COALITION
TO IMPLEMENT THE FACT ACT
July 23, 2004
Robert E. Feldman,
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Re: FACT Act Disposal Rule, RIN 3064-AC77
To Whom It May Concern:
The Coalition to Implement the FACT Act ("Coalition") submits this
comment letter in response to the Proposed Rule ("Proposed Rule")
issued by the Federal Reserve Board, the Office of the Comptroller of
the Currency, the Office of Thrift Supervision, and the Federal
Deposit Insurance Corporation (collectively, the "Agencies") regarding
the disposal of consumer information by entities within the Agencies'
jurisdictions ("banks"). The Coalition represents a full range of
trade associations and companies that furnish and use consumer
information, as well as those who collect and disclose such
information. The Coalition appreciates the opportunity to comment on
the Proposed Rule.
SUMMARY
The Agencies were charged by Congress in section 628 of the Fair
Credit Reporting Act ("FCRA") to "issue final regulations requiring
any [bank] that maintains or otherwise possesses consumer information,
or any compilation of consumer information, derived from consumer
reports for a business purpose to properly dispose of any such
information or compilation." The Agencies issued the Proposed Rule in
response to this requirement.
As a general matter, the Coalition believes that the Proposed Rule
takes the correct approach to the requirement of section 628. In
particular, the Coalition is pleased that the Agencies have crafted a
Proposed Rule to coincide with existing information security
requirements already imposed on banks. By incorporating the Proposed
Rule into the Agencies' respective information security guidelines
("Information Security Guidelines"), the Agencies have made it easier
for banks to understand, and to comply with, the obligations described
in the Proposed Rule.
"Consumer Information"
By statute, the Proposed Rule must address "consumer information,
or any compilation of consumer information, derived from consumer
reports for a business purpose." The Agencies' definition of "consumer
information" in the Proposed Rule generally tracks this statutory
description. The Coalition appreciates the Agencies' clarification
that "consumer information" must pertain to "an individual" and that
information that does not identify a particular individual would not
be "consumer information." We believe that the Agencies'
interpretation is appropriate. The Coalition does not believe Congress
intended to impose obligations with respect to the disposal of
anonymous information since such information, if improperly obtained,
could not be misused to commit identity theft or consumer fraud.
Therefore, we urge the Agencies to retain this clarification in the
text of the final rule itself. We also urge the Agencies to consider
whether the final rule should apply to information which a bank does
not know is "consumer information." For example, a bank may not know
that information in its possession was derived from a consumer report
and therefore cannot be expected to know that the information is
subject to the Proposed Rule.
Rule of Construction
Section 628 of the FCRA states that it does not require a person to
maintain or destroy consumer information, and that it does not alter
any requirement imposed under other law to maintain or destroy such
information. The Agencies essentially restate this rule of
construction in the portion of the Proposed Rule amending the
Agencies' regulation implementing the FCRA. We agree with the
Agencies' decision to make this rule of construction explicit, and we
request the Agencies retain it in the final rule. We also ask the
Agencies to make a similar clarification in the portion of the
Proposed Rule amending the Information Security Guidelines.
Compliance Obligations
The Agencies state that a bank should "implement appropriate
measures to properly dispose of consumer information in a manner
consistent with the disposal of customer information." The Coalition
applauds the Agencies for allowing banks to provide for the disposal
of consumer information in a manner consistent with how they dispose
of customer information. In particular, the disposal of consumer
information should be subject to the same risk-based analysis and
protection to which customer information is currently subject under
the Information Security Guidelines. We therefore commend the Agencies
for recognizing that they need not propose a prescriptive rule
describing the proper methods of disposal; the risk-based approach of
the Information Security Guidelines does not lend itself to such
treatment.
The Coalition asks the Agencies, however, to delete the reference
to the disposal of consumer information from the "objectives" of the
Information Security Guidelines. The objectives of the Information Security Guidelines
are those that were specified by Congress in the Gramm-Leach-Bliley
Act ("GLBA") as the necessary objectives for banks' information
security programs. Given that Congress did not amend the GLBA to add
an additional objective, we do not believe Congress intended for
Section 628 of the FCRA to establish a new objective for the
Information Security Guidelines. Furthermore, the Information Security
Guidelines establish broad objectives for banks to use when developing
their information security programs. Among these objectives is to
"protect against unauthorized access to or use of such information
that could result in substantial harm or inconvenience to any
customer." We believe that the proper disposal of consumer information
is just one of the several methods that can be used to achieve this
objective. To include the proper disposal of consumer information as a
separate objective would therefore appear to be redundant, and
perhaps place undue emphasis on the disposal of information relative
to other measures to prevent unauthorized access to customer
information.
We also note that one result of the disposal of consumer
information being listed as an objective of the Information Security
Guidelines is that banks must include provisions pertaining to the
disposal of consumer information in their contracts with their
service providers. We do not believe that such a requirement provides
any benefits, since the substance of the requirement would already be
addressed by the contractual provisions pertaining to the existing
objectives of the Information Security Guidelines. Providing unique
treatment to certain types of consumer information in contracts with
service providers also appears to be incongruous with the Agencies'
intent to treat the disposal of consumer information consistently with
the disposal of customer information. Specifically, banks need not
address the disposal of customer information in their contracts with
service providers. Furthermore, service providers will have
independent obligations to dispose of consumer information properly as
a result of the final rule issued by the Federal Trade Commission, the
federal banking agencies, the Securities and Exchange Commission, or
the NCUA under section 628 of the FCRA. In sum, we do not feel that
the burdens imposed on banks to review and potentially revise each and
every contract would provide meaningful consumer benefits.
Effective Dates
The Agencies propose to make the final rule effective three months
after it is published in the Federal Register. The Coalition believes
that six months would be more appropriate. Although the final rule
will not likely require wholesale changes to a bank's information
security program, the bank will need to evaluate what types of
information will be covered by the final rule. Banks are also working
hard to comply with the many other provisions of the FCRA that were
recently added or amended by Congress. Therefore, we believe six
months is more appropriate. Also, if the Agencies retain an approach
requiring contracts with service providers to be amended as a result of the final rule, the new requirements
should not apply for one year with respect to new contracts and for
two years with respect to contracts in existence on the effective
date of the final rule.
Thank you again for allowing the Coalition to comment on this
issue. Please do not hesitate to contact me at 202 464 8815 if the
Coalition can be of further assistance.
Sincerely,
Jeffrey A. Tassey
Executive Director
Coalition to Implement the FACT Act
919 18th St., NW, Suite 300
Washington, DC 20006