FACTA 10 Years Later

In 2003, the Fair and Accurate Credit Transactions Act of 2003 (commonly known as FACTA) was enacted to give consumers certain protections against identity theft. Toward this end, it imposed some responsibilities on businesses. Ten years later, identity theft continues to grow and is the number-one consumer complaint today (more than 12.6 million cases were reported in 2012). As a small business owner, what are you supposed to do?

Overview of FACTA
Businesses, regardless of size, must adopt policies and procedures to ensure that sensitive financial data, such as credit card numbers and Social Security numbers, are not shared. This means having proper ways to mask, share, and dispose of this information, as well as ways to notify individuals when their personal data has been breached.

Protecting customers
What have you done to ensure that sensitive financial information about your customers is protected? Here's a to-do list for your business:

  • Write policies and procedures for your staff to follow. Include such points as banning the practice of leaving customer files in plain sight (whether paper files on a desk or on a computer screen), implementing good password protection, and securing paper documents waiting to be shredded.
  • Train employees on these policies and procedures. For example, employees should be advised not to discuss customer information.
  • Make sure that you never display more than five digits of a customer's credit card number (violation of this rule can result in penalties of $100 to $1,000 for each such customer if your action is willful).
  • Implement proper data destruction policies, such as adequate shredding for paper documents (using a commercial shredding device or a shredding service) and deletions from electronic databases.
  • Install controls on your database to alert you to any breaches.

Note: Putting policies and procedures in writing can go a long way toward protecting your business from liability if customer data is breached.
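The card-number rule above is the one item on this list that can be checked mechanically. The following Python is an added example, not part of the original article: a masking helper that never leaves more than five digits visible, and an audit routine that scans printed receipt text for unmasked card numbers so a shop can verify its point-of-sale output. The sample receipt is constructed, and the 4111... value is a widely published test card number, not a real account.

```python
import re

# FACTA truncation rule as stated in the article: show no more than five digits.
MAX_VISIBLE_DIGITS = 5

# Digit runs of 12-19 characters, optionally separated by spaces or dashes
# (the length range of ISO/IEC 7812 card numbers), not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs that are
    not card numbers. Every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Return the card number with every digit except the last `keep_last`
    replaced by '*'. Separators are dropped so the output gives no positional hints.
    keep_last defaults to 4 (common practice) and may never exceed the five-digit limit."""
    if keep_last > MAX_VISIBLE_DIGITS:
        raise ValueError(f"keep_last={keep_last} exceeds the {MAX_VISIBLE_DIGITS}-digit limit")
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("input does not look like a card number")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def is_truncated(masked: str) -> bool:
    """True if a masked value exposes no more digits than the rule allows."""
    return sum(c.isdigit() for c in masked) <= MAX_VISIBLE_DIGITS


def find_unmasked(text: str) -> list:
    """Scan receipt or log text and return every digit run that passes the Luhn
    check, i.e. every likely card number printed in full."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(m.group(0))
    return hits


# Constructed sample receipt: one unmasked test card number, one properly masked
# value, and an order number that is long but fails the Luhn check.
SAMPLE_RECEIPT = """Thank you for shopping
Card: 4111 1111 1111 1111  Exp 12/25
Card: ************1111
Order 123456789012
"""

if __name__ == "__main__":
    for hit in find_unmasked(SAMPLE_RECEIPT):
        print("unmasked card number found:", hit, "->", mask_pan(hit))
```

Running the audit over a day's receipt output (or over application logs, where full card numbers also tend to leak) gives a quick check that the masking policy is actually applied wherever numbers are printed, not just on the customer copy.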

Protecting employees
Not only do you have to protect the personal data of customers, you also have to protect the personal data of employees. This extends beyond Social Security numbers to include medical information and credit information. Here's a to-do list for your business:

  • Write policies and procedures that apply to protecting personal data during pre-employment screening and employment.
  • Obtain consent from a job applicant or current employee when requesting medical information. This relates to administering drug or alcohol tests that can show a current medical condition.
  • Obtain consent from a job applicant or current employee when doing a credit check (in states where this is permissible).
  • Implement proper data destruction policies, such as adequate shredding for paper documents and deletions from electronic databases.
  • Install controls on your database to alert you to any breaches.

Bottom line
Sure, compliance with FACTA is another government-imposed burden of running a business. But think of what it means not to comply. The Federal Trade Commission (FTC) is the primary enforcement agency. If you're found to have willfully violated the rules, you can be held civilly liable to each individual harmed (including punitive damages). Check the FTC's guidance for small businesses. When in doubt about your policies and procedures, talk with a lawyer who is knowledgeable about FACTA as it applies to businesses.
