Federal Deposit
Insurance Corporation

July 22, 2004

Jennifer J. Johnson
Secretary
Board of Governors of the Federal
Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Attention: Docket No. R-1199

Office of the Comptroller of the Currency
250 E Street, SW
Public Reference Room
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13

Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Attention: RIN No. 3064-AC77

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2004-26

Re: Proper Disposal of Consumer Information Under FACT Act, Section 216

Ladies and Gentlemen:

This comment letter is submitted on behalf of First National Bank of Omaha in response to the joint notice of proposed rulemaking ("Proposed Rule") and request for public comment by the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (collectively, the "Agencies"), published in the Federal Register on June 8, 2004. The Proposed Rule would require financial institutions under the Agencies' jurisdiction to develop, implement and maintain appropriate measures to properly dispose of consumer information. First National Bank of Omaha supports the Agencies' Proposed Rule and appreciates the opportunity to comment on this important topic.

Section 216 of the Fair and Accurate Credit Transactions Act of 2003 added section 628 to the Fair Credit Reporting Act ("FCRA") in order "to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report," such as the risk of identity theft or fraud.¹ Section 628 of the FCRA requires the Agencies, the Federal Trade Commission, the National Credit Union Administration and the Securities and Exchange Commission to prescribe consistent and comparable regulations that require "any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports" to properly dispose of this information or compilation.² Section 628 also directs the agencies to ensure that these regulations are consistent with the requirements and regulations issued under the Gramm-Leach-Bliley Act ("GLBA") and other federal law.³

The Final Rule Should State that "Consumer Information" Must Identify a Particular Consumer

The Proposed Rule would define "consumer information" as "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of [financial institutions] for a business purpose."⁴ The Supplementary Information to the Proposed Rule states that records that are "derived from consumer reports" would include any "information about a consumer that is taken from a consumer report," but that records that do "not identify a particular consumer" would not qualify as "consumer information."⁵ We support the proposed definition of "consumer information." This definition will allow financial institutions and companies providing services to financial institutions to apply consistent disposal procedures and, therefore, a consistent level of protection for all consumer information nationwide.

We are concerned, however, that the proposed definition of "consumer information" itself does not provide guidance as to the coverage of information that may identify a particular consumer. We believe that the text of the final rule should state expressly that information that does not identify a particular consumer does not qualify as "consumer information." This express statement would promote clarity and eliminate any ambiguity surrounding the phrase "any record about an individual." Information that does not identify a particular consumer poses little or no risk of consumer fraud or identity theft and, as a result, financial institutions should not be required to properly dispose of such information.

The Final Rule Should Harmonize the Disposal Rule with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information

In order to implement section 628, the Proposed Rule would amend the Agencies' FCRA rules and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("Guidelines"). The Proposed Rule would add a new section to the FCRA rules that would require financial institutions to "properly dispose of any consumer information that [financial institutions] maintain or otherwise possess in accordance with the [Guidelines]."⁶ The Guidelines, promulgated pursuant to sections 501 and 505 of the GLBA, provide that financial institutions must assess the risks to their customer information and customer information systems and implement appropriate security measures to control these risks. This "responsibility to safeguard customer information continues through the disposal process."⁷ The Proposed Rule would amend the Guidelines to require financial institutions to "develop, implement, and maintain as part of [their] information security program[s], appropriate measures to properly dispose of consumer information in a manner consistent with the disposal of customer information."⁸

We support the Agencies' determination that "consumer information" should be disposed of in a manner consistent with the disposal of "customer information." This standard would allow financial institutions to employ different standards based on the individual financial institution's risk assessment and circumstances in order to ensure appropriate disposal of consumer information. This standard would promote flexibility and would allow financial institutions to avoid disrupting existing practices under their information security programs, except where necessary to do so. This approach also would respond to the statutory mandate that the regulations issued be consistent with those issued under the GLBA by harmonizing the disposal rule with the Guidelines. This harmonization is essential because inconsistent requirements would result in confusion and poor implementation. In conclusion, we strongly support the Agencies' determination that the requirements for the disposal of consumer information should be part of financial institutions' larger information security programs.

First National Bank of Omaha appreciates the opportunity to comment on this important topic. If you have any questions concerning these comments, or if we may otherwise be of assistance in connection with this matter, please do not hesitate to contact Eric Durham, Director of Corporate Compliance at (402) 636-6647.

Sincerely,

Eric Durham
Director, Corporate Compliance
First National Bank of Omaha
P.O. Box 3331
Omaha, NE 68103

¹ 69 Fed. Reg. 31,913, 31,914 (June 8, 2004).
² FCRA §§ 628(a)(1)-(2).
³ FCRA § 628(a)(2)(B).
⁴ 69 Fed. Reg. at 31,918, 31,919, & 31,921.
⁵ Id. at 31,915.
⁶ Id. at 31,918, 31,919, 31,920 & 31,922.
⁷ 66 Fed. Reg. 8616, 8618 (Feb. 1, 2001).
⁸ 69 Fed. Reg. at 31,918, 31,919, 31,921 & 31,922.