Relation to Other Laws; Effective Date
248.16 — Protection of Fair Credit Reporting Act.
Nothing in this subpart shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), and no inference shall be drawn on the basis of the provisions of this subpart regarding whether information is transaction or experience information under section 603 of that Act.
248.17 — Relation to State laws.
(a) In general. This subpart shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such State statute, regulation, order, or interpretation is inconsistent with the provisions of this subpart, and then only to the extent of the inconsistency.
(b) Greater protection under State law. For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subpart if the protection such statute, regulation, order, or interpretation affords any consumer is greater than the protection provided under this subpart, as determined by the Federal Trade Commission, after consultation with the Commission, on the Federal Trade Commission's own motion, or upon the petition of any interested party.
248.18 — Effective date; transition rule.
(a) Effective date. This subpart is effective November 13, 2000. In order to provide sufficient time for you to establish policies and systems to comply with the requirements of this subpart, the compliance date for this subpart is July 1, 2001.
(b)(1) Notice requirement for consumers who are your customers on the compliance date. By July 1, 2001, you must have provided an initial notice, as required by § 248.4, to consumers who are your customers on July 1, 2001.
(2) Example. You provide an initial notice to consumers who are your customers on July 1, 2001, if, by that date, you have established a system for providing an initial notice to all new customers and have mailed the initial notice to all your existing customers.
(c) Two-year grandfathering of service agreements. Until July 1, 2002, a contract that you have entered into with a nonaffiliated third party to perform services for you or functions on your behalf satisfies the provisions of § 248.13(a)(2), even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information, as long as you entered into the agreement on or before July 1, 2000.
248.19-248.29 — [Reserved]
248.30 — Procedures to safeguard customer records and information; disposal of consumer report information.
(a) Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
(1) Insure the security and confidentiality of customer records and information;
(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
(b) Disposal of consumer report information and records — (1) Definitions (i) Consumer report has the same meaning as in section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
(ii) Consumer report information means any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. Consumer report information also means a compilation of such records. Consumer report information does not include information that does not identify individuals, such as aggregate information or blind data.
(iii) Disposal means:
(A) The discarding or abandonment of consumer report information; or
(B) The sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored.
(iv) Notice-registered broker-dealers means a broker or dealer registered by notice with the Commission under section 15(b)(11) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).
(v) Transfer agent has the same meaning as in section 3(a)(25) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).
(2) Proper disposal requirements — (i) Standard. Every broker and dealer other than notice-registered broker-dealers, every investment company, and every investment adviser and transfer agent registered with the Commission, that maintains or otherwise possesses consumer report information for a business purpose must properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
(ii) Relation to other laws. Nothing in this section shall be construed:
(A) To require any broker, dealer, or investment company, or any investment adviser or transfer agent registered with the Commission to maintain or destroy any record pertaining to an individual that is not imposed under other law; or
(B) To alter or affect any requirement imposed under any other provision of law to maintain or destroy any of those records.
[65 FR 40362, June 29, 2000, as amended at 69 FR 71329, Dec. 8, 2004]