Beginning June 1, 2005, the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) went into effect. It is targeted at combating identity theft by requiring all organizations and businesses (including associations and insurance agents and brokers) that use consumer reports to "take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal," whether it is stored in paper or electronic form.
In other words, information cannot be disposed of in a way that makes it easy for potential thieves to obtain it. For example, it is easy for someone to "dumpster dive" to get information thrown in the trash, so it is unlikely that simply throwing sensitive information in the trash will be considered a reasonable measure to prevent unauthorized access to it. Similarly, if the information is stored electronically on a computer, the computer should not be thrown out, sold or donated until the information has been deleted properly.
While the FACT Act cites examples of how to dispose of paper by burning, pulverizing or shredding it so that the information on it cannot be reconstructed, what is "reasonable" will be determined on an individual basis, taking into account the sensitivity of the consumer information, the nature and size of the insurance agent or broker’s business, the costs and benefits of different disposal methods and relevant technological changes.
Depending on the circumstances, reasonable measures may include shredding paper documents, destroying CDs and properly deleting electronic copies. Reasonable measures also are likely to include establishing policies and procedures to governing disposal, as well as appropriate employee training on those policies and procedures.
Also under the FACT Act, businesses accepting credit or debit cards for payment may not print more than the last five digits of the card number nor may they print the expiration date upon any receipt provided to the cardholder at the point of sale. This applies only to receipts that are electronically printed.
It does not apply to handwritten receipts or receipts displaying an imprint or copy of the card. The effective date of this restriction is Dec. 4, 2006 for any machine or device that prints receipts for credit or debit card transactions that is in use before Jan. 1, 2005, and was Dec. 4, 2004 for any machine or device that prints receipts for credit or debit card transactions that was first put into use on or after Jan. 1, 2005.
In addition, the FACT Act provides that:
- Consumer reporting agencies must disclose to a consumer his/her credit report for a "fair and reasonable fee" (currently set by the Federal Trade Commission at up to $9.50, but if state law requires a free or reduced rate, the state law controls)
- Consumers are entitled to receive a free consumer report from the three major consumer reporting agencies (i.e., Equifax, Experian and TransUnion) on an annual basis
- Consumers may post a fraud alert on their files with consumer reporting agencies, which requires potential creditors to contact the consumer directly before extending credit
- Consumers must be allowed to opt-out of affiliate marketing
- Consumer reporting agencies may not include medical information in reports used for employment, credit or insurance transactions without the consumer’s prior written consent.
IIABA’s Office of the General Counsel recently updated a memorandum which discusses the FACT Act as well as two other federal statutes, the Fair Credit Reporting Act (FCRA) and the Drivers Privacy Protection Act (DPPA) and their impact upon the ability of insurance agents and brokers to use driving records, consumer reports and credit scores.
IIABA may publish updated information at www.independentagent.com, log on as a member and go to the Legal Advocacy section’s "What’s New." For questions or additional information, contact Amy Hendricks, IIABA Assistant General Counsel at firstname.lastname@example.org; 800-221-7917.