Protecting Financial Data with ITAD

Techbuyer ITAD

The financial services and banking sector is covered by several regulations, including FACTA (the Fair and Accurate Credit Transaction Act), PCI DSS (the Payment Card Industry Data Security Standard), GLBA (the Gramm-Leach-Bliley Data Protection Act), and SOX (the Sarbanes-Oxley Act). Under these regulations, organisations in the financial and banking sector are required to have proper administrative, technical, and physical safeguards in place to prevent the unauthorised disclosure of both non-public information (NPI) and personally identifiable information (PII).

Cybersecurity measures are widely adopted across the financial sector to protect data while IT resources are in active use. However, significant risk arises at the point where a company takes IT equipment out of service, because the data on that equipment is still recoverable until it has been properly destroyed. The financial sector must therefore consider each of the following regulations when deciding how to dispose of IT equipment:

FACTA

The Fair and Accurate Credit Transaction Act (FACTA) is designed to enhance consumer protections, particularly against identity theft. FACTA’s Disposal Rule details the actions businesses must take to prevent unauthorised access to or use of consumer information.

Businesses must therefore take appropriate measures when disposing of sensitive consumer information. The rule requires them to “destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed.” There are serious legal penalties for failing to comply with the FACTA Disposal Rule.

PCI DSS

If you store, process, and/or transmit cardholder data, the Payment Card Industry Data Security Standard (PCI DSS) applies to your business. PCI DSS was created to standardise data security and requires businesses to maintain secure environments for storing and transmitting cardholder data. For example, businesses must have a system in place to track data-containing technology such as mobile devices, laptops, computers, servers and other IT equipment. When such devices are retired, the data on them must be rendered unrecoverable so that it cannot be reconstructed. PCI DSS expressly recommends secure data sanitisation in accordance with industry-accepted standards for secure deletion, such as the software used here at Techbuyer.

GLBA

The Gramm-Leach-Bliley Data Protection Act (GLBA) requires financial institutions to safeguard consumer data. GLBA defines financial institutions as companies that are “significantly engaged” in providing financial products or services. To prevent the unauthorised collection, use, and disclosure of NPI, GLBA imposes two “Rules”: the Privacy Rule and the Safeguards Rule.

The GLBA Privacy Rule states that financial institutions must provide privacy notices to consumers. The privacy notice must be provided when the consumer relationship is formed and annually thereafter. The notice must state what NPI the financial institution collects, how it handles that information, how the consumer can opt out, and how the data is protected.

The GLBA Safeguards Rule specifically outlines privacy rights and dictates that financial institutions must have in place a robust information security program and a contracted disposition vendor. The organisation remains responsible for safeguarding NPI even when the data is in the hands of an outsourced company, so ensuring that data is handled appropriately throughout its life cycle is paramount.

SOX

The Sarbanes-Oxley Act (SOX) helps protect investors from fraudulent financial reporting by corporations and imposes strict rules for corporate financial record keeping and reporting. SOX requires any publicly traded company to establish, document, test, and maintain effective internal controls and data security processes. These procedures must ensure that there is no unauthorised disclosure of data at any point in its lifecycle. Overall, the best way to achieve SOX compliance is through due diligence and comprehensive, documented policies and procedures.

Data Breach Risk

The cost of a data breach is high. According to the latest IBM data, the United States was the top country for the average total cost of a data breach for the 11th year in a row. In the financial sector specifically, the average total cost of a data breach was $5.72 million in 2021. The data also showed that customer PII is the most common type of record lost, compromised in 44% of data breaches.

Lost business accounted for 38% of the overall average cost of a data breach. Lost business costs include revenue lost to system downtime, increased customer turnover, and the higher cost of acquiring new business once brand reputation has been damaged. In the months and years following a breach, regulatory and legal costs add further to the total.

IT Asset Disposition

If your organisation is required to comply with any of the regulations outlined above, it is important to have policies and procedures in place. For example, this might involve documenting what equipment and/or data was destroyed and when, maintaining comprehensive policies for secure data destruction, and establishing procedures for employee training.

Many organisations turn to IT Asset Disposition, or ITAD, as a holistic solution to their IT equipment removal requirements. ITAD is the most secure and sustainable way to dispose of used IT equipment.

The Techbuyer ITAD Services

Complying with financial security rules and regulations can be a hassle. Techbuyer’s ITAD services can take care of this for you. With audit-ready reporting and a secure data destruction method backed by the National Cyber Security Centre’s Commercial Product Assurance (CPA) certification, we provide a fully trusted ITAD solution. Techbuyer assists banks and other organisations in the financial industry with a cost-effective, secure, and compliant ITAD service. Contact us to learn more about how we can help you securely dispose of IT equipment.
