The Fair and Accurate Credit Transactions Act—commonly known as FACTA—is a federal law that most New York businesses interact with every day without realizing it. If your business pulls credit reports on employees, contractors, tenants, or customers; if you receive consumer report information from a credit bureau or background check vendor; or if you use any consumer report data in making business decisions, FACTA compliance shredding requirements apply to your organization. The FACTA Disposal Rule, codified at 16 CFR Part 682, requires that any consumer report information be destroyed in a way that protects against unauthorized access—and the Federal Trade Commission has brought enforcement actions against companies that failed to comply.
For New York businesses—from banks and lenders in the Financial District to property management companies in Nassau County to retail employers in Westchester—the volume of consumer report information generated in daily operations is substantial. Understanding exactly what must be destroyed, how it must be destroyed, and how to document that destruction is not just a legal obligation but a practical defense against data breach liability. This guide provides a comprehensive look at FACTA compliance shredding for New York businesses.
What the FACTA Disposal Rule Requires
The FACTA Disposal Rule (FTC’s 16 CFR Part 682) applies to any person who maintains or otherwise possesses consumer information for a business purpose. “Consumer information” is defined as any record about an individual—whether in paper or electronic form—that is a consumer report or is derived from a consumer report. The Disposal Rule requires that such information be disposed of properly to protect against unauthorized access or use.
The Rule lists specific examples of reasonable disposal methods:
- Burning, pulverizing, or shredding papers containing consumer report information so that the information cannot be read or reconstructed
- Destroying or erasing electronic files or media containing consumer information so that it cannot be read or reconstructed
- Hiring a shredding business to destroy consumer report materials, provided the business engages in due diligence by reviewing an independent audit of the shredding company’s operations, obtaining references and checking them, and requiring the vendor to provide certificates of destruction
The “reasonable measures” standard means that simply tossing old credit reports into a recycling bin is not compliant—and the FTC has demonstrated a willingness to pursue enforcement. Visit our compliance resources for guidance on FACTA-compliant document handling.
What Types of Documents Are Covered
FACTA compliance shredding applies to a broader range of documents than many businesses realize. Any document that contains information from a consumer report—or that was generated using consumer report data—is covered. Common examples in New York business contexts include:
- Credit reports and background check results used in employee screening
- Tenant credit applications and screening results used by property managers
- Customer credit applications and supporting financial documents used by lenders
- Printouts of credit bureau data used in underwriting decisions
- Internal documents (memos, emails, decision summaries) that reproduce or quote consumer report information
- Rejected applications that include consumer report data as supporting documentation
Note that the Disposal Rule applies to consumer information regardless of whether a credit decision was ultimately made. A rejected loan application file that includes a credit bureau report must be disposed of properly even though no credit was extended. Our one-time purge service is designed for businesses conducting periodic cleanouts of old application files and other FACTA-covered records.
FACTA and New York State Law: A Double Layer
New York businesses face FACTA compliance shredding obligations at the federal level while simultaneously operating under state-level requirements from the NY SHIELD Act and, where applicable, the New York Banking Law and Department of Financial Services (NYDFS) regulations. The overlapping frameworks share a common thread: consumer and employee personal information must be securely destroyed, and businesses must be able to demonstrate that secure destruction occurred.
Key state requirements that intersect with FACTA for New York businesses include:
- NY SHIELD Act physical safeguards requirements for any “private information” (which includes much of what FACTA covers)
- NYDFS Cybersecurity Regulation (23 NYCRR 500) for covered financial institutions, which requires secure disposal of nonpublic information
- New York Labor Law Section 203-d, which protects employee personal information and requires secure disposal when it is no longer needed
A single NAID AAA Certified shredding program with documented destruction procedures meets the physical disposal requirements of all these overlapping frameworks simultaneously. Explore our service areas to confirm we cover your New York location.
Due Diligence When Hiring a Shredding Vendor Under FACTA
FACTA specifically authorizes businesses to use a third-party shredding vendor to satisfy the Disposal Rule, but only if the business exercises appropriate due diligence in selecting and overseeing that vendor. The FTC’s guidance identifies three types of due diligence activities that businesses should undertake:
- Independent audit: Review an independent audit of the shredding company’s operations to verify that their security practices meet the Disposal Rule’s standard. NAID AAA Certification provides exactly this—an unannounced, independent audit of the vendor’s security procedures.
- References: Obtain and check references from other businesses that have used the vendor
- Certificates of Destruction: Require the vendor to provide Certificates of Destruction that document what was destroyed, when, and how
Document all three of these due diligence steps and retain that documentation. If the FTC ever investigates your disposal practices, your ability to demonstrate that you selected a vetted, certified vendor with documented due diligence is your primary defense. Contact New York Shredding for our NAID certification documentation and references.
Building a FACTA-Compliant Shredding Schedule for Your Business
The most effective FACTA compliance programs do not treat document destruction as an occasional event—they integrate it into routine business operations:
- Deploy locked shredding consoles in HR, lending, property management, and other areas where consumer report information is regularly handled
- Establish a retention schedule that defines the maximum period for retaining consumer report documents and triggers automatic destruction when those periods expire
- Train employees on what documents are FACTA-covered and ensure they understand that consumer report documents must go into locked consoles—not trash bins or recycling
- Schedule regular shredding service and retain all Certificates of Destruction for at least seven years
- Conduct periodic internal audits to verify that consumer report documents are being handled properly
Why New York Businesses Choose New York Shredding
For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.
Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.
Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.

