Gramm-Leach-Bliley Act (GLBA)
Covered Entities: Non-Bank Financial Institutions
Governed by the Federal Trade Commission (FTC)
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is a United States federal law requiring financial institutions to explain how they share and protect their customers’ private and nonpublic personal information (NPI). Covered entities must develop, implement, and maintain a comprehensive information security program that includes physical safeguards appropriate to the characteristics of the organization and to the sensitivity of the NPI at issue.
In 2021, in direct response to widespread and devastating data breaches, the Federal Trade Commission enacted an updated rule under GLBA that strengthens the data security safeguards (the “Safeguards Rule”) that financial institutions must implement to protect their customers’ financial information. The Safeguards Rule applies to all non-bank financial institutions, including businesses that are only loosely categorized as financial institutions, such as mortgage companies, pawn brokers, and car dealers.
A key aspect of the Safeguards Rule requires that non-bank financial institutions implement a policy for the secure disposal of customer information no later than two years after the last date that the information was used, unless retention is otherwise required for legal, regulatory, or legitimate business purposes.
While the Safeguards Rule under GLBA requires disposal of customer information after two years of non-use, it does not mandate a specific data destruction methodology. Best practice for complying with the 2021 Safeguards Rule includes following the NIST SP 800-88 guidelines for media sanitization. All of SEM’s high security paper shredders, disintegrators, IT shredders, IT crushers, and degaussers are appropriate for the disposal of GLBA-covered data following NIST SP 800-88 protocols.