Crime and Punishment
So far, there are no specific consequences for companies that fail to adequately protect their customers’ personal financial data. “There is no federal requirement for how data [companies] handle information,” says Delgado, which means that there are no clear-cut punishments for mishandling the data.
But that is changing. Recently, a number of laws and regulations have sprung up to protect consumers from fraud and identity theft. In June, the FACT Act’s data destruction rules went into effect, requiring property owners to take “reasonable measures” to properly dispose of consumer reports and information.
That means that rather than simply tossing credit reports, credit scores, employment background checks, medical histories, and other records into a dumpster– where Jay Harris, vice president of business services at Registry-SafeRent, Rockville, Md., says they could be vulnerable to “Dumpster diving” by identity thieves– a property must pulverize, shred, burn, or otherwise render such documents unreadable and inaccessible.
The rules set no timetable for destroying data, leaving that schedule up to the individual business. “You are to destroy the records when you don’t need them anymore, but there are reasons that you have to hang on to records for a certain period of time,” Delgado says.
The FACT Act also spells out the obligation of the property owner and other companies to provide information to law enforcement, to properly identify a person applying to rent an apartment, to stop collection of a debt when the debt is based on identity theft, and to ensure that transaction information is not revealed to the wrong persons.
In addition to the FACT Act, Congress continues to pursue measures that would protect the consumer and put more data security responsibilities on businesses. Sen. Dianne Feinstein (D-Calif.) recently introduced a bill that would require companies to quickly inform their customers of a broad range of security breaches.