Thief Steals Credit Card Information from Dumpster and Buys Computer; Remember the Disposal Rule

Today the Edmonton Sun reported that:

"A crook used stolen credit card information to buy a laptop computer after an Edmonton company dumped 2,606 credit and debit card sales receipts in an unlocked dumpster, says the Information and Privacy Commissioner’s office. Monarch Beauty Supply came to the attention of Information and Privacy Commissioner Frank Work last September after Edmonton city cops advised that someone had turned over documents containing personal information from the Monarch Beauty Supply store in west Edmonton. The documents included the store’s daily financial records along with customer credit and debit sales receipts containing customers’ names, credit card numbers, expiry dates, customers’ signatures and debit card numbers. The receipts were for transactions over a two-year period. Work investigated and found that Monarch Beauty Supply had contravened the Personal Information Protection Act by dumping the sensitive information in the unlocked dumpster."

I’ve seen multiple organizations that have invested huge amounts of financial and human resources to protect their networks, and then have non-existent security over the data and computers they dispose of…many doing similar things, such as dumping large amounts of papers with confidential information into open dumpsters.  This incident happened in Canada, but these types of situations happen all the time in the U.S., and other countries, as well. 

I don’t think a lot of U.S. organizations, especially small- and medium-sized businesses, are aware of the Disposal Rule that is part of the U.S. Fair and Accurate Credit Transactions Act (FACTA).  The Disposal Rule went into effect on June 1, 2005.  The FTC provides a guidance document about how to comply with this rule.

Do you need to comply with the Disposal Rule?  The FTC says:

"The Disposal Rule applies to people and both large and small organizations that use consumer reports. Among those who must comply with the Rule are:

Consumer reporting companies
Lenders
Insurers
Employers
Landlords
Government agencies
Mortgage brokers
Automobile dealers
Attorneys or private investigators
Debt collectors
Individuals who obtain a credit report on prospective nannies, contractors, or tenants
Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule."

Technorati Tags







This entry was posted on Thursday, April 20th, 2006 at 9:31 am and is filed under Information Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply