Tag: SOX act

Protecting Financial and Insurance Data: Key Compliance Mandates to Know

September 20, 2024 at 8:30 am by Amanda Canale

Every day, financial institutions face threats of data breaches, making cybersecurity a critical aspect of their operations. As technology evolves, so do the malicious tactics used by cybercriminals to exploit vulnerabilities in the financial sector. This is where compliance regulations come into play. These regulations are designed to protect sensitive financial information, mitigate cyber risks, and maintain the integrity of the financial system.

At the heart of financial compliance is the responsibility to safeguard consumer data and financial information. Financial institutions, from banks to insurance firms, collect and process vast amounts of personal and financial data, that if breached, can be a major liability to both organizations and individuals alike. This data can include everything from credit card numbers and social security details to transaction histories and insurance policies. Given the sensitivity of this information, these regulatory frameworks were developed to ensure its constant protection. 

Here’s an overview of some of the critical regulations shaping the world of finance compliance.

credit card finance isa

Sarbanes-Oxley Act (SOX)

The Sarbanes-Oxley Act (SOX), passed in 2002, was established to protect investors by improving the accuracy and reliability of corporate financial disclosures and reporting. Although the act focuses on financial transparency and corporate governance, SOX compliance is mandatory for all public companies.

A crucial part of SOX compliance is record retention. Financial and insurance companies must keep a wide range of documents, from financial statements and accounting records to emails and client information, for a specific timeframe. While SOX doesn’t dictate exactly how records should be destroyed, it stresses the importance of maintaining accurate, unaltered data, for specific lengths of time.

When it’s time to securely dispose of expired records, organizations should, at a minimum, implement a risk management  and destruction plan that falls in compliance with NIST 800-88 data disposal standards to ensure sensitive information is destroyed responsibly and in line with SOX requirements.

 Fair and Accurate Credit Transactions Act (FACTA)

The Fair and Accurate Credit Transactions Act (FACTA), enacted in 2003, is a crucial piece of legislation aimed at enhancing the accuracy, privacy, and security of consumer information. FACTA as it stands today, amended the Fair Credit Reporting Act (FCRA) and was introduced to address growing concerns about identity theft and consumer credit reporting practices. 

At its core, FACTA provides consumers with greater access to their credit reports and includes measures to assist with fraud prevention. One of its most notable impacts is allowing consumers to request a free annual credit report from each of the major credit reporting agencies, ensuring individuals can monitor their credit history and identify potential discrepancies. 

While FACTA doesn’t mandate just one specific method for disposing of consumer report information, it allows some flexibility, enabling organizations to choose their disposal method based on the sensitivity of the data and the associated costs. It is, however, recommended to follow NIST 800-88 data disposal standards for secure and compliant destruction of consumer reports.

credit-card-data

General Data Protection Regulation (GDPR)

The European Union’s General Data Protection Regulation (GDPR) has had a profound impact on global financial institutions and their operations. GDPR focuses on data privacy within the European Union and was designed to protect the personal data of the region’s citizens from cyberattacks. Organizations that process data from EU citizens must comply with GDPR, meaning organizations with EU customers, visitors, branches, those offering goods or services in the region, and even cloud computing companies. Essentially, regardless of where the organization is located, if the data of EU residents is involved, compliance with GDPR standards and regulations is non-negotiable. 

The mandate also grants individuals the freedom to have a say in what happens with their data, giving them the right to access, correct, and destroy their data. Organizations must also implement enforce stringent security measures to protect that information from unauthorized access or breaches and maintain transparency about how data is used.  

The GDPR checklist for data controllers is a phenomenal tool designed to help keep organizations on the road towards data security compliance. More information on GDPR’s data destruction best practices can be found here.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA), passed in 1999, focuses on the protection of non-public personal information (NPI) in the financial services sector. The GLBA primarily governs how financial institutions handle the privacy of sensitive customer data and sets strict regulations on how that information can be collected, stored, and shared. By ensuring that businesses adopt responsible data management practices, the GLBA aims to protect consumers from financial and insurance fraud. Financial institutions, such as banks, credit unions, and insurance companies, are required to provide clear and transparent privacy policies, informing customers about the ways their information may be used or shared with third parties.

A key component of the GLBA is the Financial Privacy Rule, which outlines specific guidelines that financial institutions must follow when collecting personal data. This rule requires institutions to give customers the option to “opt-out” of having their information shared with non-affiliated third parties, thereby empowering consumers to have more control over their personal data. 

In 2021, responding to the rise in data breaches, the Federal Trade Commission strengthened data security protocols under GLBA with an updated Safeguards Rule. This rule extends to all non-bank financial institutions, including mortgage companies, car dealers, and insurance companies, ensuring customer financial data is securely protected.

One of the key requirements of the Safeguards Rule is that these institutions must implement a secure disposal policy for customer information within two years of its last use—unless retention is legally or operationally necessary. Although the rule doesn’t list a specific disposal method, following NIST 800-88 data disposal standards is widely regarded as a best practice.

identity-theft

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards established by major credit card companies to protect payment card information and ensure the secure handling of credit and debit card transactions. Established in 2004 by major credit card companies, including Visa, MasterCard, and American Express, PCI DSS applies to any organization that processes, stores, or transmits payment card information. The goal of these standards is to minimize the risk of breaches, fraud, and identity theft, and quicken data breach response times by enforcing strict security practices across all entities involved in the payment process. 

PCI Requirement 3.1 specifically mandates that organizations securely dispose of cardholder data that is no longer needed, with the principle, “if you don’t need it, don’t store it.” Retaining unnecessary data creates a significant liability, and only legally required data should be kept. This applies to any organization involved in processing, storing, or transmitting payment card information—from retail businesses and payment processors to banks and card manufacturers.

While PCI DSS does not prescribe a specific method for data destruction, the consequences of non-compliance are severe. To mitigate risks, organizations should have clear policies in place for securely destroying all unnecessary data, including both hardcopy documents and electronic media like hard drives, servers, and storage devices.

For PCI DSS compliance, it’s recommended to follow NIST 800-88 data disposal standards to ensure secure and thorough destruction of cardholder data.

Conclusion

Understanding and complying with these mandates is crucial for financial institutions to navigate the complex regulatory environment. By implementing robust internal controls, risk management protocols, and staying informed about regulatory changes, organizations can uphold the principles of transparency, security, and trust that are fundamental to the industry.

Sarbanes-Oxley and Data Destruction: How to Best Comply 

March 11, 2019 at 4:00 pm by Paul Falcone

If you operate or manage a public company or a non-public company with publicly traded debt securities, you’ve certainly heard of the Sarbanes-Oxley (SOX) Act of 2002. This law is also aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act”. 

The SOX Act was enacted by the US federal government to address the standards by which the management and board of directors of any domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity. 

The SOX Act aims to strengthen the audit committees of these US-based public companies as well as hold the management and officers liable to the accuracy of the financial statements for the business. In so doing, this Act works to prevent securities and investment fraud by the organizations covered under SOX.  

SOX Act

General Regulations of the SOX Act 

The Sarbanes-Oxley Act is made up of two main clauses. According to Section 404 under the Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report for each annual financial report by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.  

Clause B expands on the regulations for the internal control evaluation and reporting, adding in required responsibility of the commission or registered public accounting firm issuing the audit report to accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable to the reported information claimed about the management of the stated financial information in the internal control report.  

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.  

SOX data destruction

 Data Security Best Practices 

When it comes to financial data end-of-life cycles, it’s therefore extremely important for companies covered under the SOX Act to appropriately destroy their data so that the information contained cannot be accessed or reconstructed. In so doing, the company further maintains SOX compliance and ensures fraud prevention of its financial reporting, even as the data has been slated for decommission.  

This means not only proper disposal of the data, but also of the hard drives or electronic storage media housing the data. Organizations covered under the SOX Act must use the proper channels and procedures for data destruction. Such methods include overwriting non-sensitive information with software or hardware to clear the data (not recommended due to the recoverability of data from “erased” drives),  degaussing the media  and rendering the magnetic field permanently unusable, or  destroying the media by disintegration, pulverization, shredding, melting, or incineration. 

Rather than work with a third party off-site to destroy the data and drives, it’s recommended that the organization create a designated, private space within its premises for the data destruction and drive disposal. The organization should also consider limiting access to the data and drive destruction procedures within the private space to only a select number of authorized personnel. Enforcing restricted access within a private, on-site space further protects and secures the data from theft and misuse.  

Final Considerations for Data Destruction 

Working with a vendor like SEM that provides on-site data destruction machinery is essential to maintaining control and security over your financial data. Allowing your data to leave your premises by a third party can be extremely risky because they are not liable for your data security. For instance, imagine if that third party you hired did not actually destroy your drives but instead sold your financial data to an outside party. 

It’s also a good idea to check that the vendor you are working with has machinery that adheres to NSA and NIST 800-88 guidelines for data destruction and SOX Act compliance.