Financial Institutions Need Secure Data Destruction Policies to Comply With The Gramm-Leach-Bliley Act (GLBA)

What is the Gramm-Leach-Bliley Act?

Financial institutions must comply with information security and privacy regulations when they retire end-of-life computers, networking devices, servers, phones, and tablets. This article explains one of those compliance standards, the Gramm-Leach-Bliley Act (GLBA). By working with the right IT Asset Disposition (ITAD) partner, your company can reduce the risk of a breach like the one that occurred at Morgan Stanley and comply with GLBA and other compliance standards. The GLBA, enacted in 1999, primarily focuses on protecting consumer financial information held by financial institutions. It includes provisions to safeguard sensitive data, and its broader privacy and security framework carries requirements that reach the disposal of that data.


The GLBA, also known as the Financial Services Modernization Act, has three main components:

  1. The Financial Privacy Rule: Governs the collection and disclosure of consumers’ personal financial information by financial institutions.
  2. The Safeguards Rule: Requires financial institutions to implement security measures to protect customer information.
  3. The Pretexting Provisions: Protect consumers from individuals who obtain personal information under false pretenses.

Data Destruction under the GLBA

While the GLBA does not spell out data destruction requirements, its mandates imply the need for proper disposal of consumer information to prevent unauthorized access and preserve data security. The critical consideration here is the Safeguards Rule, which focuses on maintaining the confidentiality, integrity, and security of customer information.

The Safeguards Rule

The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. According to the FTC's guidance on Section 314.1(b), an entity is a "financial institution" if it is engaged in an activity that is "financial in nature" or is "incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k)." [1] The Rule compels financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. Data destruction is an integral part of this security program. Here is how the Safeguards Rule translates into data destruction requirements:


Key Points of the Safeguards Rule

  1. Comprehensive Security Program:
    • Financial institutions must develop, implement, and maintain a written comprehensive information security program that includes administrative, technical, and physical safeguards.
  2. Risk Assessment:
    • Institutions must conduct risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their customer information.
    • This includes risks in the storage, processing, and disposal of information.
  3. Design and Implementation of Safeguards:
    • Based on the risk assessment, institutions must design and implement safeguards to control the identified risks.
    • This includes developing policies and procedures to ensure secure data handling and disposal practices. Choosing the right data destruction partner can critically influence these safeguards.
  4. Regular Testing and Monitoring:
    • Institutions must regularly test and monitor the effectiveness of their safeguards.
    • This includes periodic review and adjustment of data destruction practices to ensure they mitigate identified risks effectively.

Securis performed on-site shredding for a financial services company. They told us that all hard drives had been removed and that we could recycle the 8 server cabinets. Upon inspection, we found 86 drives (72 SSDs and 14 hard drives). We shredded the 86 drives, saving the company from what could have been an expensive breach. The 86 drives that had been missed represented 15% of the total.


Best Practices for Data Destruction under the GLBA

Policies and Procedures:

Institutions should develop clear policies and procedures for IT Asset Disposition (ITAD) and data destruction. This includes outlining methods for securely destroying different data types (e.g., paper records and electronic data).

Secure Methods:

Ensure your ITAD service partner utilizes secure data destruction methods for digital data, such as shredding, incineration, degaussing, or software-based overwriting that follows NIST SP 800-88 and the IEEE sanitization standard. The chosen method should render the data unreadable and irrecoverable, and it must match the media: degaussing works only on magnetic media and has no effect on SSDs, and a software overwrite cannot reach flash blocks the drive's wear levelling has retired, so SSDs should be sanitized with the drive's own sanitize command or physically destroyed. Whatever the method, verify the result rather than assuming it.
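An overwrite pass is only worth certifying if you read the media back afterwards and confirm the original content is gone. The block below is an added example written for this article, not Securis code: it performs a multi-pass overwrite of a file-backed disk image (standing in for a block device), flushes each pass to stable storage, and then scans the whole image for markers sampled from the original content. The image contents, marker strings and function names are constructed for the example.

```python
"""Added example: NIST SP 800-88 'Clear'-style overwrite with a read-back
verification pass, run against a file that stands in for a block device.

Caveat (see lead-in): this is only meaningful on media where each logical
block maps to one physical location (magnetic disks). SSDs keep stale
copies in blocks the host cannot address, so use the drive's own
ATA SANITIZE / NVMe Format-with-Secure-Erase command, or shred them."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read/write granularity


def overwrite_file(path: str, patterns=(b"\x00", b"\xff", None)) -> int:
    """Overwrite every byte of `path` in place, one pass per pattern.
    A pattern of None means random data. Returns bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for pat in patterns:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n) if pat is None else pat * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force each pass past the page cache
    return size


def verify_clean(path: str, markers) -> bool:
    """Read the whole file back and confirm no marker (a sample of the
    original content) survives. Keeps a tail of the previous chunk so a
    marker straddling a chunk boundary is still detected."""
    longest = max(len(m) for m in markers)
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True
            window = tail + chunk
            if any(m in window for m in markers):
                return False
            tail = window[-(longest - 1):] if longest > 1 else b""


def sanitize_and_verify(path: str, markers) -> dict:
    """Overwrite, then verify; the verification result is what goes on
    the destruction record, not the fact that the overwrite ran."""
    dirty_before = not verify_clean(path, markers)
    written = overwrite_file(path)
    return {
        "dirty_before": dirty_before,
        "bytes_per_pass": written,
        "clean_after": verify_clean(path, markers),
    }


def demo() -> dict:
    """Build a constructed 'disk image' holding fake customer records,
    sanitize it, and return the verification result."""
    markers = [b"ACCT-4417-0098", b"SSN=123-45-6789"]  # constructed samples
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"customer-db\n" + markers[0] + b"\n")
        tmp.write(b"x" * (3 * CHUNK))          # filler spanning chunk boundaries
        tmp.write(markers[1] + b"\n")
        path = tmp.name
    try:
        return sanitize_and_verify(path, markers)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Against a real device you would pass the block device path (for example `/dev/sdb`) instead of a temp file and run as a user allowed to open it read-write; the verification scan is the part worth keeping even if you delegate the overwrite to a vendor tool.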

Employee Training:

Train IT employees on the importance of data sanitization and the specific procedures they must follow. Employees should understand the risks associated with improper disposal and the legal obligations under GLBA.


Third-Party Management:

Ensure third-party service providers handling data destruction can safeguard customer information by following GLBA requirements. This includes due diligence in selecting vendors, third-party risk assessments, and agreements specifying data destruction standards.

Documentation and Audit Trails:

Maintain documentation of data destruction activities, including the types of data destroyed or overwritten, the methods used, and verification of destruction. This information should be readily available for audit in your IT Asset Management system or the portal of your ITAD vendor. This audit trail can be reviewed to ensure compliance with the Safeguards Rule. In addition to the audit trail, ensure you receive a Certificate of Destruction from a certified IT asset disposition vendor, and reconcile its line items against your own inventory rather than filing it unread.

Incident Response:

Develop an incident response plan for addressing and mitigating any breaches related to data destruction. If an IT asset goes missing, it should be investigated. IT Asset Management best practices allow organizations to know where assets are at all times. Ensuring all assets are logged and inventoried, and that records are kept current, will allow you to determine where an asset was lost if it cannot be accounted for later.

Incident response should include procedures for investigating and remediating instances where your IT Department or ITAD vendor did not follow best practices for data sanitization or destruction.
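The audit-trail and incident-response points above come down to one recurring check: every data-bearing asset in the inventory must appear on the vendor's certificate with a method that actually works for its media type, and anything that does not line up becomes an investigation. The block below is an added example written for this article, not Securis code or a vendor portal export; the CSV exports, serial numbers, field names and the acceptable-method table are constructed for the example.

```python
"""Added example: reconcile an asset inventory against a vendor's
Certificate of Destruction line items. Any serial that is in the
inventory but not on the certificate is a missing asset to investigate;
any serial on the certificate that is not in the inventory is an
inventory gap (the 86 drives in the cabinet story would show up here);
any match whose method is not effective for that media is a sanitization
failure even though the paperwork says 'destroyed'."""
import csv
import io

# Constructed inventory export: every drive believed to be in the retired racks.
INVENTORY_CSV = """serial,media,asset_tag,cabinet
S1A001,hdd,FS-1001,rack-1
S1A002,ssd,FS-1002,rack-1
S1A003,ssd,FS-1003,rack-1
S1A004,hdd,FS-1004,rack-2
S1A005,ssd,FS-1005,rack-2
S1A006,hdd,FS-1006,rack-2
"""

# Constructed Certificate of Destruction: one line per drive the vendor sanitized.
CERTIFICATE_CSV = """serial,method,date,verified_by
S1A001,shred,2024-03-12,tech-17
S1A002,shred,2024-03-12,tech-17
S1A003,degauss,2024-03-12,tech-17
S1A004,overwrite,2024-03-12,tech-22
S1A007,shred,2024-03-12,tech-22
"""

# Methods NIST SP 800-88 treats as effective per media type (assumed table).
# Degaussing does nothing to flash, and a plain overwrite can leave data in
# unmapped flash blocks, so an SSD needs shredding or the drive's sanitize command.
ACCEPTABLE = {
    "hdd": {"shred", "degauss", "overwrite"},
    "ssd": {"shred", "sanitize_cmd"},
}


def load(csv_text: str) -> dict:
    """Index a CSV export by serial number."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory_csv: str, certificate_csv: str) -> dict:
    inv = load(inventory_csv)
    cert = load(certificate_csv)
    missing = sorted(set(inv) - set(cert))        # inventoried, never destroyed
    unexpected = sorted(set(cert) - set(inv))     # destroyed, never inventoried
    wrong_method = sorted(
        s for s in set(inv) & set(cert)
        if cert[s]["method"] not in ACCEPTABLE.get(inv[s]["media"], set())
    )
    return {
        "missing": missing,
        "unexpected": unexpected,
        "wrong_method": wrong_method,
        "miss_rate": len(missing) / len(inv) if inv else 0.0,
        "clean": not (missing or unexpected or wrong_method),
    }


def report(result: dict) -> list:
    """Lines for the incident ticket; empty when the reconciliation is clean."""
    lines = []
    for s in result["missing"]:
        lines.append(f"INVESTIGATE missing asset {s}: not on certificate")
    for s in result["unexpected"]:
        lines.append(f"INVENTORY GAP {s}: destroyed but never inventoried")
    for s in result["wrong_method"]:
        lines.append(f"RE-SANITIZE {s}: method not effective for media type")
    return lines


if __name__ == "__main__":
    res = reconcile(INVENTORY_CSV, CERTIFICATE_CSV)
    print(f"miss rate {res['miss_rate']:.0%}")
    print("\n".join(report(res)))
```

The method check is the one most programmes skip: a certificate that lists an SSD as "degaussed" is evidence that the drive was handled, not that its data is gone.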

Conclusion

The Gramm-Leach-Bliley Act's emphasis on protecting consumer financial information inherently requires robust data destruction practices. Through the Safeguards Rule, the GLBA requires financial institutions to establish or procure comprehensive security programs that include secure data disposal. By working with an experienced and certified ITAD partner like Securis, financial institutions can safeguard sensitive information, maintain consumer trust, protect shareholders, and ensure regulatory compliance.


[1] FTC, "FTC Safeguards Rule: What Your Business Needs to Know," https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Balancing Data Security, Sustainability, and Disposal Costs for IT Asset Disposition (ITAD)

Finding Balance

Electronic waste (e-waste) disposal has become a pressing issue in today's technology-driven world. E-waste, which includes discarded electronic devices like computers, smartphones, and other data-bearing equipment, presents significant sustainability, budgetary, and data security challenges. According to the EPA, only 12.5 percent of U.S. e-waste is properly recycled. E-waste represents just 2 percent of America's waste in landfills but makes up 70 percent of overall toxic waste.

Companies and government entities must balance the need to comply with data security regulations and dispose of e-waste in the least ecologically damaging way possible while managing their budgets by avoiding exorbitant disposal costs. Organizations that focus only on information security will likely blow out their budgets and miss their sustainability goals. Organizations that focus only on sustainability or cost could create a situation where they suffer a significant data breach.

An Information Technology Asset Disposition (ITAD) company that employs Certified Secure Data Destruction Specialists (CSDS) can ask you questions about your requirements and help you determine the most effective method of computer recycling.

Data Security

Data security is a paramount concern when disposing of e-waste. Electronic devices often contain sensitive personal and corporate information that, if improperly handled, can lead to data breaches and identity theft. Technology is constantly changing, and our teams regularly find data on company devices that their IT teams miss. Working with an expert service provider satisfies the best practice of separation of duties and provides a double check on your IT teams.


Ensuring that data is irretrievably destroyed before reuse or recycling is crucial. For example, Morgan Stanley was fined $100 million after hiring a company with no experience or expertise in data destruction to decommission thousands of hard drives and servers. In addition, a healthcare provider in Maine exposed the medical records of 100,000 citizens because of improper data sanitization practices. ITAD vendors that employ CSDS and are NAID AAA Certified can help your organization comply with security best practices.

Environmental Concerns

Improper disposal of e-waste can have severe environmental consequences. Electronic devices contain hazardous materials like lead, mercury, and cadmium, which can leach into soil and water, causing pollution, health risks, and even fines. If your ITAD vendor or their downstream recycling vendors do not follow the law and go out of business, your company could be left holding the liability.


Strategies for Minimizing Environmental Impact:

1. Reuse: An ITAD service provider may be able to resell late-model computers, which is the best way to lower your carbon footprint. Before selling, your ITAD provider must follow NIST SP 800-88 or IEEE sanitization best practices to remove all data from storage devices, and should verify the result on each device rather than trusting that the tool ran.

2. Recycling: Older electronics and computers that must be shredded because they hold sensitive or classified information may have limited value. In these cases, recycling individual components ensures that valuable materials are recovered and reused, reducing the need for raw material extraction and minimizing environmental damage. Partnering with an IT disposal vendor with a robust recycling and reuse plan simplifies this process.

3. Responsible Disposal: Work with R2v3 certified e-waste recyclers who follow environmentally sound practices, including the safe handling and disposal of hazardous substances. Sending e-waste overseas could violate laws and create security risks. NAID AAA and R2v3 certifications mean your ITAD vendor is required to follow strict standards. R2v3 certification involves rigorous audits by an independent third party that evaluate recycling practices in over 50 areas of operational and environmental performance. R2v3 is the leading standard for the electronics recycling industry, ensuring practices that protect the environment, human health, safety, and the security of the recycling process.

Disposal Costs

The cost of e-waste disposal can be a significant barrier for many organizations. Balancing the financial aspect of e-waste management with the need for data security and environmental protection is a top priority. Organizations that evaluate on price alone risk fines, their reputation, and future stock valuation.

Cost-Effective Disposal Solutions:

1. Bulk Disposal Discounts: Organizations can negotiate bulk disposal agreements and long-term contracts with certified recyclers to reduce per-unit costs.

2. Resale: Thoroughly sanitized servers and drives can be resold, reducing the volume of e-waste and offsetting disposal costs through a value recovery program.


Conclusion:

In summary, balancing data security, environmental concerns, and disposal costs requires partnering with an industry leader that ensures secure and environmentally sound computer recycling processes while offering cost-effective solutions. Vendors with industry certifications in data destruction and environmentally friendly recycling, and a robust value recovery program, are best positioned to advise your organization on asset management best practices and to dispose of IT assets effectively.