STATUS: GLB Safeguards Rule issued May 2003; the Disposal Rule in effect June 1, 2005
FULL NAME: The Gramm-Leach-Bliley Act of 1999 (GLBA) (The Financial Modernization Act of 1999)
TARGET: Companies that collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The GLBA universe includes banks, credit unions, securities brokers, real estate appraisers, insurance companies, auto leasing companies, and retailers issuing credit cards. The Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. Under the final Rule, service providers are expressly covered and bear responsibility for proper disposal of consumer information that they maintain or otherwise possess.
DESCRIPTION: In general, GLB requires that financial institutions provide notices to their customers about their information collection and sharing practices, and restricts their ability to disclose a consumer’s personal financial information to nonaffiliated third parties. GLB directed the FTC to develop the Safeguards Rule, which applies to the protection of private information and requires companies to ensure its security and confidentiality. A key component of the Rule deals with data storage and proper destruction (see next section).
AGENCIES: Federal Trade Commission (FTC), Federal Reserve Board (FRB), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Office of Thrift Supervision (OTS), National Credit Union Administration (NCUA), and Securities and Exchange Commission (SEC).
DATA SECURITY FACTORS: The Federal Trade Commission (FTC) issued the Safeguards Rule as part of GLB Act implementation. It requires financial institutions to have measures in place to keep customer information secure. It further requires disposal of customer information in a secure way, consistent with the FTC Disposal Rule. Section 682.1(c) of the Rule defines “disposal” as including the discarding or abandonment of consumer information, as well as the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored. The FTC recommends that financial institutions incorporate secure data disposal practices into the information security program required by the Safeguards Rule.

Under the Disposal Rule, the FTC allows covered entities to consider their unique scenarios when determining disposal methods, which it refers to as “reasonable measures”. The method may reflect the sensitivity of the consumer information, the nature and size of the entity’s operations, the costs and benefits of different disposal methods, and relevant technological changes*. In non-committal language, the Rule is likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.

With regard to computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or other electronic media, the Safeguards Rule directs that the data be erased or destroyed so that the information “cannot practicably be read or reconstructed”. The Rule also includes service providers in its examples, suggesting that an entity monitor compliance when it contracts with a third party engaged in the business of record destruction to dispose of material. Due diligence could include reviewing an independent audit of the disposal company’s operations, requiring that the disposal company be certified by a recognized trade association or similar third party, and reviewing and evaluating the disposal company’s information security policies.
ENFORCEMENT / PENALTIES: The GLB Act provides severe penalties for noncompliance: fines up to $100,000 per violation; imprisonment up to five years. The officers and directors of the financial institution could be subject to, and personally liable for, a civil penalty of up to $10,000.
*Both the Safeguards Rule and Disposal Rule were issued prior to the issuance of Special Publication 800-88.