Melissa C. Marsh, Esq.
 

Corporate Client Bulletin


May 2005

Businesses Required to Properly Store and Dispose of Consumer Information
Prepared By: Melissa C. Marsh

Obligation To Properly Dispose of Consumer Information.

The Fair Credit Reporting Act (“FCRA”), as amended by the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”), requires businesses as of July 1, 2005 to implement policies and procedures to effectively dispose of Consumer Information. The FTC specifically suggests burning, pulverizing, or shredding papers containing Consumer Information, and destroying or erasing electronic media containing Consumer Information, so that the information cannot practicably be read or reconstructed.

What is Consumer Information?

Consumer Information is defined as any record (paper or electronic) that identifies an individual and contains information about that individual’s creditworthiness, character, general reputation, personal characteristics, or mode of living, etc. and which is or can be used to determine the individual’s eligibility for credit, insurance, or employment. Consumer Information does not include blind data that does not identify the individual. Specifically, Consumer Information includes information like an individual’s name, social security number, account number (bank or credit card), password, etc.

All businesses including retailers that accept credit cards, banks, insurers, businesses offering credit, and employers that maintain even a single employee's social security number will likely have to comply with these new rules. The obligation to properly store and later dispose of Consumer Information in a reasonable manner also extends to third-party service providers who dispose of Consumer Information on behalf of a business. A business cannot simply “outsource” its obligations under the new regulations to avoid liability; it must ensure that the third-party disposal company agrees to follow the FCRA requirements.

Penalties.

A business that fails to comply with the FCRA’s proper storage and disposal requirements may be subject to civil liability for willful noncompliance or negligent noncompliance, which could result in the recovery of actual damages (up to $1,000 per violation), punitive damages, and court costs and attorney fees. In addition, a business that fails to comply with the disposal requirement may be subject to administrative enforcement, including fines of up to $2,500 per violation where the FTC is responsible for enforcement.

When Should I Dispose Of The Information?

Neither the FCRA nor the new regulations create document retention periods. Consequently, businesses must look elsewhere to determine how long records containing Consumer Information must be kept. There is no single statute of limitations for the many categories of records a business needs to retain. To make matters more complicated, the federal and state governments often provide different timetables, and the rules seem to change.

Below is a table that outlines some federal and California record retention periods relating to tax, business and employment records that are likely to contain Consumer Information.

 

Record Retention Periods

| Record | CA Law | Federal Law |
| --- | --- | --- |
| Tax Records, including the employee's name, address, account number, total payments made and date of each payment; the period of the employee's service; the total remuneration constituting wages which are subject to withholding; collected taxes; explanation(s) for any difference between remuneration and taxable income; the fair market value of any non-cash remuneration; an IRS Form W-4, documentation concerning the employee's tax status. | 6 years (Cal. Rev. & Taxation Code § 19704). | 4 years (Internal Revenue Code § 3402). |
| Contracts and Leases | 7 Years | 7 Years |
| Purchase Orders, Sales Records, Customer Invoices & Vendor Invoices, and Accounts Payable Ledgers. | 7 Years | 7 Years |
| Job Applications, including all records relating to hiring, job advertisements, job descriptions, and job orders regarding recruitment | 2 years after creation or receipt (Cal. Govt. Code § 12946) | At least 1 year from the date of hiring, or from the date of the relevant personnel action (Title VII of the Civil Rights Act of 1964, Americans With Disabilities Act of 1990, and Age Discrimination in Employment Act ("ADEA")). |
| Payroll Records (the employee's name, address, date of birth, occupation, hours worked by day and week, wages paid each pay period, the date of wage payments, straight-time and overtime payments and deductions) | 2 Years, but 3 Years for records relating to deductions made from an employee's wages after employment is terminated (Cal. Govt. Code § 12946; Cal. Lab. Code § 1174 and California Family Rights Act) | 3 Years - Fair Labor Standards Act, Family and Medical Leave Act ("FMLA") and ADEA, but ERISA related records must be maintained for 6 years. |
| Family, Medical and Pregnancy Leave. All employers must maintain an annual summary of work-related illnesses and injuries that result in the need for medical treatment, work restrictions, lost workdays, termination, transfer, a diagnosed work-related illness, loss of consciousness, or death. | 2 Years (Cal. Gov't Code § 12945, 12946) | 3 Years (FMLA records for employers with 50 or more employees) |
| OSHA Log. All employers must maintain an annual summary of work-related illnesses and injuries that result in the need for medical treatment, work restrictions, lost workdays, termination, transfer, a diagnosed work-related illness, loss of consciousness, or death. | 5 Years | 5 Years from the date of injury or illness (8 Cal. Code Regs. § 14304-14311) |

Businesses that handle Consumer Information should:

  • Immediately review their policies and procedures with respect to record retention and destruction to ensure there are provisions requiring the proper secure storage of consumer information and timely destruction of such consumer information;

  • If the business does not have a record retention and destruction policy, consider creating one that requires the encryption of sensitive consumer information collected from either your employees or from your customers and stored on a computer network and its proper destruction in a timely manner;

  • Train all employees handling Consumer Information to ensure they are aware of, and will follow, the policy; and

  • Periodically audit your document retention and destruction policy to ensure employees and/or service providers are abiding by the policy.

The FTC has been taking prompt enforcement action against companies for security breaches involving consumers’ personal information even when the company has complied with its own privacy policies. The FTC continues to make “privacy and information security” a top priority in its consumer protection program.

© Melissa C. Marsh 2005 All Rights Reserved.



Disclaimer: This article has been prepared by Melissa C. Marsh for general informational purposes only and does not constitute legal advice. Readers should not rely or act upon the information contained in this article for any purpose without seeking legal advice from a local licensed attorney in your state. This article is not, and should not be used as, a substitute for legal advice as your specific factual circumstances may differ, the laws of your jurisdiction may differ, and the laws may have changed. Your use of this Internet site does not create an attorney-client relationship. Transmission of this article is not intended to create, and receipt of it does not constitute, an attorney-client relationship. All uses of the contents of this site, other than personal uses, are prohibited.