Disposing of Sensitive Information - Disposal Rule

NOTICE: The information below was obtained directly from the Federal Trade Commission’s (FTC) website. Links are provided so you may access the content on the FTC website.

FAST FACTS

To protect the privacy of consumer information and reduce the risk of fraud and identity theft, a federal rule requires dealers to take appropriate measures to dispose of sensitive information derived from consumer reports (credit reports).

The Disposal Rule is enforced by the Federal Trade Commission (FTC).

Although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the FTC encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures.

What is considered proper disposal?

  • burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
  • destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
  • conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
    • reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
    • obtaining information about the disposal company from several references;
    • requiring that the disposal company be certified by a recognized trade association;
    • reviewing and evaluating the disposal company’s information security policies or procedures.

The FTC says that financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires (ftc.gov/privacy/privacyinitiatives/safeguards.html).



Disposing of Consumer Report Information? Rule Tells How

In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, a federal rule requires businesses to take appropriate measures to dispose of sensitive information derived from consumer reports.

Any business or individual who uses a consumer report for a business purpose is subject to the requirements of the Disposal Rule. The Rule requires the proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” The Federal Trade Commission, the nation’s consumer protection agency, enforces the Disposal Rule.

According to the FTC, the standard for the proper disposal of information derived from a consumer report is flexible, and allows the organizations and individuals covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology.

Although the Disposal Rule applies to consumer reports and the information derived from consumer reports, the FTC encourages those who dispose of any records containing a consumer’s personal or financial information to take similar protective measures.

Who must comply?

The Disposal Rule applies to people and both large and small organizations that use consumer reports. Among those who must comply with the Rule are:

  • Consumer reporting companies
  • Lenders
  • Insurers
  • Employers
  • Landlords
  • Government agencies
  • Mortgage brokers
  • Automobile dealers
  • Attorneys or private investigators
  • Debt collectors
  • Individuals who obtain a credit report on prospective nannies, contractors, or tenants
  • Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule

What information does the Disposal Rule cover?

The Disposal Rule applies to consumer reports or information derived from consumer reports. The Fair Credit Reporting Act defines the term consumer report to include information obtained from a consumer reporting company that is used – or expected to be used – in establishing a consumer’s eligibility for credit, employment, or insurance, among other purposes. Credit reports and credit scores are consumer reports. So are reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history.

What is “proper” disposal?

The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

  • burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed;
  • destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
  • conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
    • reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
    • obtaining information about the disposal company from several references;
    • requiring that the disposal company be certified by a recognized trade association;
    • reviewing and evaluating the disposal company’s information security policies or procedures.

The FTC says that financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley (GLB) Safeguards Rule should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires (ftc.gov/privacy/privacyinitiatives/safeguards.html).

The Fair and Accurate Credit Transactions Act, which was enacted in 2003, directed the FTC, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the National Credit Union Administration, and the Securities and Exchange Commission to adopt comparable and consistent rules regarding the disposal of sensitive consumer report information. The FTC’s Disposal Rule became effective June 1, 2005. It was published in the Federal Register on November 24, 2004 [69 Fed. Reg. 68,690], and is available at ftc.gov/os/2004/11/041118disposalfrn.pdf.

Your Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to www.sba.gov/ombudsman.

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

June 2005



Copier Data Security: A Guide for Businesses [PDF]


Does your company keep sensitive data — Social Security numbers, credit reports, account numbers, health records, or business secrets? If so, then you’ve probably instituted safeguards to protect that information, whether it’s stored in computers or on paper. That’s not only good business, but may be required by law.

According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, your information security plans also should cover the digital copiers your company uses. If the data on your copiers gets into the wrong hands, it could lead to fraud and identity theft.

Digital Copiers are Computers

Commercial copiers have come a long way. Today’s generation of networked multifunction devices — known as “digital copiers” — are “smart” machines that are used to copy, print, scan, fax and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production. But not every copier on the market is digital: generally, copiers intended for business have hard drives, while copiers intended for personal or home office use do not.

The hard drive in a digital copier stores data about the documents it copies, prints, scans, faxes or emails. If you don’t take steps to protect that data, it can be stolen from the hard drive, either by remote access or by extracting the data once the drive has been removed.

Digital copiers store different types of information in different ways. For example, photocopied images are more difficult to access directly from the hard drive than documents that are faxed, scanned or printed on the copier.

The Life-Cycle of a Copier

Copiers often are leased, returned, and then leased again or sold. It’s important to know how to secure data that may be retained on a copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.

It’s wise to build in data security for each stage of your digital copier’s life-cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Before you acquire a copier:

Make sure it’s included in your organization’s information security policies. Copiers should be managed and maintained by your organization’s IT staff. Employees who have expertise and responsibility for securing your computers and servers also should have responsibility for securing data stored on your digital copiers.

When you buy or lease a copier:

Evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

Encryption is the scrambling of data using a secret code that can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.

Overwriting — also known as file wiping or shredding — changes the values of the bits on the disk that make up a file by overwriting existing data with random characters. By overwriting the disk space that the file occupied, its traces are removed, and the file can’t be reconstructed as easily.

Depending on the copier, the overwriting feature may allow a user to overwrite after every job run, periodically to clean out the memory, or on a preset schedule. Users may be able to set the number of times data is overwritten — generally, the more times the data is overwritten, the safer it is from being retrieved. However, for speed and convenience, some printers let you save documents (for example, a personnel leave slip) and print them straight from the printer hard drive without having to retrieve the file from your computer. On copiers that offer this feature, those saved documents are not overwritten along with the rest of the memory. Users should be aware that these documents are still available.

Overwriting is different from deleting or reformatting. Deleting data or reformatting the hard drive doesn’t actually alter or remove the data, but rather alters how the hard drive finds the data and combines it to make files: The data remains and may be recovered through a variety of utility software programs.

Yet another layer of security that can be added involves the ability to lock the hard drives using a passcode; this means that the data is protected, even if the drive is removed from the machine.

Finally, think ahead to how you will dispose of the data that accumulates on the copier over time. Check that your lease contract or purchase agreement states that your company will retain ownership of all hard drives at end-of-life, or that the company providing the copier will overwrite the hard drive.

When you use the copier:

Take advantage of all its security features. Securely overwrite the entire hard drive at least once a month.

If your current device doesn’t have security features, think about how you will integrate the next device you lease or purchase into your information security plans. Plan now for how you will dispose of the copier securely. For example, you may want to consider placing a sticker or placard on the machine that says: “Warning: this copier uses a hard drive that must be physically destroyed before turn-in or disposal.” This will inform users of the security issues, and remind them of the appropriate procedures when the machine reaches the end of its usable life.

In addition, your organization’s IT staff should make sure digital copiers connected to your network are securely integrated. Just like computers and servers that store sensitive information, networked copiers should be protected against outside intrusions and attacks.

When you finish using the copier:

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.

One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives aren’t always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than to remove the hard drive on your own.

Protecting Sensitive Information: Your Legal Responsibility

The FTC’s standard for information security recognizes that businesses have a variety of needs and emphasizes flexibility: Companies must maintain reasonable procedures to protect sensitive information. Whether your security practices are reasonable depends on the nature and size of your business, the types of information you have, the security tools available to you based on your resources, and the risks you are likely to face.

Depending on the information your business stores, transmits, or receives, you also may have more specific compliance obligations. For example, if you receive consumer information, like credit reports or employee background screens, you may be required to follow the Disposal Rule, which requires a company to properly dispose of any such information stored on its digital copier, just as it would properly dispose of paper information or information stored on computers. Similarly, financial institutions may be required to follow the Gramm-Leach-Bliley Safeguards Rule, which requires a security plan to protect the confidentiality and integrity of personal consumer information, including information stored on digital copiers.

For More Information

To learn more about securing sensitive data, in general, read Protecting Personal Information: A Guide for Business at ftc.gov/infosecurity.

The FTC works for the consumer to prevent fraudulent, deceptive, and unfair practices in the marketplace and to provide information to businesses to help them comply with the law. To file a complaint or to get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Opportunity to Comment

The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to sba.gov/ombudsman.

November 2010



Disposing of Your Mobile Device

Thinking of upgrading to a new mobile phone or device? Maybe returning one that didn’t work out for you? It’s important to delete any personal information you stored on the device.

How to Remove Personal Information

Your mobile device probably holds sensitive information like addresses and phone numbers, passwords, account numbers, email, voicemail, and text message logs. When getting rid of your old device, it’s important to take steps to help ensure this information doesn’t fall into the wrong hands.

First, try to use the factory reset. Many devices allow you to “wipe” your device and clear nearly all the information in its memory. Sometimes, this is called a “hard reset,” or “factory reset.” You may be able to save or transfer the information to your new device before you delete it from your old one. For detailed instructions on how to “wipe” your device, read your owner’s manual or check the website of your mobile provider or the device manufacturer.

Second, remove or erase SIM and SD cards. Many mobile devices store information on a SIM card or an external SD card as well as in the device’s internal memory. If you’re keeping your phone number, ask your mobile provider about transferring your SIM card to your new device. SD cards often contain photos and other sensitive information. Even when you “wipe” your device, your SIM card or SD cards may retain information about you. Remove them from your device or delete the data that’s stored on them.

Checking Twice

After you’ve deleted your personal information, it’s good to double-check to make sure it’s gone. Check your:

  • phone book
  • logs for both dialed and received calls
  • voicemails
  • sent and received emails and text messages
  • downloads and other folders
  • search histories
  • personal photos

If you stored apps on your device, remove them and the data associated with them.

Discarding with Care

Once you have a “clean” phone, it’s up to you to decide what to do next.

Recycling it is one option. Many mobile device manufacturers, wireless service providers, and other groups have programs to refurbish mobile devices or recycle their components, including accessories like chargers. For more information, check the websites of:

Another option is to donate your device. Many organizations collect used mobile devices for charitable purposes. You also might decide to trade in your device for a credit toward a new one; resell it to a person or an organization; or just dispose of it altogether. If that’s your choice, keep the environment in mind. The EPA recommends that you check with your local health and sanitation agencies for their preferred way to dispose of electronics.



Disposing of Old Computers


Getting rid of your old computer? You can ensure its hard drive doesn’t become a treasure chest for identity thieves. Use a program that overwrites or wipes the hard drive many times. Or remove the hard drive, and physically destroy it.

Understand Your Hard Drive

Computers often hold personal and financial information, including:

  • passwords
  • account numbers
  • license keys or registration numbers for software programs
  • addresses and phone numbers
  • medical and prescription information
  • tax returns
  • files created automatically by browsers and operating systems

When you save a file, especially a large one, it is scattered around the hard drive in bits and pieces. When you open a file, the hard drive gathers the bits and pieces and reconstructs them.

When you delete a file, the links to reconstruct the file disappear. But the bits and pieces of the deleted file stay on your computer until they’re overwritten, and they can be retrieved with a data recovery program. To remove data from a hard drive permanently, the hard drive needs to be wiped clean.
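The point made here, and in the copier guide’s explanation of overwriting versus deleting or reformatting, is easy to see on a simulated disk. The following is an added illustration, not FTC material: a toy “disk image” (a bytearray of fixed-size blocks plus a directory of which blocks belong to which file) with constructed sample records containing made-up, placeholder SSN-like strings. A raw scan of the image, which is what a data recovery program does, still finds every record after an ordinary delete and after a quick reformat, and finds nothing once the blocks have been overwritten. The class and function names (ToyDisk, carve_ssns, demo) are this example’s own.

```python
import os
import random
import re

BLOCK_SIZE = 16   # toy block size; real filesystems use clusters of several KiB
NUM_BLOCKS = 32

# Constructed sample data: three records, each exactly one block long.
# The numbers are placeholders in SSN format, not real identifiers.
SAMPLE_RECORDS = (
    b"SSN=123-45-6789\n"
    b"SSN=987-65-4321\n"
    b"SSN=555-12-3456\n"
)
SSN_PATTERN = re.compile(rb"\d{3}-\d{2}-\d{4}")


class ToyDisk:
    """A bytearray 'platter' plus a directory mapping file names to block numbers."""

    def __init__(self, seed=7):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}                      # file name -> list of block indexes
        self.free = list(range(NUM_BLOCKS))
        random.Random(seed).shuffle(self.free)   # deterministic scatter: files fragment

    @staticmethod
    def _slot(idx):
        return slice(idx * BLOCK_SIZE, (idx + 1) * BLOCK_SIZE)

    def write_file(self, name, data):
        # Scatter the file across whichever blocks are free, one block per chunk.
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            idx = self.free.pop()
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            self.image[self._slot(idx)] = chunk
            blocks.append(idx)
        self.directory[name] = blocks

    def read_file(self, name):
        # Normal access goes through the directory to gather the scattered blocks.
        return b"".join(bytes(self.image[self._slot(i)]) for i in self.directory[name])

    def delete_file(self, name):
        # Ordinary delete: only the directory entry goes; the blocks are merely marked free.
        self.free.extend(self.directory.pop(name))

    def quick_format(self):
        # A quick reformat rebuilds the bookkeeping and leaves every data block untouched.
        self.directory.clear()
        self.free = list(range(NUM_BLOCKS))

    def wipe_file(self, name, passes=1):
        # Overwrite the file's blocks with random bytes `passes` times, then drop the entry.
        for idx in self.directory[name]:
            for _ in range(passes):
                self.image[self._slot(idx)] = os.urandom(BLOCK_SIZE)
        self.delete_file(name)

    def wipe_free_space(self, passes=1):
        # Overwrite every block the directory does not reference, catching earlier deletes.
        in_use = {i for blocks in self.directory.values() for i in blocks}
        for idx in range(NUM_BLOCKS):
            if idx not in in_use:
                for _ in range(passes):
                    self.image[self._slot(idx)] = os.urandom(BLOCK_SIZE)


def carve_ssns(disk):
    """What a recovery tool does: scan the raw image and ignore the directory entirely."""
    return SSN_PATTERN.findall(bytes(disk.image))


def demo():
    """Return how many records a raw scan still finds after each disposal step."""
    results = {}
    disk = ToyDisk()
    disk.write_file("hr_records.txt", SAMPLE_RECORDS)
    results["after_write"] = len(carve_ssns(disk))

    disk.delete_file("hr_records.txt")
    results["after_delete"] = len(carve_ssns(disk))          # entry gone, bytes remain

    disk.quick_format()
    results["after_quick_format"] = len(carve_ssns(disk))    # still fully recoverable

    disk.wipe_free_space(passes=3)
    results["after_wipe_free_space"] = len(carve_ssns(disk)) # nothing left to carve

    disk.write_file("hr_records.txt", SAMPLE_RECORDS)
    disk.wipe_file("hr_records.txt", passes=1)
    results["after_wipe_file"] = len(carve_ssns(disk))       # wiping a live file works too
    return results


if __name__ == "__main__":
    for step, count in demo().items():
        print(f"{step:22s} records recoverable: {count}")
```

The carving step is the whole lesson: the directory is only an index, so any disposal method that touches the index but not the blocks (delete, quick reformat) leaves the data in place, while a wipe of free space or of the file itself removes it regardless of how many passes are used. On a real drive the same check is a raw scan of the device, which is how you verify that a wiping utility actually did its job before the machine leaves your hands.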

How to Clean a Hard Drive

Before you clean a hard drive, save the files you want to keep to:

  • a USB drive
  • a CD-ROM
  • an external hard drive
  • a new computer

Check your owner’s manual, the manufacturer’s website, or its customer support service for information on how to save data and transfer it to a new computer.

Utility programs to wipe a hard drive are available both online and in stores where computers are sold. These programs generally are inexpensive; some are available on the internet for free. These programs vary:

  • Some erase the entire disk, while others allow you to select files or folders to erase.
  • Some overwrite or wipe the hard drive many times, while others overwrite it only once.

Consider using a program that overwrites or wipes the hard drive many times; otherwise, the deleted information could be retrieved. Or remove the hard drive, and physically destroy it.

If you use your home or personal computer for business purposes, check with your employer about how to manage the information on your computer that’s business-related. The law requires businesses to follow data security and disposal requirements for certain information that’s related to customers.

How to Dispose of Your Computer

Recycle it.

Many computer manufacturers have programs to recycle computers and components. Check their websites or call their toll-free numbers for more information. The Environmental Protection Agency (EPA) has information about electronic product recycling programs. Your local community may have a recycling program, too. Check with your county or local government, including the local landfill office for regulations.

Donate it.

Many organizations collect old computers and donate them to charities.

Resell it.

Some people and organizations buy old computers. Check online.

Remember, most computer equipment contains hazardous materials that don’t belong in a landfill. For example, many computers have heavy metals that can contaminate the earth. The EPA recommends that you check with your local health and sanitation agencies for ways to dispose of electronics safely.
