Handling Tenant Credit Reports: The “Disposal Rule”
Landlords typically get credit reports on prospective tenants, and use this information to choose or reject applicants. Under federal law, landlords must take special care that credit reports (and any information stored elsewhere that is derived from credit reports) are stored in a secure place where only those who “need to know” have access. (“Disposal Rule” of the Fair and Accurate Credit Transactions Act of 2003, known as the FACT Act, 69 Fed. Reg. 68690.)
In addition, landlords must carefully dispose of credit reports and such records when they’re done with them—for example, by using a shredder. This portion of the FACT Act was passed in order to combat the increasing reports of identity theft. It applies to every landlord who pulls a credit report, no matter how small your operation. The Federal Trade Commission, which interprets the Act, encourages you to similarly safeguard and dispose of any record that contains a tenant’s or applicant’s personal or financial information. This would include the rental application itself, as well as any notes you make that include such information.
How Landlords Should Handle Tenants’ Credit Reports
Implementing the Disposal Rule will require some effort and follow-through, though it need not be a burdensome chore. Here are some suggestions for landlords:
Maintain applicant, tenant, and employee files in a locked cabinet. This is a good practice for many reasons. Only you and your manager should have access to these files.
Determine when you no longer have a legitimate business reason to keep an applicant’s credit report. The Act requires you to dispose of credit reports or any information taken from them when you no longer need them. Unfortunately, you may need these reports long after you’ve rejected or accepted an applicant—they may be essential in refuting a fair housing claim. Under federal law, such claims must be filed within two years of the claimed discrimination, but some states set longer periods. Keep the records at least two years, and longer if your state gives plaintiffs extra time.
Establish a system for purging old credit reports. Don’t rely on haphazard file purges to keep you legal when it comes to destroying old reports. Establish a purge date for every applicant for whom you pull a report and use a tickle system.
Choose an effective purging method. The Disposal Rule requires you to choose a level of document destruction that is reasonable in the context of your business. For example, a landlord with a few rentals would do just fine with an inexpensive shredder, but a multiproperty operation might want to contract with a shredding service.
Don’t forget computer files. Reports stored on your computer, BlackBerry, iPhone, or other device, or information derived from them, must also be kept secure and deleted when no longer needed. Purchase a utility that will “wipe” the data completely—that is, a program that will delete not only the directory, but the text as well.
The Disposal Rule comes with teeth for landlords who willfully disregard it—that is, for those who know about the law and how to comply, but who deliberately refuse to do so. You could be liable for a tenant’s actual damages (say, the cost of covering a portion of a credit card’s unauthorized use), or damages per violation of between $100 and $1,000, plus the tenant’s attorney fees and costs of suit, plus punitive damages. The FTC and state counterparts can also enforce the Act and impose fines.
How Landlords Should Respond to Security Breaches
Despite your best efforts, information about your tenants may become lost or stolen. If you lose a laptop, become prey to a computer hacker, or suffer the consequences of a dishonest employee, sensitive identifying information about residents and applicants may result in their identify theft. The majority of states require landlords (and anyone keeping consumers’ sensitive information) to promptly notify consumers when a theft or loss of Social Security numbers, drivers’ license numbers, or account details occurs, so that the victims can take prompt action. For details on state security breach notification laws, see the National Conference of State Legislatures’ website.
The Federal Trade Commission (FTC) gives excellent guidance on how to alert applicants and residents if you experience a security breach. Check the article, “Information Compromise and the Risk of Identity Theft” on the FTC website, especially the “Identity Theft Resources” section.