The challenges in protecting customer data are becoming more complex for financial firms. A growing variety of...
ways to collect information, increasing in the number of places that information can be stored, and a rising number of regulations outlining how to protect information have turned data retention and destruction into a significant challenge for financial corporations.
The Texas Insurance Claims Services case
In June, Texas Insurance Claims Services, a Richardson, Tex.-based company that processes people's claims, threw hundreds of files with customer names, Social Security numbers and policy numbers into a dumpster. A passerby found the information and notified the media.
Because of its actions, Texas Insurance Claims Services may pay for its transgression. In December 2007, Scotch Plains, N.J.-based American United Mortgage Corp.was fined $50,000 for leaving consumers' sensitive personal and financial information in a dumpster. In addition, the mortgage company must undergo a third-party audit every two years for the next 10 years.
To avoid embarrassing public disclosures, companies need to understand what data they need to protect, next what procedures to put in place to protect said data, and then how to safely dispose of personal data. The steps sound simple to map out, but the implementation has become quite complicated.
Don't forget the hardcopy
While there has been a lot of emphasis on hackers devising elaborate ruses to steal personal information, such cases illustrate tried-and-true methods, such as dumper diving, can still be effective.
"Electronic and paper information is information, and, as such, need to be treated the same from a policy stand point," said Robert Johnson, executive director at National Association for Information Destruction, Inc., a Phoenix-based ad-hoc agency that helps companies deal with information retention issues. "But from a procedural standpoint, the methods for securing and destroying information are very different."
With electronic information, companies' focus centers on moving information from one type of device (say hard disk storage) to another (say tape). With paper information, companies need to put procedures in places that identify where that information is housed, how long it must be retained, and how it is destroyed.
New regulations are just around the corner
"Corporations can now collect more information about their customers than ever before, and this data is stored in different places and in a variety of formats," said Brian Babineau, senior analyst at the Milford, Mass.-based Enterprise Strategy Group.
In response, regulators have been developing new data retention and data disposal mandates. The Federal Trade Commission passed the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule, which outlines what companies should do when disposing of personal information and goes into effect Nov. 1.
In December, amendments to the Federal Rules of Civil Procedure (FRCP) that outline data retention requirements for new areas, such as email messages, will go into effect. In addition, 28 states have must-shred laws, including Texas, and 44 have notification requirements for disclosing privacy breaches.
Yet even putting shredding procedures in place may no longer be sufficient to satisfy the government. Changes to FACTA's Disposal Rule 1 require that companies generate reports on how they destroy paper data and put auditing policies and procedures in place to make sure the task is done in an appropriate fashion.
As these laws come into effect, financial companies need to understand what is required of them. While it's clear you shouldn't leave customer data in dumpsters, there is plenty of gray in the new regulations. "The laws typically require that a corporation make a good faith effort to establish reasonable data retention policies," said Babineau.
Good faith and reasonable are subjective terms, and at the moment, it is unclear how the government will interpret them. What is clear that the government's role in monitoring data disposal is increasing and corporations who do not emphasis it could face stiff penalties.
About the author:
Paul Korzeniowski is a freelance writer who focuses on security issues. He is based in Sudbury, Mass. and can be reached at firstname.lastname@example.org.