Last week I blogged about record keeping. See here. In that blog, I mentioned the destruction of records in accordance with your policies and procedures. I have heard from several people asking me to jog their memories as to just what it is that I was talking about!

Back in April, I wrote about the FTC Disposal of Consumer Report Information and Records Rule (Rule). See here. That is the federal rule we look to for instruction about the disposal of consumer information.

Also, many states have adopted data breach notification laws. For example, the State of Alabama has adopted the Alabama Data Breach Notification Act of 2018 (a Data Breach Notification Act). This law requires consumer finance companies to implement and maintain reasonable security measures to protect against breaches of sensitive, personally identifying information (which is also nonpublic personal information), and to adopt procedures to address security breaches.

Both the Rule and State Data Breach Notification Acts provide that the measures taken to address security breaches are to be reasonable and sufficient based on the size and complexity of the consumer finance company. Both require the implementation of policies and procedures to address record retention and destruction.

Last spring, the FTC published for comment a proposed amendment to its Rule. The proposal contains five main modifications to the existing Rule.

  • First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program.
  • Second, it adds provisions designed to improve the accountability of financial institutions' information security programs.
  • Third, it exempts small businesses from certain requirements.
  • Fourth, it expands the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Finally, the Commission proposes to include the definition of “financial institution” and related examples in the Rule itself rather than cross-reference them from a related FTC rule, the Privacy of Consumer Financial Information Rule.

The FTC notice can be accessed here.

So, the message that I may not have gotten across last week is that creditors need to have in place a policy and procedure that addresses retention, destruction, and data breach notification.

Practice Pointer: Continue to be cognizant of your duty to properly preserve and then destroy consumer information!

Please note: This is the seventy-ninth blog in a series of Back to Basics blogs, in which relevant and resourceful information can be easily accessed by clicking here.