Financial Institutions Need Secure Data Destruction Policies to Comply With The Gramm-Leach-Bliley Act (GLBA)

Posted on Sep 27th, 2024 | Category: Blog

What is the Gramm-Leach-Bliley Act?

Financial institutions must comply with information security and privacy regulations when they retire end-of-life computers, networking devices, servers, phones, and tablets. This article explains one of those compliance standards, the Gramm-Leach-Bliley Act (GLBA). By working with the right IT asset disposition (ITAD) partner, your company can reduce the risk of a breach like the one that occurred at Morgan Stanley and comply with the GLBA and other compliance standards. The GLBA, enacted in 1999, primarily focuses on protecting consumer financial information held by financial institutions. It includes provisions to safeguard sensitive data and, through its broader privacy and security framework, sets the requirements that govern how that data is destroyed.

The GLBA, also known as the Financial Services Modernization Act, has three main components:

  1. The Financial Privacy Rule: Governs the collection and disclosure of consumers’ personal financial information by financial institutions.
  2. The Safeguards Rule: Requires financial institutions to implement security measures to protect customer information.
  3. The Pretexting Provisions: Protect consumers from individuals who obtain personal information under false pretenses.

Data Destruction under the GLBA

While the GLBA does not have explicit data destruction requirements, its mandates imply the need for proper disposal of consumer information to prevent unauthorized access and ensure data security. The critical consideration here is the Safeguards Rule, which focuses on maintaining customer information’s confidentiality, integrity, and security.

The Safeguards Rule

The Safeguards Rule took effect in 2003, but after public comment the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. “According to Section 314.1(b), an entity is a ‘financial institution’ if it’s engaged in an activity that is ‘financial in nature’ or is ‘incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k).’”[1] The Rule compels financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. Data destruction is an integral part of this security program. Here is how the Safeguards Rule translates into data destruction requirements:

Key Points of the Safeguards Rule

  1. Comprehensive Security Program:
    • Financial institutions must develop, implement, and maintain a written comprehensive information security program that includes administrative, technical, and physical safeguards.
  2. Risk Assessment:
    • Institutions must conduct risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their customer information.
    • This includes risks in the storage, processing, and disposal of information.
  3. Design and Implementation of Safeguards:
    • Based on the risk assessment, institutions must design and implement safeguards to control the identified risks.
    • This includes developing policies and procedures to ensure secure data handling and disposal practices. Choosing the right data destruction partner can critically influence these safeguards.
  4. Regular Testing and Monitoring:
    • Institutions must regularly test and monitor the effectiveness of their safeguards.
    • This includes periodic review and adjustment of data destruction practices to ensure they mitigate identified risks effectively.

Securis performed on-site shredding for a financial services company. They told us that all hard drives had been removed and that we could recycle the 8 server cabinets. Upon inspection, we found 86 drives (72 SSDs and 14 hard drives). We shredded the 86 drives, saving the company from what could have been an expensive breach. The 86 missed drives represented 15% of the company's total drives.

Best Practices for Data Destruction under the GLBA

Policies and Procedures:

Institutions should develop clear policies and procedures for IT asset disposition (ITAD) and data destruction. This includes outlining the methods for securely destroying each type of data they hold (e.g., paper records and electronic data).

Secure Methods:

Ensure your ITAD service partner uses secure data destruction methods for digital data, such as shredding, incineration, degaussing, or NIST 800-88 and IEEE-compliant software-based overwriting. Whichever method is chosen, it must render the data unreadable and irrecoverable.

Employee Training:

Train IT employees on the importance of data sanitization and the specific procedures they must follow. Employees should understand the risks associated with improper disposal and the legal obligations under the GLBA.

Third-Party Management:

Ensure third-party service providers handling data destruction can safeguard customer information in line with GLBA requirements. This includes due diligence in selecting vendors, third-party risk assessments, and agreements that specify the data destruction standards to be met.

Documentation and Audit Trails:

Maintain documentation of data destruction activities, including the types of data destroyed or overwritten, the methods used, and verification that destruction took place. This information should be readily available for audit in your IT asset management system or in your ITAD vendor's portal, so that the audit trail can be reviewed for compliance with the Safeguards Rule. In addition to the audit trail, ensure you receive a Certificate of Destruction from a certified IT asset disposition vendor.

Incident Response:

Develop an incident response plan for addressing and mitigating any breaches related to data destruction. If an IT asset goes missing, it should be investigated. IT asset management best practices allow organizations to know where their assets are at all times: ensuring that every asset is logged and inventoried, and that records are kept current, lets you trace where an asset was last seen if it cannot be accounted for later.

Incident response should include procedures for investigating and remediating instances where your IT Department or ITAD vendor did not follow best practices for data sanitization or destruction.
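An added example, not code from the original post or from Securis, of the reconciliation the two sections above call for: the institution's asset inventory is checked against the ITAD vendor's destruction log, surfacing drives with no valid destruction record (the missing-asset case to investigate), drives destroyed that were never inventoried (the situation in the 86-drive story), and destruction records that lack the fields an audit trail needs. The serials, asset tags, certificate numbers and the mapping of methods to NIST SP 800-88 sanitization categories are constructed assumptions.

```python
# Added example (not from the original post): reconcile an asset inventory
# against an ITAD vendor's destruction log. All identifiers are constructed.
from dataclasses import dataclass

# Methods the post names as acceptable, mapped to the NIST SP 800-88
# sanitization category each achieves (an assumption for this example).
ACCEPTED_METHODS = {"shred": "Destroy", "degauss": "Purge", "overwrite": "Purge"}
# Fields a destruction record must carry to serve as an audit trail.
REQUIRED_FIELDS = ("serial", "method", "certificate", "verified_by")

@dataclass
class Finding:
    unaccounted: list  # inventoried drives with no valid destruction record
    untracked: list    # destroyed drives that were never in the inventory
    incomplete: list   # (serial, missing fields) for records unfit for audit

def reconcile(inventory, destruction_log):
    """Cross-check inventory rows {serial, asset_tag, host} against vendor records."""
    inventoried = {row["serial"] for row in inventory}
    destroyed, incomplete = set(), []
    for rec in destruction_log:
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if rec.get("method") not in ACCEPTED_METHODS:
            missing.append("method")
        if missing:
            # A record without a method, certificate or verifier is not evidence
            # of destruction, so its drive stays on the unaccounted list.
            incomplete.append((rec.get("serial", "?"), missing))
            continue
        destroyed.add(rec["serial"])
    return Finding(
        unaccounted=sorted(inventoried - destroyed),
        untracked=sorted(destroyed - inventoried),
        incomplete=incomplete,
    )

INVENTORY = [  # constructed: what the asset management system says was retired
    {"serial": "SSD-0001", "asset_tag": "A100", "host": "db-01"},
    {"serial": "SSD-0002", "asset_tag": "A101", "host": "db-01"},
    {"serial": "HDD-0003", "asset_tag": "A102", "host": "file-02"},
]
DESTRUCTION_LOG = [  # constructed: export from the vendor portal
    {"serial": "SSD-0001", "method": "shred", "certificate": "COD-0001", "verified_by": "tech-a"},
    {"serial": "HDD-0003", "method": "overwrite", "certificate": "COD-0001", "verified_by": ""},
    {"serial": "SSD-9999", "method": "shred", "certificate": "COD-0001", "verified_by": "tech-a"},
]

if __name__ == "__main__":
    f = reconcile(INVENTORY, DESTRUCTION_LOG)
    print(f"investigate={f.unaccounted} untracked={f.untracked} unfit={f.incomplete}")
```

Any serial on the unaccounted list is an asset the incident response plan above should open an investigation for, while the untracked list points at an inventory that was wrong before the vendor ever arrived.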

Conclusion

The Gramm-Leach-Bliley Act’s emphasis on protecting consumer financial information inherently requires robust data destruction practices. Through the Safeguards Rule, the GLBA requires financial institutions to establish or procure comprehensive security programs that include secure data disposal. By working with an experienced and certified ITAD partner like Securis, financial institutions can safeguard sensitive information, maintain consumer trust, protect shareholders, and ensure regulatory compliance.

[1] https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

  • Christopher Madeira

    Director of Marketing

    ITAD Communications & Strategy Expert

    Snapshot / Quick Stats

    • 15+ years of experience in marketing strategy, brand development, and communications
    • Specialized in IT asset disposition (ITAD) messaging for compliance-driven industries
    • Former leadership roles at The Chronicle of Higher Education, CQ Press, and other respected publishers
    • Key focus areas: Market Trends, Client Education, ITAD Compliance Messaging, Thought Leadership, SEO-Driven Strategy

    Areas of Specialization

    • Market Trends & Competitive Analysis – Tracks shifts in ITAD, resale, and sustainability markets to shape strategy and keep Securis ahead of industry developments.
    • ITAD Compliance & Security Messaging – Crafts clear narratives that translate regulatory and data security requirements into approachable guidance for IT leaders.
    • Client & Stakeholder Education – Builds educational resources and thought leadership content that empower clients to make informed ITAD decisions with confidence.

    Professional Narrative (Career Journey)

    Christopher Madeira is the Director of Marketing at Securis, where he shapes how the company communicates its mission of Secure, Accurate, and Sustainable IT Asset Disposition to regulated industries, government agencies, and enterprise clients. With more than 25 years of experience in marketing and communications, Christopher brings a unique perspective on how to bridge technical ITAD processes with clear, client-centered storytelling.

    Before joining Securis, Christopher served in senior marketing roles across publishing and education organizations, including The Chronicle of Higher Education, CQ Press, and Congressional Quarterly. These positions gave him deep expertise in shaping brand positioning, leading cross-functional teams, and delivering content that informs and engages decision-makers.

    At Securis, Christopher drives marketing strategies that not only build awareness but also educate IT leaders on data security, compliance, and sustainability best practices. His work ensures that Securis remains a trusted voice in the ITAD industry, aligning brand authority with the company’s core differentiators: Secure, Accurate, and Sustainable services.

    Quote

    “Clear communication makes complex ITAD issues approachable for IT leaders.”

    Thought Leadership & Recognition

    Christopher is the author of numerous Securis blog articles on compliance, sustainability, and ITAD strategy. He has also developed content campaigns that help IT decision-makers understand the evolving landscape of secure data destruction, ESG reporting, and value recovery.

    Personal

    A strategist at heart, Christopher is passionate about helping organizations cut through the noise and understand the real risks — and opportunities — in ITAD. Outside of his professional work, he enjoys exploring D.C.’s history, traveling, connecting with his community, and aviation photography.

    Trust & Transparency

    Christopher ensures that every piece of Securis’ external communication is not only accurate but also aligned with the certifications and compliance standards that define the company’s reputation. His commitment to transparency reinforces Securis’ standing as a trusted partner for IT asset disposition.