Data Destruction for Financial Services
The Gramm-Leach-Bliley Act (GLBA) is the grandfather of Federal data privacy regulations. GLBA requires that all financial institutions protect their clients' personal and financial information. Data destruction for Financial Services is a costly and complex challenge because you are required to maintain control and security of the devices that contain information over the entire life span of the data.
No other industry has more regulators concerned with data privacy than financial services.
The final disposal of this information needs to be documented. This can be a cumbersome and tedious task, but failure to document the destruction of your devices can cause significant organizational liability. Most financial organizations utilize third party vendors to provide for the destruction and disposal of the obsolete media. Choosing a vendor with the right qualifications is important.
“WE SPEND AN OCEAN OF MONEY ON CYBER-SECURITY…
IT’S THE ONLY EXPENSE WHERE I ASK IF IT’S ENOUGH.”
John G. Stumpf, CEO – Wells Fargo
Why outsource your data destruction?
Increasingly, financial services organizations are absorbing the burdens of ever-changing data privacy regulatory requirements that force you into workflows that are not efficient, and that demand management time and attention.
Our Safe Harbor Express (or SHE) turnkey secure data destruction service represents an attractive solution to the challenges associated to destroying obsolete data assets. We take the complex GLBA record keeping requirements and the time-consuming tasks of manually controlling and destroying obsolete data assets off your plate. It frees both management and employee time so that you can focus on core IT functions.
The importance of vendor due diligence for secure data destruction vendors
Disposing of retired IT assets represents a very real data security risk. Recent surveys have shown that the #1 concern of CIOs when disposing of IT assets is security.
Can you trust your IT asset disposal vendor?
A recent Wall Street Journal article about cybersecurity, “What Keeps CIOs Up at Night”, states that the security practices and capabilities of 3rd party vendors are a major concern. This is not only an important internal data security question but also a required regulatory issue. You are required to have documentation supporting your 3rd party’s qualifications and experience.
GLBA data privacy compliance requires that any 3rd party service provider that comes in contact with your clients' sensitive information must sign a “GLB Security Agreement”. This agreement requires the vendor to provide the same level of data care and protection that your organization provides.
Please Read:
Distrust of Vendors Raises Security, Compliance Questions
3rd party risk management of data destruction for financial services
If you choose to utilize a third party vendor for hard drive shredding, the Office of the Comptroller of the Currency has issued OCC Bulletin 2013-29, “Risk Management Guidance for Third Party Relationships”, requiring banks to conduct due diligence on all potential third party vendors prior to selection and entering into contracts/relationships (read more here).
Payment card industry data security standard
All banks must comply with Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. Protection of your customers’ payment card information is fundamental to a bank’s reputation. PCI DSS requires not only that you protect cardholder information, but also that you maintain the integrity of your card data collection system. You must regularly monitor all collection devices to make sure they function properly and have not been tampered with. There are 12 security issues that must be maintained for PCI DSS compliance.
3rd party service providers must be certified PCI DSS compliant
You are required to confirm that any 3rd party service provider that comes in contact with cardholder data, which includes data storage media as well as card data collection devices, is certified by the PCI DSS council for that activity.
PCI defines a service provider as: a business entity that is not a payment brand, directly involved in processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or impact the security of cardholder data.
Back Thru The Future provides secure data destruction services for the shredding of data media that holds cardholder data, as well as product destruction services for card reading devices. Back Thru The Future has met the PCI DSS third party compliance certification requirements by completing the 96-page PCI Third Party Self Assessment Questionnaire (“SAQ”).
Over 30 Years of experience providing data destruction for financial services
Back Thru The Future® specializes in providing secure onsite data destruction services to the financial industry in the Northeast business corridor. Our clients include some of the largest international banking enterprises as well as the Federal Reserve. In the State of NJ we service nearly 70% of the entire community banking industry. This specific experience, along with our unique credentials as a Federal EPA-permitted universal waste destination facility and electronics recycler and as a NAID AAA certified secure data destruction provider, meets the OCC requirements for a qualified third party service provider.
A one stop regulatory compliant solution to your secure data destruction needs
Destroying non-public personal information (NPPI) recorded on your old hard drives, cell phones, PDAs and other data media is both technically complex and time consuming. Back Thru The Future’s Safe Harbor Express® (or SHE) is a turnkey annual contract for scheduled onsite GLBA compliant NPPI destruction. It replaces ad-hoc, inconsistent data destruction processes that put your business at risk. This service is a highly affordable, easily implemented and simple to manage solution to the GLBA NPPI destruction requirements (more details here).