Proper Destruction of Client Files

PA has long required that client files be disposed of in a manner which preserves confidentiality. That means shredding or burning. Many attorneys don’t like that answer when they contact me for guidance.

Now we can add Federal law to the mix. On June 1, 2005, the Federal Trade Commission published in the Federal Register [69 Fed. Reg.6901] the Disposal Rule under the Fair Credit Reporting Act FACTA

In an effort to protect the privacy of consumer information and reduce the risk of fraud and identity theft, this federal rule requires businesses to take appropriate measures to dispose of sensitive information held in records.

The Disposal Rule applies to:
· Consumer reporting companies
· Lenders
· Employers
· Landlords
· Government agencies
· Mortgage brokers
· Automobile dealers
· Attorneys or private investigators
· Debt collectors
· Individuals who obtain a credit report on prospective nannies, contractors, or tenants
· Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule.

What is ‘proper’ disposal?
The Disposal Rule requires disposal practices that are reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report. For example, reasonable measures for disposing of consumer report information could include establishing and complying with policies to:

· Burn, pulverize, or shred papers so that the information cannot be read or reconstructed;

· Destroy or erase electronic files or media containing information so that the information cannot be read or reconstructed;

· Conduct due diligence and hire a document destruction contractor to dispose of material .

Due diligence could include:

o Reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;

o Obtaining information about the disposal company from several references;

o Requiring that the disposal company be certified by a recognized trade association;

o Reviewing and evaluating the disposal company’s information security policies or procedures.

My appreciation to J.R. Phelps, my counterpart at the Florida Bar Association, for passing along this information.


To return to the main page of the blog, click here. To return to the blog Index, click here.

WordPress Themes