rule based on an entity’s circumstances.
• Implementing and monitoring compliance with policies and procedures that require: burning, pulverizing or shredding papers containing consumer information so they cannot practically be read or reconstructed, and destroying or erasing electronic media containing consumer information so that it cannot be read or reconstructed;
• After due diligence, entering into (and monitoring compliance with) a contract with a records disposal company that requires it to dispose of your consumer information in accordance with this rule;
• Identifying consumer information when providing it to a records disposal company, another service provider or an affiliate; and
• For entities subject to the FTC Safeguards Rule, incorporating proper procedures for disposing of consumer information into your written information security program.
1 These examples of reasonable measures are illustrative only and are not exclusive or exhaustive methods (or "safe harbors") for complying with the rule.
2 The reasonable measures you adopt should include educating your employees on the proper disposal of consumer information.
3 Due diligence in selecting and overseeing a records disposal company.