Understanding Financial Regulations with ITAD

Oct 30, 2017

The world of financial services and banking regulation is daunting. Organizations must ensure appropriate administrative, physical, and technical safeguards are taken to prevent unauthorized disclosures of both personally identifiable information (PII) and non-public information (NPI), whether or not it appears to be sensitive or confidential.

With traditional focus on network security and encryption to keep this data protected, the tremendous risk when taking IT resources out of service is often neglected. When planning to retire electronic equipment for resale, reuse or recycling, financial institutions must consider the following regulations in regard to off-network equipment:

Financial Industry Regulations

FACTA: In June of 2005 the Federal Trade Commission (FTC) published the Disposal Rule as a part of The Fair and Accurate Credit Transaction Act (FACTA). The Disposal Rule requires “any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, for a business purpose” to adopt procedures for proper data disposal. The disposal standards outlined in the rule require businesses to “destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed.” Failure to abide by FACTA may result in harsh penalties and legal action, and may result in class-action suits with victims.

GLBA: The Gramm-Leach-Bliley Data Protection Act (GLBA) became law in 1999, requiring financial institutions to protect consumer information. Businesses that collect personal financial information from consumers must comply with the privacy rights outlined in GLBA Safeguards Rule. This includes having a comprehensive, written information security program in place as well as a contracted disposition vendor. The act establishes policies for proper administrative, technical and physical safeguards to protect the privacy of individual customer financial information. Organizations are responsible for safeguarding private information even when in the possession of an outsourced company. When selecting a partner for data destruction, it is important to use due diligence to make sure data is being handled appropriately

SOX: The Sarbanes-Oxley Act (SOX) was implemented in July of 2002, standardizing the way organizations certify their financial reports. Any publicly traded company must establish, document, test and maintain effective internal controls and data security procedures. Policies may include data destruction procedures to produce detailed audit trails of all electronic storage media and devices when disposed of or when data becomes obsolete and is no longer able to be stored.

PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) applies to any financial institution that accepts credit card transactions. The standard was developed to create consistent data security standards and requires companies to maintain secure environments for transmitting and storing cardholder data, including tracking of data-containing technology like servers, computers, laptops, mobile devices, point-of-sale (POS) devices and other IT equipment. When data storage devices are ready to be disposed of or replaced, financial institutions must, “render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.” PCI recommends a “secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media.” Organizations must be able to prove in an audit that their processes and vendors meet these requirements.

When it comes to financial security rules and regulations surrounding data containing equipment, SEAM takes care of the compliance details for you. With audit-ready reporting and data destruction services adhering to the National Institute of Standards and Technology (NIST) SP 800-88 R1 standard, SEAM helps financial industry businesses implement cost-effective, secure, and compliant IT Asset Disposition solutions. Contact us for a risk assessment or to learn more about how SEAM can help.

Download the SEAM guide to Financial Regulations when disposing of electronic equipment here.