Financial Institutions Need Secure Data Destruction Policies to Comply With The Gramm-Leach-Bliley Act (GLBA)

Posted on

Sep 27th, 2024

Category

Blog

Share on

What is the Gramm-Leach-Bliley Act?

Financial Institutions must comply with information security and privacy regulations when they retire end-of-life computers, networking devices, servers, phones, and tablets. This article explains one of those compliance standards, the Gramm-Leach-Bliley Act (GLBA). By working with the right IT Asset Disposition Partner, your company can reduce the risk of a breach like the one that occurred at Morgan Stanley and comply with GLBA and other compliance standards. The GLBA, enacted in 1999, primarily focuses on protecting consumer financial information held by financial institutions. It includes provisions to safeguard sensitive data and mandates specific requirements for data destruction as part of its broader privacy and security framework.

GBLA Gramm-Leach-Bliley Act

The GLBA, also known as the Financial Services Modernization Act, has three main components:

  1. The Financial Privacy Rule: Governs the collection and disclosure of consumers’ personal financial information by financial institutions.
  2. The Safeguards Rule: Requires financial institutions to implement security measures to protect customer information.
  3. The Pretexting Provisions: Protect consumers from individuals who obtain personal information under false pretenses.
information security

Data Destruction under the GLBA

While the GLBA does not have explicit data destruction requirements, its mandates imply the need for proper disposal of consumer information to prevent unauthorized access and ensure data security. The critical consideration here is the Safeguards Rule, which focuses on maintaining customer information’s confidentiality, integrity, and security.

The Safeguards Rule

The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. “According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”1  The rule compels financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. Data destruction is an integral part of this security program. Here’s how the Safeguards Rule translates into data destruction requirements:

Safeguard rules

Key Points of the Safeguards Rule

  1. Comprehensive Security Program:
    • Financial institutions must develop, implement, and maintain a written comprehensive information security program that includes administrative, technical, and physical safeguards.
  2. Risk Assessment:
    • Institutions must conduct risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their customer information.
    • This includes risks in the storage, processing, and disposal of information.
  3. Design and Implementation of Safeguards:
    • Based on the risk assessment, institutions must design and implement safeguards to control the identified risks.
    • This includes developing policies and procedures to ensure secure data handling and disposal practices. Choosing the right data destruction partner can critically influence these safeguards. 
  4. Regular Testing and Monitoring:
    • Institutions must regularly test and monitor the effectiveness of their safeguards.
    • This includes periodic review and adjustment of data destruction practices to ensure they mitigate identified risks effectively.

Securis performed on-site shredding for a financial services company. They told us that all hard drives were removed and that we could recycle the 8 server cabinets. Upon inspection, we found 86 drives (72 SSDs and 14 Hard Drives). We shredded the 86 drives, saving the company from what could have been an expensive breach. The 86 drives represented 15% of the total drives that were missed.

Data disintegration protects sensitive information

Best Practices for Data Destruction under the GLBA

Policies and Procedures:

Institutions should develop clear policies and procedures for IT Asset Disposition (ITAD) and Data Destruction. This includes outlining methods for securely destroying differing data types (e.g., paper records and electronic data).

Secure Methods:

Ensure your ITAD service partner utilizes secure data destruction methods for digital data, such as shredding, incineration, degaussing, or NIST 800-88 and IEEE-compliant software-based overwriting techniques. The chosen method should render the data unreadable and irrecoverable.

Employee Training:

Train IT employees on the importance of data sanitization and the specific procedures they must follow. Employees should understand the risks associated with improper disposal and the legal obligations under GLBA.

Hard drive shredding

Third-Party Management:

Ensure third-party service providers handling data destruction can safeguard customer information by following GLBA requirements. This includes due diligence in selecting vendors, 3rd party risk assessments, and agreements specifying data destruction standards.

Documentation and Audit Trails:

Maintain documentation of data destruction activities, including the types of data destroyed or overwritten, methods used, and verification of destruction.  This information should be readily available for audit in your IT Asset Management system or the portal of your ITAD vendor.   This audit trail can be reviewed to ensure compliance with the Safeguards Rule. In addition to an audit, ensure you receive a Certificate of Destruction from a certified IT asset disposition vendor. 

Incident Response:

Develop an incident response plan for addressing and mitigating any breaches related to data destruction.  If an IT asset goes missing, it should be investigated.   IT Asset Management best practices allow organizations to understand where assets are at all times.  Ensuring all assets are logged and inventoried and that records are kept current will allow you to examine where an asset was lost if it cannot be accounted for later.  

Incident response should include procedures for investigating and remediating instances where your IT Department or ITAD vendor did not follow best practices for data sanitization or destruction.

Conclusion

The Gramm-Leach-Bliley Act’s emphasis on protecting consumer financial information inherently requires robust data destruction practices. Through the Safeguards Rule, the GLBA mandates financial institutions to establish or procure comprehensive security programs that include secure data disposal. Working with an experienced and certified ITAD partner like Securis, financial institutions can safeguard sensitive information, maintain consumer trust, protect shareholders, and ensure regulatory compliance. 

 

https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know