Are You Ready for Brazil’s New Data Protection Law?
27 December 2018
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on...
Blog: Chronicle of Data Protection | 16 June 2010
On July 1, 2010, final regulations will go into effect that impose new obligations on entities that furnish information about individuals (“data furnishers”) to consumer reporting agencies (“CRAs”) for use in reports about those individuals. These regulations require data furnishers to institute reasonable policies and procedures that (1) ensure the accuracy and integrity of furnished information and (2) allow individuals to formally dispute the correctness of certain information that is furnished about them to CRAs directly with the data furnisher.
What Is a CRA, and Who Is a Data Furnisher?
The regulations were issued on July 1, 2009 jointly by a number of federal agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act (“FCRA”). Under the FCRA, a CRA is generally defined as an entity that regularly engages in assembling any information about individuals for the purpose of providing a report to a third party bearing on the individual’s creditworthiness, character, general reputation, personal characteristics, or mode of living, where such a report is expected to be used as a factor in establishing the individual’s eligibility for personal credit, insurance, or employment purposes. As the name sounds, the most common type of CRA is a credit bureau, but companies that perform background checks for employment purposes, or compile such information about a company’s employees to report for employment purposes, are also considered CRAs.
Accuracy and Integrity Rules and Guidelines
The accuracy and integrity rules within the new regulations require data furnishers to “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency.” “Accuracy” means that information furnished about an individual correctly:
“Integrity” means that information furnished about an individual:
Although this mandate is worded broadly, the regulation also specifically requires that data furnishers “consider” detailed guidelines (which are appended to the regulations) and “incorporate those guidelines that are appropriate.” By requiring data furnishers to “consider” and “incorporate” these guidelines, the regulation requires data furnishers to conduct an audit of their current furnishing policies and procedures. Moreover, the guidelines contain a list of specific components of policies and procedures that a furnisher “should address,” making these components de facto requirements of any written policies and procedures that result. These components include:
The regulation also specifies that policies and procedures must be appropriate to the nature, size, complexity, and scope of each furnisher’s activities. In addition, the regulation requires that furnishers review their policies and procedures “periodically” and update them as necessary to ensure their continued effectiveness.
Direct Dispute Rules
In addition to the accuracy and integrity rules, the new regulations also contain rules requiring data furnishers in most cases to investigate disputes that individuals submit directly to them regarding the accuracy of information that the furnishers reported to a CRA. Previously, the law encouraged individuals to submit their disputes through a CRA, rather than directly to data furnishers.
The new rules require data furnishers to conduct “a reasonable investigation” of any such dispute initiated by an individual over furnished data. Data furnishers do not need to conduct such an investigation, however, if any of a number of exceptions apply, including if the dispute is about the consumer’s identifying information; the identity of past or present employers; inquiries or requests for a consumer report; information derived from public records; information related to fraud alerts or active duty alerts; or information provided to a CRA by another furnisher.
The rules require a data furnisher to respond to disputes received at any business address, unless the furnisher has previously specified an address to the individual submitting the dispute or a specific address is listed on the report of the CRA incorporating the disputed information. After receiving a valid dispute notice from an individual, the data furnisher must conduct and complete an investigation within thirty days (unless the disputer provides additional information within that period). If the investigation finds that the information reported was inaccurate, the data furnisher must promptly notify and provide corrections to each CRA to which the furnisher provided inaccurate information.
Compliance Steps
At minimum, data furnishers must establish written policies and procedures regarding the accuracy and integrity of the information relating to its employees that it provides to CRAs. This will involve conducting a review of existing policies and procedures, both formal and informal, to determine if they comply with the guidelines appended to the regulations, and making modifications as needed. Data furnishers also must consider the specific components of policies and procedures listed in the guidelines appended to the regulations, and include those specific components in written policies and procedures if applicable. Further, data furnishers must adopt a process to review these policies and procedures periodically and update them as necessary to ensure their continued effectiveness.
To comply with the direct dispute rules, data furnishers should determine if they furnish any information to CRAs which is not subject to any of the exceptions in the regulation, and if they do, they must establish formal policies and procedures to ensure that they conduct a “reasonable investigation” of all direct disputes about individuals’ information provided CRAs.