COUNTY OF SACRAMENTO Consumer Information Disposal Policy

Transcription

1

2 COUNTY OF SACRAMENTO Consumer Information Disposal Policy Effective 12/12/ Purpose of the Policy As part of the federal effort to combat identify theft and other forms of consumer fraud, Congress passed the Fair and Accurate Credit Transaction Act (FACTA). In compliance with FACTA s mandate, the Federal Trade Commission (FTC) has issued regulations governing the disposal of consumer credit information (Disposal Rule). The regulations require that reasonable measures be taken to protect against unauthorized access to or use of consumer credit information in connection with its disposal. The County of Sacramento is committed to reducing identity theft and other fraud through protection of individually identifiable information. This document states the Consumer Information Disposal Policy for the County of Sacramento. 2.0 Definitions 1. A consumer report under the Fair Credit Reporting Act (FCRA) means any oral, paper, computer, or other communication of any information by a consumer reporting agency regarding a consumer s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used as a fact or to establish the consumer s eligibility for employment. 2. A consumer reporting agency under the FCRA means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties. 3. The Disposal Rule defines consumer information as any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from consumer reports. 4. The workforce is defined as employees, volunteers, trainees, and other persons whose conduct, in the performance of work for the County of Sacramento, is under the direct control of the County of Sacramento, whether or not they are paid by the County of Sacramento. 3.0 Scope of this Policy These regulations apply only to disposal of narrowly defined consumer report information, obtained from third party consumer reporting agencies, that identifies particular individuals. To the extent that members of the County workforce conduct credit and/or background checks, the regulations are not applicable. However, any consumer report or information derived from the report of a third party consumer reporting agency, as that term is defined by federal law, is subject to the regulations. 4.0 Policy for Disposal of Consumer Information It shall be the policy of the County of Sacramento that consumer report information will be disposed of in such a way that personal information is unreadable or incapable of being reconstructed. It is the responsibility of departments and agencies to become familiar with the standards for compliance and to apply these standards in the disposal of consumer report information. Sacramento County Consumer Information Disposal Policy Effective December 12, 2005 Page 1 of 4

3 Each department that utilizes consumer credit information shall document written procedures to track and dispose of paper or electronic media used for consumer information. 5.0 Effective Date of this Policy The effective date of the Disposal Rule is June 1, The effective date of this policy is December 12, Compliance Review for this Policy The Countywide Services Agency, Department of Compliance or its designated representatives will conduct a periodic review for compliance with this policy. This policy will be updated as required when new regulations (or court cases) impacting the disposal of consumer information are released. 7.0 Standards in Order to Comply with the Policy The standard is one of reasonableness. It requires implementation and monitoring compliance with adopted policies and procedures relating to the destruction of consumer information. There are a number of accepted methods of document destruction so that the information cannot be practicably read or reconstructed: 7.1 Paper Paper with consumer information must be disposed of by burning, pulverizing or shredding so that the information cannot practicably be read or reconstructed. 7.2 Electronic media Computer equipment that previously contained consumer information must be disposed of by destroying or erasing the information. A. If erased, the method shall meet the Department of Defense (DOD) standards, which states, the method of destruction shall preclude recognition or reconstruction of the classified information or material. All computer equipment shall be tested to ensure information cannot be retrieved. B. All other media shall have all the consumer information removed (the mechanism may vary depending on the media type) and tested to ensure the information cannot be retrieved. C. If the media is not technology capable of being erased, the media shall be overwritten or destroyed. 7.3 Use of a third party to dispose of consumer information The reasonableness measures standard requires monitoring compliance of any contract with another party who has been contracted to dispose of consumer information. Due diligence must be exercised in monitoring compliance, including: A. Any contracts entered into with a third party for the purpose of destroying consumer information shall include language requiring vendors to adhere to the County s Disposal Policy. A copy of the Policy shall be included in the bid solicitation (if applicable) and contract. B. Reviewing an independent audit of the disposal company s operations and/or its compliance; C. Obtaining information about the disposal company from references or other reliable sources; D. Requiring that the disposal be certified; E. Reviewing and evaluating of the disposal company s information security measures to determine the competency and integrity of the potential disposal company. Sacramento County Consumer Information Disposal Policy Effective December 12, 2005 Page 2 of 4

4 8.0 Policy Responsibilities: The following responsibilities are required of Managers and Supervisors, IT Support, the general County workforce, the Department of General Services, Contract and Purchasing Division, the Department of General Services, Support Services Division, Surplus Property and the Department of Compliance. 8.1 Responsibilities of Managers & Supervisors: A. Ensure that reasonable measures are taken to protect against unauthorized access to or use of consumer credit information in connection with its disposal. B. Ensure that any workforce members that access consumer credit information are aware of this policy and associated responsibilities. C. Monitor compliance by the workforce. D. Ensure that any third party who has been contracted to dispose of consumer credit information does so in a manner consistent with this policy and departmental procedures. E. Ensure that procedures to track and dispose of paper and electronic media use for consumer information are developed, documented and submitted to the Department of Compliance for review. Any procedures developed by departments shall be consistent with the County s Consumer Information Disposal Policy and not deviate from the County standard. 8.2 Responsibilities of IT Support: A. Ensure all hard drives are wiped clean before disposal or reuse. B. Test hard drives to ensure they are clean. C. Maintain an inventory and a record of movements of hardware and electronic media such as workstations, servers, or backup tapes. D. Ensure that a disposal tag is applied to PCs sent to Surplus subsequent to confirmation that the hard drive meets DOD standards. E. Ensure that identifying tags, such as names or phone numbers, have been removed. 8.3 Responsibilities of General Workforce: A. Workforce members shall follow their department procedures and adhere to County policy when disposing of consumer information. B. Protect against unauthorized access to or use of information in connection with its disposal. 8.4 Responsibilities of Department of General Services, Contract and Purchasing Division: A. Workforce members shall ensure that any contracts entered into with a third party for the purpose of destroying consumer information shall include language requiring vendors to adhere to the County s Disposal Policy. A copy of the Policy shall be included in the bid solicitation (if applicable) and contract. B. Workforce shall maintain due diligence, including reviewing an independent audit of the company s operations for compliance with the Disposal Rule, obtaining information from references or other reliable sources, taking appropriate measures to determine the competency and integrity of the potential disposal company. 8.5 Responsibilities of Department of General Services, Support Services Division, Surplus Property: A. Workforce members shall ensure computer equipment is authorized for surplus. Sacramento County Consumer Information Disposal Policy Effective December 12, 2005 Page 3 of 4

5 8.6 Responsibilities of Department of Compliance: A. Review all new and revised procedures submitted by the departments that utilize consumer credit information for approval and ongoing evaluation. Any procedures developed by Departments shall be consistent with the County s Consumer Information Disposal Policy and not deviate from the County standard. B. Work with Department of General Services, Contract and Purchasing Division ensuring that appropriate measures are taken to determine the competency and integrity of the potential disposal company. C. The Department of Compliance or its designated representatives will conduct periodic reviews for compliance with this policy. Sacramento County Consumer Information Disposal Policy Effective December 12, 2005 Page 4 of 4