NATIONAL ASSOCIATION FOR INFORMATION DESTRUCTION, INC.

July 23, 2004

Office of the Comptroller of the Currency
250 E Street, S.W.
Public Reference Room, Mail Stop 1-5
Washington, DC 20219

Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551

Robert E. Feldman, Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429

Regulation Comments, Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2004-26

RE: FACT Act Disposal Rule
OCC Docket No. 04-13
Board Docket No. R-1199
FDIC RIN No. 3064-AC77
OTS No. 2004-26

To the Banking Agencies:

The National Association for Information Destruction, Inc. ("NAID") submits these comments on the regulations proposed by the Office of the Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation, and Office of Thrift Supervision ("Banking Agencies") entitled, Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003.1

Introduction

Identity theft is a serious crime that imposes enormous costs on society. Tens of millions of Americans have been victims of identity theft, costing consumers and businesses tens of billions of dollars.2 As President Bush recently stressed:

    The crime of identity theft undermines the basic trust on which our economy depends. When a person takes out an insurance policy [for example], he or she must have confidence that personal financial information will be protected and treated with care. Identity theft harms not only its direct victims, but also many businesses and customers whose confidence is shaken. Like other forms of stealing, identity theft leaves the victim poor and feeling terribly violated. But the losses are not measured only in dollars. Any identity [thief] can steal the victim's financial reputation.... Repairing the damage can take months or years.3

Numerous identity theft crimes are committed by so-called "dumpster divers" who uncover sensitive financial information after it has been disposed. Once there is access to enough of this information, "the scope of fraud is limited only by the criminal imagination."4 One of the most efficient and effective ways to prevent identity theft is to ensure the proper disposal of confidential information at the point when documents are discarded in the normal course of business. It makes far greater sense to adopt a strong rule that prevents these "dumpster divers" and other criminals from accessing information than to wait until after massive losses have occurred and then attempt (often unsuccessfully) to find and prosecute the perpetrators after the fact.

NAID is the international, non-profit trade association of the information destruction industry. NAID's members include individuals as well as large and small businesses that provide information destruction services. We are on the front lines of the information disposal work that is addressed by this rule, and we urge the Banking Agencies to bolster this rule in several respects in order to ensure that the rule is effective in preventing identity theft and that it cannot be easily circumvented. In particular, these comments begin with a proposal for a clear disposal standard. Second, we suggest that the Banking Agencies add definitions for "dispose" or "disposal," add a definition for the phrase "derived from," and clarify the phrase "about an individual" within the definition of "consumer information." Third, we recommend a fuller explanation of the responsibilities of third-party record custodians.

I. Disposal Standard

A. Proposed Standard

The Banking Agencies' supplementary information preceding the proposed rule states that "an institution's information security program should ensure that paper records containing either customer or consumer information should be rendered unreadable as indicated by the institution's risk assessment, such as by shredding or any other means."5 NAID urges the Banking Agencies to include this important language in the text of the rule itself so that the covered institutions will operate under a clear and enforceable standard. Additionally, we recommend that the Banking Agencies specify in the rule that this standard of rendering information unreadable applies to electronic documents, in addition to paper records. This standard will achieve Congress' goal of reducing the incidence of identity theft resulting from improper disposal of records without imposing unreasonable burdens in the process. Without this clarification, the rule would fail to provide a clear standard with respect to the central issue presented and might invite controversy as to whether it remains permissible, at least in some cases, merely to throw consumer information into the trash without ensuring its destruction.

Furthermore, the Fair and Accurate Credit Transactions Act of 2003 ("the FACT Act")6 requires the Banking Agencies to "consult and coordinate with each other such agency [issuing disposal regulations] so that, to the extent possible, the regulations prescribed by each such agency are consistent and comparable with the regulations by each such other agency."7 The Federal Trade Commission's ("FTC's") proposed disposal rule requires covered entities to take "reasonable measures" to protect consumer information.
Examples of reasonable measures include "[i]mplementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers" and "the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed."8 We recommend that the Banking Agencies adopt a clear destruction standard that requires shredding and other safe destruction practices to dispose of consumer information, a category of documents which requires special treatment in Congress' estimation. In this way, as required by the FACT Act, the regulations of the Banking Agencies will be consistent and comparable with the FTC's regulations.

B. Role of FFIEC Guidelines

The proposed rule references the Federal Financial Institutions Examination Council ("FFIEC") Handbook,9 which describes the methods by which financial institutions should handle their sensitive information. These hortatory measures provide helpful information about designing and implementing effective information security policies and procedures. In order to prevent identity theft by imposing strong and clear requirements, NAID recommends that the Banking Agencies' final rule require covered institutions to follow the instructions set forth in this handbook.

C. Practical Advice for Compliance with the Standard

NAID recommends a new provision that will increase the effectiveness of the rule in preventing identity theft and provide clear guidance to covered entities that seek certainty regarding their compliance. The Banking Agencies' rule should expressly advise record owners to adopt a policy of shredding all documents that could possibly contain consumer information. This practical advice is especially important when it is not clear what sensitive information is derived from consumer reports.
At a minimum, NAID encourages the Banking Agencies to disseminate this advice during their business education campaign associated with the promulgation of these regulations.

II. Definitions

A. Add Definition of "Dispose" or "Disposal"

For the sake of clarity, we suggest that the Banking Agencies define the terms "dispose" or "disposal" within the rule. Similar to the FTC's proposed rule,10 NAID recommends the following language:

    As used in this part, "disposing" or "disposal" includes: (1) the discarding or abandonment of consumer information, or (2) the sale, donation, transfer, or discarding of any medium, including computer equipment, upon which consumer information is stored.

B. Information Derived from Consumer Reports

The Banking Agencies' supplementary information recognizes that "the phrase 'derived from consumer reports' covers all of the information about a consumer that is taken from a consumer report, including information that results in whole or in part from manipulation of information from a consumer report or information from a consumer report that has been combined with other types of information."11 NAID recommends that the Banking Agencies add this definition to the text of the rule. This clarification will foster compliance under the rule, and promote the purpose of the rule by preventing identity theft.

C. Records About Individuals

The proposed regulations limit application of the disposal requirement to records "about an individual."12 NAID is concerned, however, that a portion of the commentary on the proposed rules might generate some confusion regarding the breadth of the rules.
In particular, the commentary states that information that "does not identify a particular consumer would not be covered under the proposal."13 Presumably, this comment is not intended to suggest that the information must actually include the name of the consumer — as opposed to other information that might be associated with a particular individual, such as a social security number, bank account number, address, phone number, or credit card number. Nonetheless, to avoid any confusion, and to ensure that the commentary is consistent with the text of the proposed rule itself, NAID recommends that the Banking Agencies clarify that any consumer information, or compilation of consumer information, that includes information about a particular individual (as opposed, for example, to aggregate data) falls within the scope of the proposed rules. In this respect, the commentary might simply follow the language of the proposed rules themselves, which adopt this approach and, in any event, will constitute the legally operative provisions.

III. Custodian Liability

Outsourcing by financial institutions of record storage and disposal functions raises special concerns, including the risk that records transferred overseas by storage and disposal companies might be compromised.
The FFIEC handbook provides some guidance by recognizing that "[m]anagement is responsible for ensuring institution and customer data is protected, even when that data is transmitted, processed or stored by a service provider."14 The Banking Agencies' Guidelines for Safeguarding Member Information ("Guidelines") also mandate that the covered entities "[r]equire [their] service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines."15 The proposed disposal rule, in turn, amends the objectives articulated in the Guidelines to include the objective of "[e]nsur[ing] the proper disposal of consumer information in a manner consistent with the disposal of customer information."16

In general, the rule should clarify that financial institutions bear responsibility for proper disposal of consumer information, even when they make use of service providers. Thus, the rules should require that financial institutions contractually require their service providers to abide by the procedures established by the final disposal regulations.

Notwithstanding this approach, in some instances third parties will offer document disposal services. Financial institutions should be permitted to transfer their responsibility to assure proper disposal of consumer information to such entities only when those entities affirmatively accept the responsibility and thus subject themselves to the jurisdiction of the appropriate federal regulator and its disposal rules (in the case of non-bank service companies, the Federal Trade Commission and its disposal rules). Nonetheless, service providers should not be obligated to make independent determinations about whether the documents in their custody constitute consumer information. Any contrary rule that required service providers to evaluate the contents of a financial institution's documents would be costly and counter-productive.
Clearly, the financial institutions themselves are in the best position to determine whether their records contain consumer information. Accordingly, we suggest the following additional language to govern the use of third-party disposal companies:

    Financial institutions are liable under these rules for proper disposal of consumer information unless and until:

    (A) They enter a contract with a third party, including garbage collectors, recyclers, and records management and storage companies, pursuant to 12 C.F.R. § 30, App. B § III(D)(2), 12 C.F.R. § 225, App. F § III(D)(2), 12 C.F.R. § 364, App. B § III(D)(2), or 12 C.F.R. § 570, App. B § III(D)(2); and

    (B) They notify the third party that transferred documents contain consumer information.

This modification would close any potential loopholes by requiring record owner financial institutions to arrange for the proper disposal of consumer information and by requiring third parties who carry out this work to comply with the requisite standards.

We respectfully request that the Banking Agencies consider our proposed clarifications and modifications, which we believe will further serve the laudable goal of minimizing identity theft in an efficient and effective manner.

Respectfully submitted,

John Bauknight IV, President
Robert Johnson, Executive Director
Notes

1 69 Fed. Reg. 31913 (June 8, 2004) (to be codified at 12 C.F.R. pts. 30, 41, 208, 211, 222, 225, 334, 364, 568, 570, 571).
2 Synovate/FTC, Identity Theft Survey Report 6-7, at http://www.ftc.gov/os/2003/09/synovatereport.pdf (Sept. 2003); see also Report: Overview of the Identity Theft Program (Oct. 1998 – Sept. 2003), at http://www.ftc.gov/os/2003/09/timelinereport.pdf (Sept. 2003).
3 Remarks by the President at Signing of Identity Theft Penalty Enhancement Act, at http://www.whitehouse.gov/news/releases/2004/07/20040715-3.html (July 15, 2004).
4 Deputy Attorney General James B. Comey, Ask the White House, at http://www.whitehouse.gov/ask/20040715.html (July 15, 2004).
5 69 Fed. Reg. at 31916 (emphasis added).
6 Pub. L. No. 108-159 (2003). The FACT Act amends the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq.
7 FCRA § 628(a)(2)(A) (emphasis added).
8 FTC Proposed Rule § 682.3(a), (b)(1)-(2), 69 Fed. Reg. 21388, 21392 (Apr. 20, 2004) (to be codified at 16 C.F.R. pt. 682).
9 69 Fed. Reg. at 31916.
10 FTC Proposed Rule § 682.1(c), 69 Fed. Reg. at 21392.
11 69 Fed. Reg. at 31915.
12 Id.
13 Id.
14 See FFIEC Information Security Booklet at 81, at http://www.ffiec.gov/ffiecinfobase/booklets/information_secruity/information_security.pdf (Dec. 2002).
15 12 C.F.R. § 30, App. B § III(D)(2); 12 C.F.R. § 225, App. F § III(D)(2); 12 C.F.R. § 364, App. B § III(D)(2); 12 C.F.R. § 570, App. B § III(D)(2).
16 69 Fed. Reg. at 31922.