NATIONAL ASSOCIATION FOR INFORMATION DESTRUCTION, INC.
July 23, 2004
Office of the Comptroller of the Currency
250 E Street, S.W.
Public Reference Room, Mail Stop 1-5
Washington, DC 20219
Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551
Robert E. Feldman, Executive Secretary
Attention: Comments, Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Regulation Comments, Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2004-26
RE: FACT Act Disposal Rule
OCC Docket No. 04-13
Board Docket No. R-1199
FDIC RIN No. 3064-AC77
OTS No. 2004-26
To the Banking Agencies:
The National Association for Information Destruction, Inc. ("NAID")
submits these comments on the regulations proposed by the Office of
the Comptroller of the Currency, Federal Reserve System, Federal
Deposit Insurance Corporation, and Office of Thrift Supervision
("Banking Agencies") entitled, Proper Disposal of Consumer Information
Under the Fair and Accurate Credit Transactions Act of 2003.[1]
Introduction
Identity theft is a serious crime that imposes enormous costs on
society. Tens of millions of Americans have been victims of identity
theft, costing consumers and businesses tens of billions of dollars.[2]
As President Bush recently stressed,
The crime of identity theft undermines the basic trust on which our
economy depends. When a person takes out an insurance policy [for
example], he or she must have confidence that personal financial
information will be protected and treated with care. Identity theft
harms not only its direct victims, but also many businesses and
customers whose confidence is shaken. Like other forms of stealing,
identity theft leaves the victim poor and feeling terribly violated.
But the losses are not measured only in dollars. Any identity
[thief] can steal the victim's financial reputation.... Repairing the
damage can take months or years.[3]
Numerous identity theft crimes are committed by so-called "dumpster
divers" who uncover sensitive financial information after it has been
disposed. Once there is access to enough of this information, "the
scope of fraud is limited only by the criminal imagination."[4]
One of the most efficient and effective ways to prevent identity theft
is to ensure the proper disposal of confidential information at the
point when documents are discarded in the normal course of business.
It makes far greater sense to adopt a strong rule that prevents these
"dumpster divers" and other criminals from accessing information, than
waiting until after massive losses have occurred and attempting (often
unsuccessfully) to find and prosecute the perpetrators after the fact.
NAID is the international, non-profit trade association of the
information destruction industry. NAID's members include individuals
as well as large and small businesses that provide information
destruction services. We are on the front lines of the information
disposal work that is addressed by this rule and we urge the Banking
Agencies to bolster this rule in several respects in order to ensure
that the rule is effective in preventing identity theft and that it
cannot be easily circumvented. In particular, these comments first propose a clear disposal standard.
Second, we suggest that the Banking Agencies add definitions for
"dispose" or "disposal," add a definition for the phrase "derived
from," and clarify the phrase "about an individual" within the
definition of "consumer information." Third, we recommend a fuller
explanation of the responsibilities of third-party record
custodians.
I. Disposal Standard
A. Proposed Standard
The Banking Agencies' supplementary information preceding the
proposed rule states that "an institution's information security
program should ensure that paper records containing either customer or
consumer information should be rendered unreadable as indicated by the
institution's risk assessment, such as by shredding or any other
means."[5] NAID urges the Banking Agencies to include this important
language in the text of the rule itself so that the covered
institutions will operate under a clear and enforceable standard.
Additionally, we recommend that the Banking Agencies specify in the
rule that this standard of rendering information unreadable applies to
electronic documents, in addition to paper records.
This standard will achieve Congress' goal of reducing the incidence
of identity theft resulting from improper disposal of records without
imposing unreasonable burdens in the process. Without this
clarification, the rule would fail to provide a clear standard with
respect to the central issue presented and might invite controversy as
to whether it remains permissible, at least in some cases, merely to
throw consumer information into the trash without ensuring its
destruction.
Furthermore, the Fair and Accurate Credit Transactions Act of 2003
("the FACT Act")[6] requires the Banking Agencies to "consult and
coordinate with each other such agency [issuing disposal regulations]
so that, to the extent possible, the regulations prescribed by each
such agency are consistent and comparable with the regulations by each
such other agency."[7] The Federal Trade Commission's ("FTC's")
proposed disposal rule requires covered entities to take "reasonable
measures" to protect consumer information. Examples of reasonable
measures include "[i]mplementing and monitoring compliance with
policies and procedures that require the burning, pulverizing, or
shredding of papers" and "the destruction or erasure of electronic
media containing consumer information so that the information cannot
practicably be read or reconstructed."[8] We recommend that the Banking Agencies adopt a
clear destruction standard that requires shredding and other safe
destruction practices to dispose of consumer information, a category
of documents which requires special treatment in Congress' estimation.
In this way, as required by the FACT Act, the regulations of the
Banking Agencies will be consistent and comparable with the FTC's
regulations.
B. Role of FFIEC Guidelines
The proposed rule references the Federal Financial Institutions
Examination Council ("FFIEC") Handbook,[9] which describes the methods
by which financial institutions should handle their sensitive
information. These hortatory measures provide helpful information
about designing and implementing effective information security
policies and procedures. In order to prevent identity theft by
imposing strong and clear requirements, NAID recommends that the
Banking Agencies' final rule require covered institutions to follow
the instructions set forth in this handbook.
C. Practical Advice for Compliance with the Standard
NAID recommends a new provision that will increase the
effectiveness of the rule in preventing identity theft and provide
clear guidance to covered entities that seek certainty regarding their
compliance. The Banking Agencies' rule should expressly advise record
owners to adopt a policy of shredding all documents that could
possibly contain consumer information. This practical advice is
especially important when it is not clear what sensitive information
is derived from consumer reports. At a minimum, NAID encourages the
Banking Agencies to disseminate this advice during their business
education campaign associated with the promulgation of these
regulations.
II. Definitions
A. Add Definition of "Dispose" or "Disposal"
For the sake of clarity, we suggest that the Banking Agencies
define the terms "dispose" or "disposal" within the rule. Similar to
the FTC's proposed rule,[10] NAID recommends the following language:
As used in this part, "disposing" or "disposal" includes: (1) the
discarding or abandonment of consumer information, or (2) the sale,
donation, transfer, or discarding of any medium, including computer
equipment, upon which consumer information is stored.
B. Information Derived from Consumer Reports
The Banking Agencies' supplementary information recognizes that
"the phrase 'derived from consumer reports' covers all of the
information about a consumer that is taken from a consumer report,
including information that results in whole or in part from
manipulation of information from a consumer report or information from
a consumer report that has been combined with other types of
information."[11] NAID recommends that the Banking Agencies add this
definition to the text of the rule. This clarification will foster
compliance under the rule, and promote the purpose of the rule by
preventing identity theft.
C. Records About Individuals
The proposed regulations limit application of the disposal
requirement to records "about an individual."[12] NAID
is concerned, however, that a portion of the commentary on the
proposed rules might generate some confusion regarding the breadth of
the rules. In particular, the commentary states that information that
"does not identify a particular consumer would not be covered under
the proposal."[13] Presumably, this comment is not intended to suggest that
the information must actually include the name of the consumer as
opposed to other information that might be associated with a
particular individual,
such as a social security number, bank account number, address, phone
number, or credit card number. Nonetheless, to avoid any confusion,
and to ensure that the commentary is consistent with the text of the
proposed rule itself, NAID recommends that the Banking Agencies
clarify that any consumer information, or compilation of consumer
information, that includes information about a particular individual
(as opposed, for example, to aggregate data) falls within the scope of
the proposed rules. In this respect, the commentary might simply
follow the language of the proposed rules themselves, which adopt this
approach and, in any event, will constitute the legally-operative
provisions.
III. Custodian Liability
Outsourcing by financial institutions of record storage and disposal
functions raises special concerns, including the risk that records
transferred overseas by storage and disposal companies might be
compromised. The FFIEC handbook provides some guidance by recognizing
that "[m]anagement is responsible for ensuring institution and
customer data is protected, even when that data is transmitted,
processed or stored by a service provider."[14] The Banking Agencies'
Guidelines for Safeguarding Member Information ("Guidelines") also
mandate that the covered entities "[r]equire [their] service
providers by contract to implement appropriate measures designed to
meet the objectives of these Guidelines."[15] The proposed disposal rule, in
turn, amends the objectives articulated in the Guidelines to include
the objective of "[e]nsur[ing] the proper disposal of consumer
information in a manner consistent with the disposal of customer
information."[16]
In general, the rule should clarify that financial institutions bear
responsibility for proper disposal of consumer information, even
when they make use of service providers. Thus, the rules should
require that financial institutions contractually require their
service providers to abide by the procedures established by the final
disposal regulations.
Notwithstanding this approach, in some instances third parties will
offer document disposal services. Financial institutions should be
permitted to transfer their responsibility to assure proper disposal
of consumer information to such entities only when those entities
affirmatively accept the responsibility and thus subject themselves to
the jurisdiction of the appropriate federal regulator and its disposal
rules, such as the Federal Trade Commission and its disposal rules in
the case of non-bank service companies. Nonetheless, service providers
should not be obligated to make independent determinations about
whether the documents in their custody constitute consumer
information. Any contrary rule that required service providers to
evaluate the contents of a financial institution's documents would be
costly and counter-productive. Clearly, the financial institutions
themselves are in the best position to determine whether their records
contain consumer information. Accordingly, we suggest the following
additional language to govern the use of third party disposal
companies:
Financial institutions are liable under these rules for proper
disposal of consumer information unless and until: (A) They enter a
contract with a third party, including garbage collectors, recyclers,
and records management and storage companies, pursuant to 12 C.F.R.
§ 30, App. B § III(D)(2), 12 C.F.R. § 225, App. F § III(D)(2), 12
C.F.R. § 364, App. B § III(D)(2), or 12 C.F.R. § 570, App. B § III(D)(2);
and (B) They notify the third party that transferred documents contain
consumer information.
This modification would close any potential loopholes by requiring
record owner financial institutions to arrange for the proper disposal
of consumer information and by requiring third parties who carry out
this work to comply with the requisite standards.
We respectfully request that the Banking Agencies consider our
proposed clarifications and modifications, which we believe will
further serve the laudable goal of minimizing identity theft in an
efficient and effective manner.
Respectfully submitted,
John Bauknight IV, President
Robert Johnson, Executive Director
[1] 69 Fed. Reg. 31913 (June 8, 2004) (to be codified at 12 C.F.R. pts.
30, 41, 208, 211, 222, 225, 334, 364, 568, 570, 571).
[2] Synovate/FTC, Identity Theft Survey Report 6-7, at http://www.ftc.gov/os/2003/09/synovatereport.pdf
(Sept. 2003); see also Report: Overview of the Identity Theft Program
(Oct. 1998-Sept. 2003), at http://www.ftc.gov/os/2003/09/timelinereport.pdf
(Sept. 2003).
[3] Remarks by the President at Signing of Identity Theft Penalty
Enhancement Act, at http://www.whitehouse.gov/news/releases/2004/07/20040715-3.html
(July 15, 2004).
[4] Deputy Attorney General James B. Comey, Ask the White House, at
http://www.whitehouse.gov/ask/20040715.html (July 15, 2004).
[5] 69 Fed. Reg. at 31916 (emphasis added).
[6] Pub. L. No. 108-159 (2003). The FACT Act amends the Fair Credit
Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq.
[7] FCRA § 628(a)(2)(A) (emphasis added).
[8] FTC Proposed Rule § 682.3(a), (b)(1)-(2), 69 Fed. Reg. 21388, 21392
(Apr. 20, 2004) (to be codified at 16 C.F.R. pt. 682).
[9] 69 Fed. Reg. at 31916.
[10] FTC Proposed Rule § 682.1(c), 69 Fed. Reg. at 21392.
[11] 69 Fed. Reg. at 31915.
[12] Id.
[13] Id.
[14] See FFIEC Information Security Booklet at 81, at
http://www.ffiec.gov/ffiecinfobase/booklets/information_secruity/information_security.pdf
(Dec. 2002).
[15] 12 C.F.R. § 30, App. B § III(D)(2); 12 C.F.R. § 225, App. F §
III(D)(2); 12 C.F.R. § 364, App. B § III(D)(2); 12 C.F.R. § 570, App.
B § III(D)(2).
[16] 69 Fed. Reg. at 31922.