The Gramm-Leach-Bliley (GLBA) Safeguards Rule

Customer information protection is top of mind for businesses everywhere, small and large alike. The Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information, otherwise known as the Safeguards Rule, requires entities covered by the rule to have measures to protect customer information.

The Safeguards Rule is a part of the larger Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, which is meant to protect consumers and hold the financial services industry accountable for how they handle customer information.

The Safeguards Rule applies to financial institutions that are subject to the FTC’s authority and aren’t subject to another regulator under the GLBA. Financial institutions are significantly engaged in financial activities and include mortgage lenders, collection agencies, credit counselors, and more. For a full list of financial institutions, refer to the FTC’s website.

The Safeguards Rule was updated in 2021 to provide more direction to financial institutions regarding what businesses are covered and how to stay compliant. Businesses were to comply with the updated Safeguards Rule by June 9, 2023.

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Non-compliance can result in penalties outlined in the GLBA, including:

• Fines of $100,000 per violation for financial institutions found in violation.
• Fines of $10,000 per violation for individuals found in violation.
• Criminal penalties, including imprisonment for up to five years for individuals found in violation.

The Safeguards Rule has nine steps for businesses to take to build a compliant information security program:

1. Designate a qualified individual to implement and supervise your business’ information security program.  The qualified individual can be an employee of your company or can work for an affiliate or service provider.
2. Conduct a risk assessment of the utilized business processes and systems that store customer information.  Your risk assessment must be written and must include criteria for evaluating risks and threats.
3. Design and implement safeguards, including secure disposal of customer information, to control the risks identified in your risk assessment.
4. Regularly monitor and test the effectiveness of your safeguards.  For information systems, testing can be accomplished through continuous system monitoring.
5. Train your staff on data protection risks and threats.
6. Monitor your service providers to verify that they are maintaining appropriate safeguards.  Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
7. Keep your information security program current.  The best programs are flexible enough to accommodate periodic modifications.
8. Create, maintain, and periodically test a written incident response plan.
9. Require your qualified individual to report to your Board of Directors.  Your qualified individual must report in writing at least annually.

How Can Shred-it^® Help?

We help our customers securely destroy information that may be subject to the GLBA or other data protection laws.

How Can My Business Securely Destroy Customer Information?

Businesses can use a trusted professional shredding service, like Shred-it^®, that offers a variety of shredding options and destroys items to make them nearly impossible to put back together, therefore protecting customer information. These shredding services include:

• One-time shredding: Shred-it^® will perform a one-time collection of documents.
• Regularly-scheduled shredding: Lockable containers are provided in addition to regularly scheduled pickups.
• Drop-off shredding: Drop off documents at a local Shred-it^® office.
• Mobile shredding services: Shred-it^® performs the shredding of documents on-site.
• Specialty shredding services: Shred-it^® securely destroys non-paper items such as price books, media, medical records, exams, expired IDs, old uniforms, and more.
• Hard drive destruction: Data can be recovered from devices, even if it has been manually deleted. Shred-it^® offers state-of-the-art technology to permanently delete hard drive data by physically destroying the device. Contact Shred-it^® for availability.

Download our fact sheet for more information. To learn more about the GLBA and how Shred-it^® can help your financial organization compliantly destroy customer information, visit our Financial Services page.