Businesses in the financial industry handle a great deal of sensitive information, including Social Security numbers, customer contact information, bank account numbers, and credit card numbers. This data is incredibly valuable to unauthorized users who would be able to commit identity theft and fraud if they gained access to this information. For this reason, businesses in the financial industry must use extreme caution when handling their customers’ sensitive data. This means that financial businesses must ensure the data is completely secure at all times—even when the devices containing the data are being destroyed. Here are some of the IT asset disposition (ITAD) best practices for businesses in the financial industry:
Learn the Laws
There are a number of federal laws that regulate how businesses in the financial industry store and destroy their data. The first is the Gramm-Leach-Bliley Act (GLB), which requires businesses in the financial industry to keep sensitive data confidential at all times, even when it is being destroyed. To comply with this law, financial businesses must ensure data is destroyed so it cannot be read or reconstructed. They must also conduct frequent audits of their data protection procedures to identify weaknesses in their strategy. If any issues are found in the audit, the company must work to correct them immediately so consumers’ data cannot be accessed by unauthorized users.
The Dodd-Frank Wall Street Reform and Consumer Act is another law that affects the financial industry. According to this law, businesses in the financial industry cannot make misleading or inaccurate statements to consumers about the way their data will be protected. This means a company must be upfront with consumers about how their data is stored and destroyed so consumers can decide whether to trust the business or not.
Because financial institutions often have access to consumers’ credit reports, they are also obligated to comply with the Fair and Accurate Credit & Transaction Act (FACTA) and Fair Credit Reporting Act (FCRA). These laws require businesses to put policies and procedures in place that outline how consumers’ data will be protected. These documented policies and procedures should describe how the data will remain confidential while it is stored on-site and while it is being destroyed by a third-party e-waste recycler.
Any business in the financial industry that does not comply with these laws is subject to fines. If consumers find out a business is not compliant with a federal law that protects their sensitive information, they may also stop doing business with the company. For these reasons, it’s crucial that your IT team knows what rules and regulations they must abide by in order to remain compliant.
Identify Devices With Data
A business in the financial industry cannot comply with federal laws and protect its customers’ sensitive information if it doesn’t know which devices within the organization contain data. Everyone knows that a computer or smartphone stores data, but what about a copier, fax machine, or printer? Many people are unaware that these devices can contain sensitive information, so they don’t protect them in the same manner that they would protect a computer with sensitive information. Therefore, it’s important that everyone who is responsible for managing IT assets is aware of which devices may contain sensitive information. If you don’t already know which devices contain data, conduct an internal audit right away to identify assets with sensitive information.
Back Up the Data
Most companies in the financial industry do not want to lose data forever just because the device it is stored on is being disposed of. Before sending electronic devices to the recycler, back up all of the data so that it can still be accessed once it has been removed from the devices you no longer need. Taking the time to make another copy of the data may seem like a waste of time, but you will be thankful that your company incorporated this step into the ITAD plan if you ever need information that would otherwise have been destroyed forever.
Research Recyclers/ITAD Providers
Spend time researching e-waste recyclers so you can find one that shares your commitment to protecting sensitive data. Businesses in the financial industry should only work with e-waste recyclers that are certified by the National Association for Information Destruction (NAID). E-waste recyclers with this certification have proven that they go to great lengths to destroy data so it can no longer be read or recreated.
An e-waste recycler should also have the e-Stewards certification in addition to the NAID certification. The e-Stewards certification is only given to the best of the best in the e-waste recycling industry. Furthermore, businesses with this certification do not send their e-waste overseas for processing. This means your devices that contain sensitive data will not end up in a junkyard in a developing country.
It’s important to note that some e-waste recyclers may try to say they are certified by the Environmental Protection Agency (EPA), but there’s no such thing as an EPA certification. Every e-waste recycler is given an EPA ID number, which is not the same as a certification. If an e-waste recycler makes this claim, this is a red flag that the company should not be trusted to destroy your data.
ERI is the world’s largest recycler of electronic waste, with facilities in seven different states in the U.S. We have been certified by e-Stewards and the National Association for Information Destruction. ERI regularly works with clients in the banking and finance industry, so we know the importance of destroying data and disposing of IT assets in a responsible manner. For more information on recycling your electronics, or to request a quote for your company, contact us today.