Summary: Any business providing financial services is required to ensure the security and confidentiality of customer personal information. The FTC suggests businesses “shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up.”
Below is text from a Federal Trade Commission series of publications called Facts for Businesses. This publication is titled “Financial Institutions and Customer Data: Complying with the Safeguards Rule”. Only sections that pertain to the privacy of printed records have been included. The full text of the document can be found at http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm.
Financial Institutions and Customer Data: Complying with the Safeguards Rule
Many financial institutions collect personal information from their customers, such as their names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) has issued the Safeguards Rule. This Rule requires financial institutions under FTC jurisdiction to secure customer records and information.
Who Must Comply
The Safeguards Rule applies to businesses, regardless of size, that are “significantly engaged” in providing financial products or services to consumers. This includes check-cashing businesses, data processors, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, courier services, and retailers that issue credit cards to consumers.
How to Comply
The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
Securing Information
When a firm implements safeguards, the Safeguards Rule requires it to consider all areas of its operation, including three areas that are particularly important to information security: employee management and training; information systems; and managing system failures.
Information Systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on how to maintain security throughout the life cycle of customer information — that is, from data entry to data disposal:
• Store records in a secure area. Make sure only authorized employees have access to the area.
• Dispose of customer information in a secure manner. For example:
    • hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information;
    • shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up;
    • erase all data when disposing of computers, diskettes, magnetic tapes, hard drives, or any other electronic media that contains customer information;
    • promptly dispose of outdated customer information.