FACT Act requires secure disposal but not receipt of consumer information?
Many federal, state and local laws and regulations have been implemented to protect the privacy of consumers and businesses alike. From the Federal Privacy Act, which requires government entities to protect the information of individuals and businesses, to HIPAA, which mandates the proper storage and disposal of patients’ medical and billing information, existing standards aim to protect against breaches of sensitive personal information.
These laws and regulations are important now more than ever, as identity theft affects over 10 million Americans each year. Most relevant, perhaps, is the Fair and Accurate Credit Transaction Act (FACTA), which established uniform national standards regarding handling and disposal of consumer information in the possession of all companies and organizations.
Specifically, FACT Act requires “any person or entity who maintains or otherwise possesses consumer information […] for a business purpose [to] properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
In short, FACT Act requires businesses to shred or otherwise destroy their consumers’ sensitive information.
However, the legislation falls short in protecting consumers’ information at a common point of origination – the mailbox.
Case in point: Pike County Water Authority in Troy, Alabama.
Just last week, the Pike County Water Authority (PCWA) discovered that hundreds of water bill payments had been stolen from its business mailbox. The thief made off with an undisclosed number of customers’ checks and has used the bank account information on them to create fraudulent checks, wreaking havoc for PCWA customers.
Now, PCWA has notified its customers that their bill payments may have been stolen and has extended bill due dates a month, while financial institutions are working with potential victims to stop fraudulent activity. Representatives of PCWA say they will likely have to switch to a PO Box or a locking mailbox, but in the meantime the mail carrier is honking the horn to notify them when the mail arrives.
These measures are too little, too late, as Pike County residents must fearfully await the fallout of PCWA’s failure to protect their information. How is it that a utility company that receives thousands of checks or credit card payments in the mail each and every month allows its customers’ sensitive financial information to arrive and await retrieval in an unsecured mailbox?
It seems obvious that any business or organization that receives sensitive customer information by mail should make every reasonable effort to protect that information from mail thieves (just as they are legally required by FACT Act to protect it from dumpster divers). Yet, it is not clear if FACT Act applies.
If it does not, it certainly should.
Identity theft is the fastest growing crime in the United States, and Javelin Strategy research indicates that “old fashioned methods” account for the majority of known ID theft cases: stolen wallets, stolen trash, and stolen mail. Moreover, one could imagine that an identity thief might prefer stealing sensitive documents from the mailbox over rifling through the trash, especially when most everyone uses a paper shredder nowadays.
The big picture is that most Americans have been habituated – from years of warnings by the government, financial institutions, and other authorities – to shred or destroy their sensitive documents rather than simply throwing them in the trash. Similarly, businesses religiously shred consumer information, and if they did not in the past, they are now legally obligated to do so.
Yet the paradox remains: the origin of the very documents these consumers and businesses so diligently shred is most commonly an unsecured mailbox. When will privacy regulations and consumer behaviors evolve to eliminate this Catch-22?