This FACTA summary of the Disposal Rule will ensure your dealership is compliant and your customers’ identities are protected.
After spending a great deal of time with a prospect, it’s finally time: she’s decided she wants to buy the Jeep Liberty on your lot — and you’re the salesperson who is going to make it happen for her.
You’re thrilled; you worked hard for this sale, and you want to check out her credit report and get the financing on track ASAP. You run the report, print it out, take a look, and everything on it seems to be a green light. In a rush to close the deal, you leave the report on your desk. Eventually, you completely forget it’s there, and it gets lost among the files, piles, and clutter.
If this is a common everyday occurrence for you or other members of your team, you may be violating the Disposal Rule, which is part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA). Getting on board with the Disposal Rule is a huge part of auto dealership compliance, so if you’re not sure what your obligations are, keep reading for a FACTA summary of the Disposal Rule.
FACTA: Summary of the Disposal Rule
If you’re familiar with the federal Fair Credit Reporting Act (FRCA), FACTA added sections to that. The point of FACTA is mostly to protect your customers from identity theft — not something to take lightly, as every two seconds, an American has his or her identity stolen.
The Disposal Rule was added to FACTA in 2005, and it requires auto dealers — along with other businesses and individuals — to take appropriate measures to dispose of sensitive information derived from consumer reports. The proper disposal of sensitive, personal information is a critical step in preventing unauthorized access, misuse, or theft.
The good news? The Federal Trade Commission (FTC) is flexible as to how and when information is disposed of. They expect dealerships to figure out what type of measures are reasonable for them based on how sensitive the information is, the costs and benefits of various disposal methods, and any changes in technology.
Your FACTA summary of proper disposal methods
Regardless of how you choose to dispose of your customers’ private information, make a plan and stick to it so there is consistency across your dealership. Methods of disposal recommended by the FTC include:
- Shred papers so the information cannot be read or reconstructed
- Destroy or erase electronic files or media containing consumer report information
- Hire a contractor or company that specializes in the disposal of sensitive documents. If you go this route, you also need to do your due diligence to choose a reputable business. This could be accomplished by:
- Reviewing an independent audit of a disposal company’s operations and/or its compliance with the Disposal Rule
- Looking into several different independent references that can speak to the company’s discretion and reliability.
- Only choosing a company that is certified by a recognized trade association
- Taking time to review the company’s information security policies or procedures.
Follow the Disposal Rule and avoid penalties
There are penalties for non-compliance that your dealership likely doesn’t want to deal with. Depending on the situation, one or more of the following things could happen:
- The consumer may be entitled to recover actual damages sustained (in the case of identity theft, this amount can be quite large).
- The consumer may be able to recover statutory damages of up to $1,000.
- If a large number of consumers are affected by your non-compliance, they may be able to bring a class action suit against you and walk away with massive statutory damages.
- In addition to the penalties listed above for individuals or groups, you could be required to pay punitive damages and attorney fees.
Needless to say, it’s in your best interest — and your dealership’s best interest — to create a plan for proper disposal that fits within FACTA guidelines and follows the Disposal Rule. This will ensure your dealership is fully compliant, and your customers are protected from possible identity theft.