Privacy Rights in Self-Storage Safeguarding tenant and employee information
|By Scott I. Zucker|
|3/1/2006 – By Scott I. Zucker
What obligation does a self-storage operator have to protect tenants and employees from the risk of identity theft? Although the answer generally depends on federal and state laws, it is ultimately based on the operator’s individual effort to safeguard customer and staff information. Following are some updates in privacy issues as they apply to the storage industry.
Social Security Numbers
One of the first questions that comes up when a tenant signs his lease agreement is whether he needs to provide his Social Security number (SSN). When SSNs were first issued in 1936, the federal government assured the public that their use would be limited to Social Security programs. Today, however, they are frequently used in all sorts of applications. And because these numbers are so accessible, it’s relatively easy for someone to use an SSN to assume another’s identity and gain access to his bank accounts, credit accounts, utility records and other sources of personal information. Identity thieves can even establish new credit and bank accounts in the victim’s name.
There’s no law preventing a self-storage or other business from requesting an SSN as part of a transaction, and few restrictions on what it can do with the information once it has it. A customer may claim you can’t request his SSN under privacy laws; however, the Privacy Act of 1974 only applies to government agencies.
Under the act, all federal, state and local agencies must provide a disclosure statement explaining how the SSN will be used and under what statutory or other authority the number is requested. The act also states that an individual cannot be denied a government benefit or service if he refuses to disclose his SSN unless the disclosure is required by federal law.
Disposal of Records
Identity thieves can often find a wealth of personal data simply by “dumpster diving,” and the irresponsible disposal of consumer information by businesses has been cited in numerous instances of fraud. As a remedy, the Fair and Accurate Credit Transactions Act (FACTA) was passed in December 2003, a federal law designed to minimize the risks of identity theft and fraud. Under FACTA, the Federal Trade Commission was charged with developing information-disposal rules, which went into effect on June 1, 2005.
The scope of the rules is quite broad. They apply to “any employer, regardless of industry or size, that obtains a consumer report (whether a full credit report or a pre-employment check of public records).” In essence, they apply to anyone who maintains or possesses consumer information for business purposes. Consumer information is “any record about an individual, whether in paper, electronic or other form, that is a consumer report or derived from a consumer report.”
If a self-storage operator performs any credit or background checks on prospective tenants or employees, or uses any information taken from any type of consumer report, he is subject to the FCC’s disposal rules. As such, he must properly discard consumer information by taking reasonable measures to protect against its unauthorized access or use. He can handle the disposal himself or hire a third-party document-destruction service.
In most instances, proper disposal involves shredding or burning paper documents or wiping a computer clean of electronic data. Smaller operations can purchase a paper-shredder from an office-supply store to do their own shredding. They can also buy a software utility from a local computer store to clean their hard drives of sensitive information. Larger operations generally have an information-technology department to handle these tasks.
If you’re ever in doubt as to whether your disposal practices are sufficient, consult the rules directly. If you mishandle consumer information, you could be held liable for any resulting identity theft. If accused, you’ll need to demonstrate what you did to destroy the data.
As long as you’ve made a good-faith effort, you’re probably safe. Any willful violation of the disposal rules, however, can result in fees of $100 to $1,000 per violation plus the cost of the legal action, including attorneys’ fees. You might also be held liable for punitive damages. Fees for negligence are limited to the consumer’s actual damages plus the cost of action, including attorneys’ fees. In addition, the rules provide for administrative enforcement, which could include federal fines of up to $2,500 per violation.
Given the increased awareness of identity theft, fraud and other privacy issues, storage operators should develop policies to ensure the actual destruction of discarded records, particularly when they contain sensitive information. This also applies to personal records stored in units. If you’re ever left with boxes of records as the result of a delinquency, you should dispose of them properly. While the law may not extend to these abandoned records, it’s always better to be safe than sorry.
California and Texas
The names and addresses of the third parties that received his information in the preceding calendar year.
The Texas law, HB-698, took effect on Sept. 1, 2005. It requires businesses to destroy a broad range of discarded personal information that could be used to commit identity theft, including Social Security and other government-issued identification numbers, financial-account numbers and even e-mail addresses. Businesses that fail to comply can face fines of up to $500 per record.
The Fair Credit Reporting Act
The Fair Credit Reporting Act (FCRA) is intended to help consumers fight the growing crime of identity theft. For example, it provides that receipts for credit- and debit-card transactions can’t include more than the last five digits of the card number. Congress also adopted a new rule that entitles individuals to a free copy of their credit report annually.
FCRA gives an identity-theft victim the right to contact the credit-reporting agencies and flag his account. This new procedure, called a “fraud alert,” has already been incorporated by the three major credit bureaus: Equifax, Experian and TransUnion. The alert is initially effective for 90 days but can be extended, on request, for up to seven years. Once an alert is issued, any business asked to extend credit to the person in question must contact the applicant by phone or take other reasonable steps to ensure the credit application was not made by an imposter.
In addition, FACTA requires any business that provides credit, products or services to an identity thief to provide copies of all documents and transactions to the victim. The business must also provide copies of the requested documents to any federal, state or local law-enforcement agency specified by the victim.
These days, employers feel an increasing need to know the backgrounds of prospective and current staff. Since it’s important to employer and employee that the information accessed is truthful, it’s best to use consumer reports prepared by a third-party reporting agency, as these fall under the jurisdiction of the FCRA. Part of the purpose of the FCRA is to ensure that reports used to make important decisions, such as those related to a person’s employment, are accurate. Since privacy is obviously a factor, it also limits who has legitimate access to background information.
Public records may be a part of an employment-background check. This could include information regarding bankruptcy, civil judgments or tax liens. The FCRA imposes limits on the length of time such information can be reported by a consumer-reporting agency. For example, civil judgments and tax liens should not be reported after seven years, and bankruptcy should not be reported after 10 years. When noting a consumer’s bankruptcy, the report should include the type of bankruptcy filed.
An employer has certain obligations when performing a background check. First, he must get permission from the applicant or employee. This consent must be given on a separate form and cannot be included with other documents, such as an employment application. The employer must generate special notice if he’s seeking medical information. He must also notify the subject of a background check before taking any adverse action based on information disclosed.
Privacy rights are of significant concern to consumers and business operators, and the self-storage industry is not immune from risks associated with the use and access of customers’ personal data. It is the duty of every operator to be aware of local, state and federal laws that impact his business. It is also his obligation to use discretion and good judgment when disposing of tenant and employee information that could lead to identity theft.
A partner in the law firm of Weissmann & Zucker P.C. in Atlanta, Scott Zucker specializes in business litigation, with an emphasis on real estate, landlord-tenant and construction law. He is a frequent speaker at national conventions and the author of Legal Topics in Self-storage: A Sourcebook for Owners and Managers. He is also a partner in the Self-Storage Legal Network, a subscription-based legal service for self-storage owners and managers. For more information, e-mail email@example.com