This series explores how recent changes in U.S. privacy and data security laws are elevating retention schedules and data disposal from merely prudent practices to compliance requirements.
As discussed previously in this series, there’s a shift in U.S. data security laws toward requiring data retention scheduling and disposal of unnecessary data. Recent changes in state laws with data security requirements for financial services businesses are an excellent example of this trend.
First, some brief context. The primary driver of financial sector data security has long been the Gramm-Leach-Bliley Act (GLBA), which requires the regulators of financial institutions to establish safeguards standards for the security and confidentiality of customer data. 15 U.S.C. § 6801(b). The various regulators obliged, with different approaches typical of the idiosyncratic U.S. regulatory ecosystem. The federal banking agencies (FRB, OCC, & FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security requirements. The NCUA adopted similarly specific safeguards for credit unions. 12 C.F.R. Part 748, App. A. In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use. And for the insurance industry, GLBA security standards were left to state insurance regulators, consistent with federal deference to the state-level regulation of insurance.
The salient point here is that none of the GLBA federal regulators crafted security standards that directly require either data retention scheduling or disposal of customer data once no longer required for legal compliance or business purposes. The SEC and FTC standards are silent on these topics, and the banking agencies’ and NCUA’s standards speak only to the proper means of disposal, not when customer data must be disposed of.
But this is beginning to change. And as seen elsewhere in this series, states are leading the way:
Less data is more than ever: state-level data security laws for the financial services sector