What Is the FACTA Disposal Rule?
The FACTA Disposal Rule, codified at 16 CFR Part 682, requires any business or individual that maintains or possesses consumer information derived from a consumer report to take “reasonable measures” to protect against unauthorized access to or use of the information in connection with its disposal. The rule was promulgated under the Fair and Accurate Credit Transactions Act of 2003 (FACTA) and became effective June 1, 2005.
Governing statute: Fair and Accurate Credit Transactions Act of 2003 (FACTA), amending the Fair Credit Reporting Act (FCRA), 15 U.S.C. §1681w
Key regulation: 16 CFR Part 682 (Disposal of Consumer Report Information and Records)
Current version: Effective June 1, 2005 — current, no major amendments
Enforcement body: Federal Trade Commission (FTC); federal banking regulators for banks
Official source: ftc.gov/disposal-rule
The scope of FACTA’s Disposal Rule is unusually broad because it applies to any business that receives information from a consumer reporting agency, regardless of the industry the business is in. Retailers that run credit checks, employers that conduct background screening, landlords that pull credit reports on prospective tenants, and auto dealers that access consumer financial information are all covered. FACTA did not create a regulated industry; it created a regulated activity (using consumer reports).
What the FACTA Disposal Rule Requires
The Disposal Rule requires one thing: take reasonable measures to dispose of consumer report information in a way that protects against unauthorized access or use. The rule defines “reasonable measures” through specific examples at 16 CFR §682.3(a).
Reasonable Measure 1: Burning, Pulverizing, or Shredding Paper (§682.3(a)(1))
Citation: 16 CFR §682.3(a)(1)
What it requires: Burning, pulverizing, or shredding papers containing consumer information so that the information cannot practicably be read or reconstructed.
Plain English: Paper records derived from consumer reports (credit applications, background check printouts, employment screening reports) must be physically destroyed. Throwing them in a dumpster or recycling bin violates the rule. Physical shredding to a particle size that prevents reconstruction satisfies the standard.
Reasonable Measure 2: Destroying or Erasing Electronic Media (§682.3(a)(2))
Citation: 16 CFR §682.3(a)(2)
What it requires: Destroying or erasing electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
Plain English: Hard drives, SSDs, laptops, backup tapes, and any other electronic media that stored consumer report information must be destroyed or erased before disposal. Deleting the files or reformatting a drive does not satisfy the standard, because the underlying data remains on the media. Physical destruction, or software erasure that meets an accepted industry standard (NIST SP 800-88 r2), satisfies the rule.
Reasonable Measure 3: Contracting with a Qualified Disposal Company (§682.3(a)(3))
Citation: 16 CFR §682.3(a)(3)
What it requires: Entering into a contract with another party engaged in the business of record destruction to dispose of material, specifically a contract that requires the disposal company to implement reasonable procedures for the destruction and disposal of the consumer information.
Plain English: A business can satisfy the rule by contracting with a qualified destruction vendor. The contract must require the vendor to use compliant destruction methods. The Certificate of Destruction from Data Destruction Inc. documents the vendor’s methods and satisfies the contractual verification requirement.
How Data Destruction Inc. Satisfies the FACTA Disposal Rule
Data Destruction Inc. satisfies 16 CFR §682.3(a) through NIST SP 800-88 r2 Destroy-level physical destruction of electronic media and provides a written contract structure that satisfies the third-party oversight requirement.
| Service | NIST r2 Category | FACTA Compliance Path |
|---|---|---|
| Hard drive shredding | Destroy (§3.1.3) | Media destroyed so information cannot practicably be read — satisfies §682.3(a)(2) |
| Hard drive crushing | Destroy (§3.1.3) | Physical elimination of media — satisfies §682.3(a)(2) |
| Witnessed destruction | All categories | Customer-witnessed destruction with signature documentation |
| Data wiping | Clear/Purge (§3.1.1/§3.1.2) | Electronic erasure meeting industry standard — satisfies §682.3(a)(2) |
The service agreement between Data Destruction Inc. and clients satisfies 16 CFR §682.3(a)(3) by contractually requiring NIST-conformant destruction methods. The Certificate of Destruction documents the destruction event with the specificity required to demonstrate compliance to FTC investigators or auditors.
Who Must Comply with the FACTA Disposal Rule?
The Disposal Rule applies to any “person” (individual or entity) that maintains or possesses “consumer information” in connection with their business. “Consumer information” means information derived from a consumer report about an individual.
Common covered organizations:
Retailers: Run credit checks for store credit cards or financing applications. The credit application information is consumer report information.
Employers: Use background screening companies for employment decisions. Background check data is consumer information under FACTA.
Landlords and property managers: Pull credit reports on prospective tenants. The credit data must be disposed of under FACTA requirements.
Healthcare organizations: Some use background checks for employees and contractors. That employment screening data is covered.
Financial institutions: Banks, mortgage companies, auto lenders, and credit unions use consumer reports extensively. They face both FACTA and GLBA disposal requirements.
Auto dealers: Pull credit reports for financing. Must dispose of the consumer information per the rule.
Government agencies: Federal agencies that obtain consumer reports for security clearances or employment purposes must comply with disposal requirements.
Small businesses are not exempt. The rule applies to every covered business regardless of size. A sole proprietor who runs background checks on contractors handles consumer information and must use proper disposal methods.
Enforcement and Penalties
The FTC enforces the FACTA Disposal Rule under the FTC Act (15 U.S.C. §45). Civil penalties apply for knowing violations.
FTC enforcement authority: Civil penalties up to $100,000 per violation under FCRA §616 and §617. FTC Act §5 provides additional enforcement authority for unfair or deceptive practices.
State attorneys general can enforce FCRA and bring civil actions for violations of the Disposal Rule. Individual consumers can also bring private lawsuits for actual damages, statutory damages of $100 to $1,000 per violation, punitive damages, and attorney’s fees.
Documented FTC enforcement actions involving disposal failures:
National Mortgage Company (2008): FTC enforcement action involving disposal of consumer information in open dumpsters, with a consent order requiring a document shredding program.
Multiple auto dealer actions (2012-2024): The FTC has pursued auto dealers that disposed of consumer financing applications without proper destruction.
California, New York, and Illinois have enacted statutes that impose additional disposal requirements and penalties for consumer information held by businesses.
Consumer Information Disposal: Method by Media Type
The FACTA Disposal Rule requires “reasonable measures” to prevent unauthorized access to consumer report information during disposal. NIST SP 800-88 r2 methods satisfy the “accepted industry standard” requirement. Use this matrix to select the correct disposal method for media that stored consumer report information.
| Media Type | FACTA Disposal Requirement | NIST r2 Category | DDI Method |
|---|---|---|---|
| Hard drives (HDD / SSD) | Cannot be read or reconstructed | Destroy (§3.1.3) | Hard drive shredding or crushing |
| Paper consumer reports | Cannot be read or reconstructed | Physical destruction (§682.3(a)(1)) | Cross-cut shredding / pulping |
| Backup tapes | Cannot be read or reconstructed | Destroy (§3.1.3) | Tape shredding / degauss + shred |
| Mobile devices | Consumer data cannot be accessed | Purge or Destroy (§3.1.2/§3.1.3) | Crypto Erase or physical shred |
| USB / flash drives | Cannot be read or reconstructed | Destroy (§3.1.3) | Physical shredding |
| Electronic media (reuse) | Consumer data erased to industry standard | Clear or Purge (§3.1.1/§3.1.2) | Data wiping per NIST standard |
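The matrix above and the "deleting the files does not satisfy the standard" point both rest on one fact: a filesystem delete removes only the directory entry, while the consumer record stays readable on the raw media until every block is overwritten (Clear), sanitized by a media command (Purge) or the media is destroyed. The following Python script is an added illustration written for this page, not code from Data Destruction Inc. or from NIST. It builds a constructed in-memory media image, shows that a simulated delete leaves the record recoverable by a raw scan, performs a Clear-style overwrite, and then runs the verification pass that NIST SP 800-88 expects after sanitization (full read-back, or a documented sample). All names, the 512-byte block size and the sample record are assumptions for the demonstration.

```python
"""Added illustration: why deletion is not disposal, and how a Clear-style
overwrite is verified. Runs entirely on an in-memory image (constructed
sample), never on a real device."""

BLOCK = 512  # assumed block size for the toy media image

# Constructed sample record; an obviously fake consumer-report excerpt.
SAMPLE_RECORD = b"CONSUMER REPORT: Jane Q. Sample, score 712 (constructed sample)"


def build_sample_media(record: bytes, blocks: int = 64) -> bytearray:
    """Construct a toy media image: filler bytes everywhere, with the
    consumer record written into block 10 (constructed sample data)."""
    img = bytearray(b"\xa5" * (BLOCK * blocks))
    start = 10 * BLOCK
    img[start:start + len(record)] = record
    return img


def logical_delete(directory: dict, name: str) -> None:
    """Simulate a filesystem delete: only the directory entry disappears;
    the data blocks on the media are not touched."""
    directory.pop(name, None)


def residual_present(img: bytes, marker: bytes) -> bool:
    """Raw scan of the media, ignoring the filesystem: is the record still
    readable? This is what a recovery tool would find."""
    return marker in img


def clear_overwrite(img: bytearray, pattern: bytes = b"\x00") -> None:
    """Single-pass overwrite of every host-addressable block (Clear-style).
    Caveat: on flash/SSD media the host cannot reach wear-levelled or
    over-provisioned blocks, so NIST SP 800-88 expects Purge (a sanitize or
    crypto-erase command) or Destroy rather than a host overwrite alone."""
    fill = pattern * BLOCK
    for i in range(0, len(img), BLOCK):
        img[i:i + BLOCK] = fill


def verify_sanitized(img: bytes, pattern: bytes = b"\x00",
                     sample_fraction: float = 1.0) -> bool:
    """Verification pass after sanitization: every checked block must hold
    the overwrite pattern. sample_fraction=1.0 reads back the whole image;
    a smaller fraction checks a deterministic stride of blocks (record which
    blocks were checked as evidence for the Certificate of Destruction)."""
    fill = pattern * BLOCK
    nblocks = len(img) // BLOCK
    stride = max(1, int(round(1 / sample_fraction)))
    for b in range(0, nblocks, stride):
        if img[b * BLOCK:(b + 1) * BLOCK] != fill:
            return False
    return True


def run_demo() -> dict:
    """Walk through delete -> raw scan -> overwrite -> verify and return
    the outcome of each step so it can be checked programmatically."""
    media = build_sample_media(SAMPLE_RECORD)
    directory = {"credit_app.pdf": {"block": 10}}  # constructed toy directory

    logical_delete(directory, "credit_app.pdf")
    after_delete = residual_present(media, SAMPLE_RECORD)  # True: still on media

    clear_overwrite(media)
    after_clear = residual_present(media, SAMPLE_RECORD)   # False: overwritten

    return {
        "directory_entries": len(directory),
        "residual_after_delete": after_delete,
        "residual_after_clear": after_clear,
        "verified_full": verify_sanitized(media, sample_fraction=1.0),
        "verified_sampled": verify_sanitized(media, sample_fraction=0.1),
    }


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The same verification loop can be pointed at a real block device opened read-only after a wipe; the point of the demonstration is the ordering: a delete or reformat changes `directory_entries`, not `residual_after_delete`, and only the overwrite followed by a read-back verification produces evidence that the media "cannot practicably be read or reconstructed".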
Regulations That Interact with the FACTA Disposal Rule
FACTA creates overlapping disposal obligations with other federal regulations. Organizations in healthcare, financial services, or retail often face FACTA alongside one or more of the following. A single NIST SP 800-88 r2 Destroy-level destruction process satisfies all simultaneously.
NIST SP 800-88 r2: The FTC-recognized technical benchmark for FACTA-compliant electronic media disposal.
GLBA Safeguards Rule: 16 CFR Part 314. Financial institutions face both GLBA and FACTA disposal obligations.
HIPAA Disposal Rule: Healthcare organizations with employee background checks face both HIPAA and FACTA obligations.
PCI DSS v4.0.1: Retailers accepting cards and using consumer reports face both PCI DSS and FACTA.
FISMA: Federal agencies that pull consumer reports for security clearances face FACTA and FISMA.
ISO 27001 / 27040: Multinational businesses may align FACTA disposal with ISO Annex A.7.14 requirements.
Authoritative Source and Official Regulation
FACTA Disposal Rule · 16 CFR Part 682 — Disposal of Consumer Report Information
Current Version: 16 CFR Part 682, effective June 1, 2005 — no major amendments
Original rule effective June 1, 2005. No major amendments to date. Monitor ftc.gov and the Federal Register for any FCRA or FACTA-related rulemaking that affects disposal requirements.
Frequently Asked Questions
Does the FACTA Disposal Rule apply to my business even if I am not in financial services?
Yes. The Disposal Rule applies to any business that uses consumer reports, regardless of the industry. Retailers, employers, landlords, healthcare organizations, and government agencies that obtain consumer report information from a consumer reporting agency must comply with the disposal requirement. The only question is whether your business obtains information from a consumer reporting agency. If yes, the rule applies.
What counts as “consumer information” under FACTA?
Consumer information under FACTA is any record about an individual that is derived from a consumer report. A consumer report is a report from a consumer reporting agency (like a credit bureau or background check company) bearing on creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Credit applications, background check results, employment screening reports, and tenant screening reports are all consumer information.
What is the difference between FACTA and FCRA for disposal purposes?
The Fair Credit Reporting Act (FCRA) is the underlying statute. FACTA is a 2003 amendment to FCRA. The Disposal Rule was created under FACTA at 15 U.S.C. §1681w and promulgated by the FTC at 16 CFR Part 682. For practical compliance purposes, the Disposal Rule at 16 CFR Part 682 is the operative requirement. FCRA’s enforcement provisions (§616 and §617) govern the penalties for Disposal Rule violations.
Does data wiping satisfy the FACTA Disposal Rule for electronic media?
Data wiping satisfies the rule when it meets an “accepted industry standard.” NIST SP 800-88 r2 Clear or Purge-level wiping satisfies this standard for media scheduled for reuse. For end-of-life media, physical destruction (Destroy-level per NIST r2) is the standard approach. For high-sensitivity consumer information, physical shredding is the recommended method because it eliminates any recovery pathway regardless of media type.
How does the FACTA Disposal Rule interact with HIPAA and GLBA?
FACTA, HIPAA, and GLBA create overlapping disposal obligations for organizations operating in multiple regulated categories. A hospital that runs employment background checks on staff has both HIPAA disposal obligations for PHI and FACTA disposal obligations for the background check data. A mortgage company has both GLBA and FACTA obligations. In practice, a single NIST SP 800-88 r2 Destroy-level destruction process satisfies all three simultaneously. The Certificate of Destruction documents the process for all three sets of auditors.
