On June 1, 2005,
the Federal Trade Commission enacted new rules regarding proper data destruction
relating to personal information such as names, addresses, and social security numbers. It's yet another provision of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)
, an act which among other things allows everyone in the United States and its territories to request a free credit report once a year from each of the major credit bureaus
. But many of the FACTA provisions, though well intentioned, remain obscure. As the old saying goes, if a tree falls in the forest and no one's around to hear it, does it still make a sound? In other words, do you know whether this rule applies to you (chances are it does), and do you know how to purge data (chances are you don't)?
The fine print
The new FTC rules apply to just about anyone doing business these days, perhaps even you. Beyond the obvious candidates, credit bureaus and financial institutions, the new FTC requirements, or the FACTA Disposal rule, extends to employers, landlords, automobile dealers, private investigators, debt collectors, and any individual who obtains credit reports on prospective contractors, such as nannies. According to the new FACTA rules, if you possess personal data within your workplace, you must make every effort to:
- Burn, pulverize, or shred papers containing credit report information so that the information cannot be read or reconstructed.
- Destroy or erase electronic files or media containing credit report information so that the information cannot be read or reconstructed.
- Conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as credit report information consistent with the rule.
The FACTA Disposal rule extends to employers, landlords, automobile dealers, private investigators, debt collectors, and any individual who obtains credit reports on prospective contractors, such as nannies.
That means you can no longer toss credit report printouts in the trash; you must burn, pulverize, or shred them instead. Failure to comply with the new regulations can result in civil and state penalties up to $1,000 per violation. Federal penalties can be as high as $2,500 for each incident. Violators also may open themselves up to class-action suits.
So what about digital versions of credit information? Destroying or erasing data covers a lot of territory.
Digital deletion is much harder than it seems
Destroying a hard drive includes smashing it to pieces or drilling holes into the case so that the magnetic disk inside is destroyed. But erasing digital data "so that the information cannot be read or reconstructed" is ill-defined within the new FTC rule.
Just because you delete a file within Windows doesn't mean that it's gone--on the contrary.
What if I told you that I could read all the deleted Windows OS files on any intact Windows OS hard drive? Or that law enforcement officers could reconstruct files you thought were long gone? Or that the hard drive you just bought on eBay might contain a gold mine in account information and passwords belonging to its previous owners? Back in 2001, I wrote about this in greater detail in a ZDNet AnchorDesk column on Windows data destruction
and how hard it is to get rid of a single file.
In short, just because you delete a file within Windows doesn't mean that it's gone. On the contrary, within Windows there's plenty of evidence the file existed (temporary backups, earlier saved drafts), often stored in spaces where there appears to be no data (this is called slack space). The solution is to overwrite the data with new data (usually ones and zeros) and to do that several times--the more the better.
Out, out, damn file
There are several free and downloadable products that work. One, Eraser, is notable because it will overwrite your data up to 35 times. By comparison, the government's own standard is 7 passes. I personally use the data shredder included within the Steganos Security Suite, which can overwrite data up to 100 times, more than enough to purge any data.
Even if you don't run a business, I recommend getting into the habit of shredding your electronic data. You never know when you might want to donate your old computer to a local school or charity or sell it on eBay. For more on FTC safeguards regarding consumer information see this PDF file.
Do you destroy electronic files? If not, why not? Talk back to me.