ID theft rule casts wide net
Dover landlady Joyce Forsythe routinely runs credit checks on prospective tenants before agreeing to rent them her spare apartment.
“Sometimes, applicants give you a friend’s name when they’re asked for their last landlord’s name,” Forsythe explained. “A credit check gives you a way of checking where someone really lived, so you can find out whether they paid their rent on time, and left the place in decent order.”
But the New Hampshire Property Owners Association member was surprised to find out that a new federal rule now requires her and a host of small landlords and other similar businesses to completely destroy private consumer data to protect clients’ identities from being stolen.
“I didn’t know about it,” said Forsythe, secretary of the statewide group, which she says represents mostly small landlords. “If the law says we have to get rid of materials, then we need to spread the word.”
The new Federal Trade Commission rule, in effect since June 1, is part of a congressional crackdown on identity theft. Under the rule, personal information that businesses obtain from credit bureaus and other sources to help them make various business, credit, rental and employment decisions must be destroyed so that it can’t be stolen or re-used for illicit purposes. The rule covers paper and electronic files. It says data from credit reports, credit scores, work histories, insurance claims, check-writing histories, tenant history and medical information must all be burned, shredded or otherwise destroyed.
Susan LeDuc, a regulatory specialist with the law firm of Gallagher, Callahan & Gartrell in Concord, says the new rule will affect a slew of small businesses in New Hampshire — from landlords to car dealers, lawyers, lenders and private eyes. Non-compliance could mean a $2,500 federal penalty for each offense, and possible lawsuits from victims if their personal information gets into the wrong hands due to sloppy disposal.
“Most of our banks have been subjected to this type of rule already,” said LeDuc. “Instead, it affects some of those less-regulated entities — private landlords, small employers, some insurance agencies and debt collectors — it’s going to be a little hard for them to catch up to this. This is another section of law and regulation that’s going to apply to a pretty wide array of businesses.”
Is this good news for the shredder business? “I would think so,” said LeDuc.
Portsmouth landlord Basil Richardson said word about the new rule took him by surprise as well. “I had absolutely no idea,” said Richardson, who used to file records in brown paper bags. Richardson said he doesn’t collect Social Security numbers, “so it really wouldn’t make much difference, but it’s a nasty sort of thing to open up both ways.”
Richardson also questioned whether the federal government would live by its own standard. “What about when the Post Office misdirects your mail and someone else opens it and gets your bank account information, is the federal government going to be responsible for that?”
Dan McLeod, president of the New Hampshire Auto Dealers Association, said the new rule only adds to post-September 11th rules that already require car dealers to jump through hoops. “It’s nothing new,” said McLeod, whose organization represents about 600 new and used car dealerships, collision repair shops, motorcycle and RV dealers across New Hampshire. “It’s part of the federal safeguards rules. And when there’s certain information like credit applications with Social Security information on it, you must hold it in a safe place, and dealers have dealt pretty well with that. And when they discard it, you can’t just put it out on the curb in a garbage bag. These are shredded documents, and our guys have been doing that for quite a while. It’s protecting the private information of individuals and making sure Social Security numbers aren’t just handed around, and they take it pretty seriously.”
Car dealers have been forced to comply with new rules since the September 11th attacks, McLeod said. “There have been terrorism issues and privacy issues, a lot of regulatory requirements not just for car dealers. It’s not just making sure you can pay your bill, it’s making sure you’re not selling a vehicle to a terrorist. Then there’s the ‘do not call’ requirements. My point is the days of 20 years ago when you were running a retail auto business have changed dramatically. We now have a whole host of rules that require added effort, which means dollars and personnel, and they have nothing to do with selling or servicing cars. We’re not complaining. We’re just saying it’s increased the real cost of running a car dealership. It’s almost like you have to have a compliance officer.”
The new rule does not spell out when data has to be destroyed, or how it must be stored beforehand. “It is specifically addressing the destruction of consumer information,” said LeDuc. “It talks about reasonable and appropriate ways to prevent unauthorized access to it.”
“Any covered entity will be required to comply with the rules,” said LeDuc. “I don’t think anyone will be checking garbage bags.”
But she said businesses will pay the price — federal fines — “if there’s a discovery that some information was used. Because we have this rule, whatever it was that didn’t comply with the disposal rule will be subject to regulatory scrutiny.”