COALITION TO IMPLEMENT THE FACT ACT July 23, 2004 Robert E. Feldman, Executive Secretary Re: FACT Act Disposal Rule, RIN 3064-AC77 To Whom It May Concern: The Coalition to implement the FACT Act ("Coalition”) submits this comment letter in response to the Proposed Rule ("Proposed Rule") issued by the Federal Reserve Board, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and the Federal Deposit insurance Corporation (collectively, the "Agencies") regarding the disposal of consumer information by entities within the Agencies' jurisdictions ("banks"). The Coalition represents a full range of trade associations and companies that furnish and use consumer information, as well as those who collect and disclose such information. The Coalition appreciates the opportunity to comment on the Proposed Rule. SUMMARY The Agencies were charged by Congress in section 628 of the Fair Credit Reporting Act ("FCRA") to "issue final regulations requiring any [bank] that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of any such information or compilation." The Agencies issued the Proposed Rule in response to this requirement. As a general matter, the Coalition believes that the Proposed Rule takes the correct approach to the requirement of section 628. In particular, the Coalition is pleased that the Agencies have crafted a Proposed Rule to coincide with existing information security requirements already imposed on banks. By incorporating the Proposed Rule into the Agencies' respective information security guidelines ("Information Security Guidelines"), the Agencies have made it easier for banks to understand, and to comply with, the obligations described in the Proposed Rule. "Consumer Information" By statute, the Proposed Rule must address "consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose." The Agencies' definition of "consumer information" in the Proposed Rule generally tracks this statutory description. The Coalition appreciates the Agencies' clarification that "consumer information" must pertain to "an individual" and that information that does not identify a particular individual would not be "consumer information." We believe that the Agencies' interpretation is appropriate. The Coalition does not believe Congress intended to impose obligations with respect to the disposal of anonymous information since such information, if improperly obtained, could not be misused to commit identity theft or consumer fraud. Therefore, we urge the Agencies to retain this clarification in the text of the final rule itself. We also urge the Agencies to consider whether the final rule should apply to information which a bank does not know is "consumer information." For example, a bank may not know that information in its possession was derived from a consumer report and therefore cannot be expected to know that the information is subject to the Proposed Rule. Rule of Construction Section 628 of the FCRA states that it does not require a person to maintain or destroy consumer information, and that it does not alter any requirement imposed under other law to maintain or destroy such information. The Agencies essentially restate this rule of construction in the portion of the Proposed Rule amending the Agencies' regulation implementing the FCRA. We agree with the Agencies' decision to make this rule of construction explicit, and we request the Agencies retain it in the final rule. We also ask the Agencies to make a similar clarification in the portion of the Proposed Rule amending the Information Security Guidelines. Compliance Obligations The Agencies state that a bank should "implement appropriate measures to properly dispose of consumer information in a manner consistent with the disposal of customer information." The Coalition applauds the Agencies for allowing banks to provide for the disposal of consumer information in a manner consistent with how they dispose of customer information. In particular, the disposal of consumer information should be subject to the same risk-based analysis and protection to which customer information is currently subject under the Information Security Guidelines. We therefore commend the Agencies for recognizing that it need not propose a prescriptive rule describing the proper methods of disposal—the risk-based approach of the Information Security Guidelines does not lend itself to such treatment. The Coalition asks the Agencies, however, to delete the reference to the disposal of consumer information from the "objectives" of the Information Security Guidelines. The objectives of the Information Security Guidelines are those that were specified by Congress in the Gramm-Leach-Blilely Act ("GLBA") as the necessary objectives for banks' information security programs. Given that Congress did not amend the GLBA to add an additional objective, we do not believe Congress intended for Section 628 of the FCRA to establish a new objective for the Information Security Guidelines. Furthermore, the Information Security Guidelines establish broad objectives for banks to use when developing their information security programs. Among these objectives is to "protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer." We believe that the proper disposal of consumer information is just one of the several methods that can be used to achieve this objective. To include the proper disposal of consumer information as a separate objective would therefore appear to be redundant, and perhaps place undue emphasis on the disposal of information relative to other measures to prevent unauthorized access to customer information. We also note that one result of the disposal of consumer information being listed as an objective of the Information Security Guidelines is that banks must include provisions pertaining to the disposal of consumer information in their contracts with their service providers. We do not believe that such a requirement provides any benefits, since the substance of the requirement would already be ad-dressed by the contractual provisions pertaining to the existing objectives of the In-formation Security Guidelines. Providing unique treatment to certain types of consumer information in contracts with service providers also appears to be incongruous with the Agencies' intent to treat the disposal of consumer information consistently with the disposal of customer information. Specifically, banks need not ad-dress the disposal of customer information in their contracts with service providers. Furthermore, service providers will have independent obligations to dispose of consumer information properly as a result of the final rule issued by the Federal Trade Commission, the federal banking agencies, the Securities and Exchange Commission, or the NCUA under section 628 of the FCRA. In sum, we do not feel that the burdens imposed on banks to review and potentially revise each and every contract would provide meaningful consumer benefits. Effective Dates The Agencies propose to make the final rule effective three months after it is published in the Federal Register. The Coalition believes that six months would be more appropriate. Although the final rule will not likely require wholesale changes to a bank's information security program, the bank will need to evaluate what types of information will be covered by the final rule. Banks are also working hard to comply with the many other provisions of the FCRA that were recently added or amended by Congress. Therefore, we believe six months is more appropriate. Also, if the Agencies retain an approach requiring contracts with service providers to be amended as a result of the final rule, the new requirements should not apply for one year with respect to new contracts and for two years with respect to contracts in existence on the effective date of the final rule. Thank you again for allowing the Coalition to comment on this issue. Please do not hesitate to contact me at 202 464 8815 if the Coalition can be of further assistance. Sincerely, Jeffrey A. Tassey |
Last Updated 07/26/2004 | regs@fdic.gov |