What Your Business Needs to Know
Businesses of all types must comply with document retention guidelines. Depending on your industry niche, that could include HIPAA rules, FACTA retention guidelines, or stipulations published by organizations such as the IRS. Changes to FACTA guidelines in 2003 created a subjective approach to document retention rules that some businesses may not be aware of.
FACTA Retention Guidelines – 2 or 5 years
The concern regarding FACTA-related document retention comes into play in a situation of alleged liability regarding the handling of consumer credit information. The Fair and Accurate Credit Transactions Act modified the Fair Credit Reporting Act in 2003. One change FACTA brought was to the statute of limitations for bringing a complaint or suit against an organization that is liable in a data breach. Prior to FACTA, the statute of limitations was two years after the liability occurred.
FACTA changed the limitation to two years after a plaintiff discovered the liability or five years after the liability occurred. The earlier of the two dates would serve as the statute of limitations in any case, but experts point out that it can be very difficult for defendants to prove that a plaintiff had discovered an occurrence. Effectively, that sets the statute of limitations for almost any case at five years.
What Does it Mean for Businesses?
Businesses must keep records according to FACTA retention guidelines and ensure that they follow appropriate laws regarding breach notification and data protection. Because consumers can bring complaints up to five years after a breach occurs, data should be kept at least that long. Businesses should also consider using certified methods of notification when informing consumers of a breach or issue. Certified receipt of the notification proves the consumer “discovered” the event, allowing the two-year statute to take precedence.
Is shredding part of your FACTA compliance efforts?