Protecting Financial and Insurance Data: Key Compliance Mandates to Know

September 20, 2024 at 8:30 am by Amanda Canale

Every day, financial institutions face threats of data breaches, making cybersecurity a critical aspect of their operations. As technology evolves, so do the malicious tactics used by cybercriminals to exploit vulnerabilities in the financial sector. This is where compliance regulations come into play. These regulations are designed to protect sensitive financial information, mitigate cyber risks, and maintain the integrity of the financial system.

At the heart of financial compliance is the responsibility to safeguard consumer data and financial information. Financial institutions, from banks to insurance firms, collect and process vast amounts of personal and financial data, that if breached, can be a major liability to both organizations and individuals alike. This data can include everything from credit card numbers and social security details to transaction histories and insurance policies. Given the sensitivity of this information, these regulatory frameworks were developed to ensure its constant protection. 

Here’s an overview of some of the critical regulations shaping the world of finance compliance.

credit card finance isa

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX), passed in 2002, was established to protect investors by improving the accuracy and reliability of corporate financial disclosures and reporting. Although the act focuses on financial transparency and corporate governance, SOX compliance is mandatory for all public companies.

A crucial part of SOX compliance is record retention. Financial and insurance companies must keep a wide range of documents, from financial statements and accounting records to emails and client information, for a specific timeframe. While SOX doesn’t dictate exactly how records should be destroyed, it stresses the importance of maintaining accurate, unaltered data, for specific lengths of time.

When it’s time to securely dispose of expired records, organizations should, at a minimum, implement a risk management  and destruction plan that falls in compliance with NIST 800-88 data disposal standards to ensure sensitive information is destroyed responsibly and in line with SOX requirements.

 Fair and Accurate Credit Transactions Act (FACTA)

The Fair and Accurate Credit Transactions Act (FACTA), enacted in 2003, is a crucial piece of legislation aimed at enhancing the accuracy, privacy, and security of consumer information. FACTA as it stands today, amended the Fair Credit Reporting Act (FCRA) and was introduced to address growing concerns about identity theft and consumer credit reporting practices. 

At its core, FACTA provides consumers with greater access to their credit reports and includes measures to assist with fraud prevention. One of its most notable impacts is allowing consumers to request a free annual credit report from each of the major credit reporting agencies, ensuring individuals can monitor their credit history and identify potential discrepancies. 

While FACTA doesn’t mandate just one specific method for disposing of consumer report information, it allows some flexibility, enabling organizations to choose their disposal method based on the sensitivity of the data and the associated costs. It is, however, recommended to follow NIST 800-88 data disposal standards for secure and compliant destruction of consumer reports.

credit-card-data

General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) has had a profound impact on global financial institutions and their operations. GDPR focuses on data privacy within the European Union and was designed to protect the personal data of the region’s citizens from cyberattacks. Organizations that process data from EU citizens must comply with GDPR, meaning organizations with EU customers, visitors, branches, those offering goods or services in the region, and even cloud computing companies. Essentially, regardless of where the organization is located, if the data of EU residents is involved, compliance with GDPR standards and regulations is non-negotiable. 

The mandate also grants individuals the freedom to have a say in what happens with their data, giving them the right to access, correct, and destroy their data. Organizations must also implement enforce stringent security measures to protect that information from unauthorized access or breaches and maintain transparency about how data is used.  

The GDPR checklist for data controllers is a phenomenal tool designed to help keep organizations on the road towards data security compliance. More information on GDPR’s data destruction best practices can be found here.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), passed in 1999, focuses on the protection of non-public personal information (NPI) in the financial services sector. The GLBA primarily governs how financial institutions handle the privacy of sensitive customer data and sets strict regulations on how that information can be collected, stored, and shared. By ensuring that businesses adopt responsible data management practices, the GLBA aims to protect consumers from financial and insurance fraud. Financial institutions, such as banks, credit unions, and insurance companies, are required to provide clear and transparent privacy policies, informing customers about the ways their information may be used or shared with third parties.

A key component of the GLBA is the Financial Privacy Rule, which outlines specific guidelines that financial institutions must follow when collecting personal data. This rule requires institutions to give customers the option to “opt-out” of having their information shared with non-affiliated third parties, thereby empowering consumers to have more control over their personal data. 

In 2021, responding to the rise in data breaches, the Federal Trade Commission strengthened data security protocols under GLBA with an updated Safeguards Rule. This rule extends to all non-bank financial institutions, including mortgage companies, car dealers, and insurance companies, ensuring customer financial data is securely protected.

One of the key requirements of the Safeguards Rule is that these institutions must implement a secure disposal policy for customer information within two years of its last use—unless retention is legally or operationally necessary. Although the rule doesn’t list a specific disposal method, following NIST 800-88 data disposal standards is widely regarded as a best practice.

identity-theft

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established by major credit card companies to protect payment card information and ensure the secure handling of credit and debit card transactions. Established in 2004 by major credit card companies, including Visa, MasterCard, and American Express, PCI DSS applies to any organization that processes, stores, or transmits payment card information. The goal of these standards is to minimize the risk of breaches, fraud, and identity theft, and quicken data breach response times by enforcing strict security practices across all entities involved in the payment process. 

PCI Requirement 3.1 specifically mandates that organizations securely dispose of cardholder data that is no longer needed, with the principle, “if you don’t need it, don’t store it.” Retaining unnecessary data creates a significant liability, and only legally required data should be kept. This applies to any organization involved in processing, storing, or transmitting payment card information—from retail businesses and payment processors to banks and card manufacturers.

While PCI DSS does not prescribe a specific method for data destruction, the consequences of non-compliance are severe. To mitigate risks, organizations should have clear policies in place for securely destroying all unnecessary data, including both hardcopy documents and electronic media like hard drives, servers, and storage devices.

For PCI DSS compliance, it’s recommended to follow NIST 800-88 data disposal standards to ensure secure and thorough destruction of cardholder data.

Conclusion

Understanding and complying with these mandates is crucial for financial institutions to navigate the complex regulatory environment. By implementing robust internal controls, risk management protocols, and staying informed about regulatory changes, organizations can uphold the principles of transparency, security, and trust that are fundamental to the industry.

History of Federal Data Privacy Regulations in the US

July 3, 2019 at 2:52 pm by Paul Falcone

Throughout history, the United States has passed quite a few different laws to protect privacy for its citizens. Generally, the laws focus on protecting one specific aspect of privacy, but they are extremely specific and in-depth on that one aspect. With the growing of the digital age, it is important to wonder if the United States is doing a good enough job keeping up with cybersecurity and data privacy.

data-privacy-history

4th Amendment

One of the first privacy laws the United States passed was the 4th Amendment, which protects people from unlawful searches. While the 4th Amendment protects people from physical and apparent searches, it has birthed some confusion regarding modern technology. In the case of Carpenter v. United States, it was ruled that the 4th Amendment protects searches of cell phone location data, but it went all the way to The Supreme Court, and was ruled 5-4 in favor of the cell phone privacy.

Fair Credit Reporting Act (FCRA) 1970

The FCRA protects citizens from their consumer reporting agencies files being used against them. A consumer reporting agency file holds personal information used to decide credit, insurance, banking info, and more. It prevents the use of information in their file being used without their knowledge and it allows a person to know what is in their file. The FCRA also allows a person to dispute inaccuracies and forces agencies to delete false or inaccurate information as well as incomplete information.

US Department of Health, Education, and Welfare (HEW) 1973 Computers and the Rights of Citizens

HEW is a report that was focused on the growing use of computers, and how that could impact the future of data keeping and protection. It focused on consequences of using automated personal data systems, how to stop those consequences, and policy for social security numbers.

Privacy Act of 1974

The Privacy Act of 1974 was a turning point in data privacy and security. It protects information that would be retrieved by an individual through their name or any other personally identifiable mark, and prevents said information from being disclosed without written consent of the individual in question. The Privacy Act of 1974 is the biggest step the United States took for data privacy and paved the way for more specific data privacy laws in the future.

Federal Educational Rights and Privacy Act (FERPA) 1974

FERPA protects educational information from being disclosed. Essentially, the Act prohibits schools from sending out information to anyone. Parents are allowed access to the educational info, but once the student turns 18 and continues schooling beyond high school, the rights transfer to the student. There are of course, certain people to whom the schools can send information, but they are all either financial, for the good of the student’s education, or for legal purposes. Schools can disclose certain information, such as name and date of birth of a student, but to do so, they must contact said student beforehand and give them a reasonable amount of time to request it not be shared.

Right to Financial Privacy Act (RFPA) 1978

RFPA protects the financial privacy of people. Essentially, it does not allow anyone to view financial information of a person without the person being notified and given a chance to object. In the words of this law, a “person” is judged to be an individual or a partnership of five or less individuals. In other words, it does not extend to corporations or large partnerships.

Video Privacy Protection Act of 1988 (VPPA)

The VPPA protects from the disclosure of rental records of “prerecorded video cassette tapes or similar audio-visual material.” Effectively, it means that without written consent or a valid warrant, no one can get the information of what a person has rented in the past.

The Gramm-Leach-Bliley Act of 1999 (GLBA)

GLBA ensures that financial institutions explain their information sharing processes with a customer. It also makes the institutions safeguard their consumer’s sensitive information. A financial institution constitutes a company that deals in the business of loans, investment advice, or insurance.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA protects the health information of individuals. It forces the protection and integrity of health information and it expects institutions to protect against anticipated threats against the security of the info as well as illegal disclosure.

Driver’s Privacy Protection Act of 1994 (DPPA)

The DPPA protects the information held by any state DMV. It disallows the use or release of personal info obtained from any department in relation to a motor vehicle. The information covered by this act includes name, address, SSN, phone number, and other personal effects. It does not cover traffic violations, accidents, or license status.

Children’s Online Privacy Protection Act of 1998 (COPPA)

COPPA protects children’s privacy from being collected or used. A child is defined as being under the age of 13. It requires the consent of a parent for the information of a child to be taken or used. This act works specifically for websites and online services that were targeted at children.

Federal Information Security Management Act of 2002 (FISMA)

FISMA in short is the government protecting its own cybersecurity and set guidelines for their own security moving forward. This act was the government acknowledging the importance of cybersecurity. It has since been replaced by the Federal Information Modernization Act of 2014, which is commonly referred to as FISMA reform or FISMA2014. FISMA2014 amended laws to give the government more room to increase their own cybersecurity.

Fair and Accurate Credit Transactions Act of 2003 (FACTA)

FACTA provides consumers with more accurate credit related records and entitles them to one free credit report per year from the three credit reporting agencies — Experian, Equifax, and TransUnion. It also grants consumers the ability to purchase additional credit reports for a reasonable price. The act also allows consumers to place alerts on their credit histories, to help prevent identity theft.

Telephone Records and Privacy Protection Act of 2006 (TRPPA)

TRPPA prevents pretexting – the imitation or impersonation of someone else in order to gain personal information – to buy or sell personal phone records. It should be noted that it does not affect information agencies or law officials.

State Laws and Federal Mandate

As it currently stands, many of the states have their own specific data privacy laws. Some states have more protection than others. For instance, Massachusetts have passed more data security laws than Tennessee, which has stayed closer to the federal laws alone.

In the digital era we live in, data security is a rising problem. As technology improves, more personal information becomes digital, and more security is needed. There needs to be a federal mandate that brings a unified guideline to all states that will encourage stronger cybersecurity protocols. In this current day and age, individual citizens want to be 100% certain that their personal information is well protected. Furthermore, if all the states have different laws, companies will not be able to comply with all of them, and will be forced to adhere to the strictest policies, or discontinue business with certain states all together.

The United States has consistently been putting out laws to protect privacy and enforce cybersecurity. With the way history has been it is safe to assume that they will continue to do so into the future. It is clear the cybersecurity is a major concern of the United States. The next step would logically be the United States releasing a federal mandate to standardize the data privacy laws for all states. Moving into the future, the United States needs to stay on top of new technology, and pass laws to better protect their citizens from cybercriminals.

Data Security Regulation Compliance: Challenges and Solutions

July 1, 2019 at 8:28 pm by Paul Falcone

GDPR. GLBA. FACTA. These are just a few of the recent onslaught of acronyms that have risen to govern federal and state privacy and data security regulations for businesses and organizations. Some are truly new, while others have been established for quite some time and are just getting more attention now. Indeed, consumer privacy laws and protocols have been the focus of society’s conversation at large for the last two years. And, this global conversation is only just getting started.

If you’re just joining in on the discussion, or even if you’re not and you want a quick refresher, continue reading for a quick overview of the most important national and international data security regulations currently in effect.

The Top 8 Data Security Regulations

HIPAA Privacy & Security Rules

Providers, professionals, and clearinghouses (hereto referred as covered entities) in the healthcare industry that are covered under HIPAA must also adhere to specific security regulations for all Protected Health Information (PHI) that the organization collects.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule also requires the covered entity to set policies and procedures for the disposal of electronic PHI (ePHI). As part of this mandatory safeguard process, covered entities must also train their workforce members on the proper disposal policies and procedures erected and enforce these policies. See 45 CFR 164.310(d)(2)(i).These rules hold especially true with the disposal of PHI and requires the covered entity to not only destroy the ePHI and the hardware or electronic media on which it is stored, but to first properly dispose of the ePHI data on the media before that media is made ready for reuse. Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI, and consequently, the potential for identity theft, employment discrimination, or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

FACTA

The Fair and Accurate Credit Transactions Act (FACTA) is an addendum to the Fair Credit Reporting Act (FCRA) and covers creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information. FACTA limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure protection of the individual to whom the information pertains from identity theft.

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data. The Rule mandates said data be destroyed by the pulverization, shredding, or burning of all papers in which the consumer information is printed, rendering the information unreadable and otherwise unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information.

Organizations under FACTA may also need to incorporate their data disposal policies into the organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.

GLBA

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. Because these organizations are significantly involved in providing financial products and services, they therefore have access to personally identifiable and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.

GLBA-covered organizations must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

FISMA

To ensure the protection of proprietary United States data within government agencies and affiliated organizations, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002. Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all US government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with policies for information security for non-national (civilian) security federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting of any organization under FISMA. It also sanctions DHS’ role in assisting OMB with this responsibility.

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for the organization and an IT budget cut, as well as significant administrative ramifications to the organization. However, failure to comply with FISMA, especially when it comes to breach-avoidance and proper data destruction, can have much grander and more catastrophic implications. Should any private, secured federal data be compromised and the organization was found to be noncompliant, there are serious civil and criminal federal consequences.

GDPR

While a security regulation of the EU, the General Data Protection Regulation (GDPR) of 2016 is applicable to those US-based organizations that do business internationally. GDPR effectively puts the customer first over the business, ruling that all private data is owned by the customer and not the business in which it was collected.

GDPR ensures the protection and privacy of consumer data as it is handled, stored, disclosed, and disposed of by the organization that holds it. Following GDPR requires obtaining consumer consent before collecting any data, providing consumers with a full report on what data has been collected and how it’s used if they request it, as well as a copy of the data itself and the immediate and proper destruction of data if the consumer requests it to be deleted. The organization must also have proper security controls in place for the safeguarding of consumer data and must place someone within the company to oversee and manage these compliance policies, including for data disposal.

gdpr-data-center

An organization under GDPR that is found to be noncompliant is subject to a fine equaling two to four percent of its global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million).

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for the handling of personal information by all federally regulated organizations as well as private-sector commercial organizations, regardless of the industry.

Like GDPR, organizations covered by this law must first obtain a consumer’s permission and consent before collecting, using, disclosing, and/or storing any personally identifiable information (PII). In addition, PIPEDA mandates that the information obtained can only be used for the purpose in which it was originally collected or else the organization needs to obtain renewed consent by the consumer for the use change. Moreover, consumers have the right to access their stored personal information as well as the right to challenge its accuracy. (The only organizations exempt from PIPEDA are those that are already subject to the similar privacy laws for private-sector organizations within Alberta, British Columbia, and Quebec provinces.) Canadian-based organizations that handle PII crossing provincial or national borders are also subject to PIPEDA compliance.

SOX

Aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act,” the Sarbanes-Oxley (SOX) Act of 2002 addresses the standards by which the management and board of directors of any US-domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity.

The SOX Act is made up of two main clauses. According to Section 404 under the Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report for each annual financial report by section 13(a) or 15(d) of the Securities
Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for the internal control evaluation and reporting, adding in required responsibility of the commission or registered public accounting firm issuing the audit report to accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable to the reported information claimed about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.

PCI DSS

The Payment Card Industry (PCI) Data Security Standard (DSS) protects consumer cardholder data by helping to alleviate the vulnerabilities experienced by credit card merchants for payment card transactions and processing systems.

Following common sense, PCI DSS mandates the credit processing merchant organization adhere to the following three steps: 1) Assessment, as in analyzing the IT assets and payment card processing protocols for the organization to identify any vulnerabilities with regard to the storage of cardholder data; 2) Remediation, as in the fixing of all identified vulnerabilities, and also applicable to ensuring cardholder data is not stored unless it is needed by the business; and 3) Reporting, as in the compilation of records to ensure validity of any remediation actions and the submission of all compliance reports to the bank and card brands with whom the organization does business. Finally, these DSS rules apply to all entities globally that store, process, and/or transmit cardholder data, and with guidance for software developers and manufacturers of applications and devices used in those transactions.

A Standard for Compliance

Depending on the type of business you manage or own, your organization may be subject to one or more of these data and privacy security laws. Rather than create varied sets of rules and policies for each, which could cause issues in overhead and personnel costs, not to mention unnecessary protocol confusion and training needs, it would behoove your business to develop one data security protocol to cover all applicable regulations.

Data Disposal Best Practices

This one-size-fits-all mindset is especially cost-effective when it comes to the data destruction policies under the various laws and regulations.

No matter which regulation your organization follows, it’s recommended that you first create a private space within your organization to house a data and/or drive destruction machine rather than work off-site with a third party at their establishment. You should also create a limited group of personnel with the sole authorization to oversee all data security compliance processes as it pertains to the destruction of data that’s reached end-of-life.

Furthermore, when it comes to the end-of-life cycle, both data and the device in which the data is housed must be destroyed via shredding, degaussing, disintegrating, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. It may also behoove your organization to keep a record audit of all data destruction events to prove your company’s compliance if a breach at this level does occur.

To ensure these procedures remain as cost-effective as possible, you’ll want to choose a third-party vendor like SEM that has both documentation software, like the iWitness, as well as NIST- and NSA-approved data destruction machinery to purchase and keep at your organization.

The Criticality of FACTA-Compliant Data Disposal

January 31, 2019 at 8:58 pm by Heidi White

Along with the Fair Credit Reporting Act (FCRA), creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information must follow the regulations set by the Fair and Accurate Credit Transactions Act (FACTA). FACTA is an addendum to the FCRA and limits how consumer information can be shared as well as controls how this private data is disposed of, to ensure protection of the individual in which the information pertains from identity theft.

FACTA-Compliant Data Disposal

0101 crusher
Destroying a rotational hard drive in a SEM 0101 crusher

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data.

The Rule mandates said data be destroyed by the pulverization, shredding, or burning of all papers in which the consumer information is printed, rendering the information unreadable and otherwise unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information. Appropriate disposal methods for electronic media include overwriting non-sensitive information with software or hardware to clear the data, degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. As with the actual data, the electronic media must be rendered unreadable and otherwise unable to be reconstructed.

If you’re working with a third party data disposal company to comply with FACTA data destruction, you are required to conduct an independent audit of the process to ensure the integrity of the disposal and to ensure complete data destruction.

Lastly, you may need to incorporate your data disposal policies into your organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.

Consequences of a FACTA Violation

FACTA-data-disposal
Failing to adhere to FACTA data disposal requirements can lead to hefty fines

Failure to comply with FACTA for either the data or the drive destruction can result in major damage to your company’s reputation and financial standing. If you become victim to a data breach and have not maintained FACTA regulations, the affected individuals of the breach can seek damages under the law. Your organization may face a class action lawsuit and fines up to $1,000 per individual violation, regardless of whether the persons suffered identity theft.

Moreover, the reputation of your company may be tarnished by the data breach and subsequent FACTA violations. This could mean the loss of existing customers and potential new business, furthering your organization’s financial loss and eroding economic stability.

When it comes to working with third-parties for data destruction, however, there is a reality of risk that needs to be considered. If your third-party experiences a breach, your organization maintains its sole liability for the data you have collected and stored; meaning you will still face civil penalties, and not the third-party.

It is therefore highly recommended that you partner with a vendor like SEM who can provide both data and drive destruction devices for your organization to use and keep in-house. By controlling who, where, when and how your data and drives are destroyed, you can better ensure data protection at every step during destruction.