Sunday, April 24, 2005

New rule protects consumer info from Dumpster diving

Real estate finance companies must safely dispose of personal data
By Janis Mara, Inman News
Three years ago, an identity thief jumped into a filthy Dumpster behind a Washington, D.C., pizza place and stole Ray Everett-Church's credit card number from the pizza joint's discarded receipts.

In every consumer's worst nightmare, the thief used the card to buy $800 worth of watches from a Web site.

Though Everett-Church was able to set the matter straight before further damage was done, the process consumed hours of his time. His experience demonstrates the reasons behind a new federal rule mandating that businesses destroy customers' personal information before tossing it out.

The disposal rule of the Fair and Accurate Credit Transactions Act of 2003, or FACTA, goes into effect June 1. It mandates that anyone who has personal information from consumer credit reports must properly dispose of such material to protect against unauthorized access to the material.

Consumer concern over identity theft has skyrocketed in the wake of scandals over information theft from ChoicePoint and LexisNexis, among others. The new rule, which is just one part of FACTA, is specifically directed at businesses and individuals who obtain information from consumer credit reports, according to Dennis Kiker, an attorney at Moran Kiker Brown, PC.

"If the information comes from a credit report, it is covered by the rule. In the real estate and mortgage industries, particularly the mortgage side, that information often will be entered into another system," Kiker pointed out. Any information taken from a credit report, such as Social Security numbers, is covered, the attorney said.

In most instances, properly disposing of consumer information means shredding paper records containing information from credit reports or the credit reports themselves, and wiping computers clean of such data, Kiker said.

"The paper part is easy. If it's paper, you shred it," said Kiker, who specializes in litigation management, including document management programs.

The best way for a large-scale operation to shred paper is by hiring an outside company to do it, Kiker said. That way, as long as the information is identified as being affected by the FACTA rule, "if it gets out after leaving your hands, it's their (the outside company's) responsibility."

A sole proprietor or small company can just use a shredder from Home Depot or another store, he added.

With electronic data, sole proprietors and small companies can buy a software utility to clean the computer's hard drive, Kiker said. "Put consumer-identifying information in specific places, as simple as folders in Windows, and use software to eliminate that data."

In larger companies, the Information Technology department will dispose of the information, Kiker said. "For the big companies, it's understanding what the FACTA obligation is and taking care of it. This needs to be a part of an overall document retention policy. There needs to be someone responsible for implementing the policy and someone responsible for auditing it."

Generally, this is a good practice anyway, Kiker said.

"If a situation arises, the company needs to be able to demonstrate what they did to destroy the information. As long as they have made a good faith effort to eliminate it, they are very unlikely to result in any liability," Kiker said.

Generally, willful violation of the requirements can result in actual damages, or damages of not less than $100 nor more than $1,000, plus costs of the action, including attorneys' fees, the attorney said. Liability for negligent violation is limited to actual damages and the costs of the action, including attorneys' fees.

"It's not just the money," said Tena Friery, research director for the Privacy Rights Clearinghouse. "There is a tremendous amount of bad publicity associated with a breach. There was a case last week of medical records falling off a truck and scattering over the highway. The hospital will probably recover, but a mortgage broker who loses the faith of clients is another matter altogether."

Eventual financial losses to a company because of a damaged reputation can be enormous, Friery said. "ChoicePoint's reputation is really tanked," she said, referring to the scandals over data theft from the company.

With regard to the new rule, Everett-Church said, "In this day of rampant identity theft, what mortgage broker and real estate agent isn't already securely disposing of records containing deeply personal data?"

Everett-Church, who is himself a privacy expert, said, "I've witnessed people climbing into a Dumpster ankle-deep in half-drunk coffee behind my local Starbucks looking for credit card receipts. Anyone who doubts that data thieves haven't identified the offices of mortgage brokers, loan processors, settlement agents and anybody else with a goldmine of financial information in its Dumpster really has no concept of what's going on out there."

Friery and Kiker agreed that adhering to a set of security procedures shouldn't be anything new for mortgage brokerages. Kiker said most big companies are already sophisticated about safeguarding consumer-identifying information.

"The key is knowing if your document-retaining policies do address the FACTA rule and are being followed," Kiker said. "My experience is most big companies have good policies with regard to paper records, but often don't have policies for electronic data. The FACTA rule should be a component of every company's paper and electronic disposal policies."