Compliance Resources
FACTA / FTC Disposal Rule
The FACTA Disposal Rule is the compliance obligation most businesses do not know they have. It applies to consumer report information — background checks, credit reports, tenant and employment screening — and it reaches nearly every employer and landlord, not just banks.
What the Disposal Rule says
Under the Fair and Accurate Credit Transactions Act, the FTC's Disposal Rule requires any person who maintains consumer report information for a business purpose to take reasonable measures to protect against unauthorized access when disposing of it. For electronic media, the rule's examples of reasonable measures include destroying or erasing media so the information cannot practicably be read or reconstructed.
"Any person" is the operative phrase. If your business has ever run a credit check on an applicant, screened a tenant, or pulled a background report, some of that information likely lives on your systems — and the rule follows it to disposal.
Where this bites in practice
HR machines and shared drives hold applicant screening results. Property managers hold tenant reports. Auto dealers, staffing firms, and landlords are squarely in scope. And the riskiest disposal events are the unplanned ones: an office cleanout, a company wind-down, equipment a former tenant abandoned — situations where nobody is thinking about what is on the drives.
This is also the rule that outlives a business. When a company closes, its disposal obligations do not dissolve with the entity — which is why trustees, receivers, and landlords handling leftover equipment should insist on documented media handling.
How our process supports Disposal Rule obligations
We are not providing legal advice — we are providing "reasonable measures" in documented form: storage media sanitized following NIST 800-88 guidelines, certificates of data sanitization, and serialized manifests on request, with paid onsite shredding available where physical destruction is preferred.
For the unplanned scenarios — cleanouts, wind-downs, abandoned suites — the process is built to start from photos and finish with paper, fast.
This page is general information, not legal advice. Regulations change and their application depends on your situation — confirm your obligations with your counsel or compliance advisor. What we provide is documented disposal: sanitization following NIST 800-88 guidelines, certificates, and manifests that support the procedures your advisors design.
Common Questions
We are a small office — does this rule really apply to us?
If you maintain consumer report information — background checks, credit pulls, tenant screening — for business purposes, the Disposal Rule applies regardless of company size. The measures just need to be reasonable for the sensitivity of the information.
Does the rule require a specific destruction method?
No. It requires reasonable measures, and its examples for electronic media are destruction or erasure that makes the information unreadable and unrecoverable. NIST 800-88-aligned sanitization with a certificate is a widely used way to meet that bar.
Who is responsible for equipment a defunct business left behind?
It depends on the situation, which is a question for counsel — but whoever disposes of it is the one making disposal decisions. That is why landlords and fiduciaries handling leftover equipment should use a documented process rather than a dumpster.
Retiring Equipment With Data On It?
Free pickup for qualifying business IT equipment across DFW — with the sanitization certificates and manifests your records need.
Schedule a Documented Pickup