September 27, 2021
Keeping personally identifiable information (PII) safe and secure is a hot topic right now, given the steep rise in identity theft over the past few years. The following article delves into the Gramm-Leach-Bliley Act (GLBA), a key piece of legislation that governs how financial institutions safeguard customers’ personally identifiable financial information.
What Is the Intent of the Gramm-Leach-Bliley Act?
The Gramm-Leach-Bliley Act (GLBA)—also known as the Financial Modernization Act of 1999—is meant to protect consumers and hold financial institutions accountable for how they safeguard sensitive information.
One aspect of the GLBA is the Privacy of Consumer Financial Information Rule, which requires financial companies to clearly explain the kinds of information they collect and the types of businesses or companies with which they may share that information. As part of this rule, customers must be allowed to opt out of any information-sharing activities. It is the customers’ right to decide if they don’t want their information given to certain third parties.
Another critical component of the GLBA is the Safeguards Rule, which requires financial institutions to protect the consumer information they collect. This rule states that companies must develop a written information security plan that outlines “the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.” Since the GLBA applies to electronic and paper-based information, safeguards could include firewalls and encryption software as well as secure document disposal.
The Federal Trade Commission administers the GLBA, and compliance is mandatory. There can be severe consequences if a company does not comply. A financial institution can be fined up to $100,000 for each violation, and the institution’s officers and directors can be fined up to $10,000 for each violation.
The GLBA applies to any company that offers financial products or services to consumers. Such companies may include banks, credit unions, insurance companies, tax preparers, and brokerage firms. The law may also apply to debt collectors, real estate appraisers, check-cashing businesses, and mortgage brokers. Some retailers and automobile dealers that extend or arrange credit or issue credit cards must also comply. In addition to developing and implementing their own safeguards, companies covered by the rule must ensure their affiliates and service providers secure and protect any customer information in their care.
The GLBA governs any financial information that a consumer provides to a company offering financial products or services and that could be used, along with demographic information, to identify that individual. This definition is intentionally broad and can be interpreted in many ways. For example, a bank may need to protect account numbers, credit card numbers, account balances, or transaction history, among other things. A mortgage company may need to secure payment histories and the assessed value of homes. Other items like insurance policies and employment verifications may fall under this rule as well. Basically, it applies to any financial information that, when used in conjunction with an individual’s name, contact information, or social security number, could be used to commit identity theft or other malicious acts.
There are many nuances involved in meeting the tenets of the GLBA; however, ensuring the safe and secure disposal of documents that contain financial PII is especially critical to the work. Here are some considerations to keep in mind when developing a document disposal strategy.
Determine the right timing. One of the challenges with GLBA compliance is when to throw away documents that are no longer needed. Even if an organization is finished with a document, it may be legally required to hold on to it for a certain period. To keep track of what documents can be destroyed and what should be kept, it can be helpful to create and maintain a records retention schedule. This is a guidance document that describes the types of information the company typically collects, the legal and regulatory requirements for retaining the information, who owns the information, and what the schedule is for disposing of it. Based on this document, organizations can create a plan of what information to throw away and when, track disposal, and ensure they reduce risk by getting rid of things that aren’t necessary while still meeting legal demands.
Select a secure disposal method. While many of the documents that contain financial PII will be electronic, a significant amount will still be in paper form. It is important to think through how to dispose of these records so they don’t introduce the risk of a breach of financial PII. Tossing confidential documents in the regular trash is not safe because dumpster divers can and do access these materials relatively easily. Similarly, shredding documents with a personal or small office shredder may not go far enough in fully destroying the information. Most of these machines shred paper into strips, which can be reconstructed without too much effort. The optimal destruction strategy involves working with a professional shredding company like Shred-it. We use industrial shredders that turn documents into confetti, which prevents reassembly. Because we recycle the confetti, we also help preserve the environment. We offer a chain of custody, guaranteeing that any sensitive documents will remain secure from the time of disposal through destruction, and we issue a certificate of destruction listing what records were destroyed, when, and how.
It is also wise to have a method of full disposal of any outdated or non-functioning electronic equipment that may house confidential financial information. Legacy technology can present a hidden risk in that information can still be accessed and used for nefarious purposes, even if the equipment does not appear to be working. Wiping, erasing, or reformatting a hard drive or other electronic device doesn’t go far enough in safeguarding the information because these methods do not completely remove data from the device, and forensic software programs exist that can recover the information. Complete, physical destruction is a better strategy. This may include slicing the equipment into pieces or punching a hole in it, eliminating the chances of data access.
Set staff up for success. Organizations must make sure their employees are familiar with the GLBA and what their role is in ensuring compliance. Training should cover proper document disposal for electronic and paper documents and address what to do in the office versus when working from home. In addition to comprehensive training, organizations should be intentional about where they place disposal equipment to make it easy for staff to throw things away safely and securely. This may include providing lockable storage containers at easily accessible drop-off points. Monitoring disposal efforts ensures people are following the proper processes and can help uncover improvement opportunities early to mitigate risk.
To learn more about the GLBA and how Shred-it can help your financial organization comply with the law, visit our Financial Services page.