Formulating An Asset Disposition (ITAD) Plan In The Financial Services Industry

Businesses in all industries should take the time to establish an IT asset disposition (ITAD) plan, however this task is especially important for businesses in the financial services industry. Formulating an ITAD plan can also be more difficult for businesses in this industry since they face a number of challenges that businesses in other industries do not. Despite these challenges, it’s crucial that financial companies put an ITAD plan in place as soon as possible.

What Is An ITAD Plan?

Businesses need to dispose of their IT assets once they are no longer needed or operable. However, disposing of these assets is much more complicated than simply putting them in a trash bin. Each of these assets may contain sensitive business or customer data that needs to be protected at all costs. How will you ensure that this data does not fall into the wrong hands when the asset is disposed of? By creating an ITAD plan.

An ITAD plan outlines how a company will manage the disposal of their IT assets. One of the many items this plan should cover is how sensitive data will be protected during the disposal process. In addition, an ITAD plan should also include information on:

  • Third party vendors that assist with asset disposal
  • Transportation of the assets
  • Internal reporting of assets
  • Data destruction

If a business does not have one of these plans, they are not prepared to properly recycle their electronic devices and protect their data when an asset is no longer needed in their facility.

Laws Regulating ITAD in the Financial Services Industry

Because businesses in the financial services industry deal with consumer credit card numbers, bank accounts, and other sensitive information, they are more heavily regulated than businesses in other industries. In fact, there are several laws that regulate how businesses in this industry can store and destroy their data.

The Gramm-Leach-Biley Act (GLB) requires all businesses in the financial industry to protect sensitive data at all times—even when the asset is being sent off-site for destruction. Because of this law, financial businesses are legally obligated to destroy sensitive data so it can no longer be read or reconstructed. Companies are also required to frequently review the ITAD plan they have in place to look for flaws and ways to improve upon it. If a security flaw is found in the business’s current plan, it must be corrected immediately to protect sensitive data collected from customers.

Businesses in the financial industry must also comply with the Dodd-Frank Wall Street Reform and Consumer Act. This law can be applied to many different areas of business, including the disposal of IT assets. The Dodd-Frank legislation prohibits businesses in the financial industry from making misleading statements to consumers about their business practices. Therefore, financial businesses must be transparent with customers when describing how their sensitive data is destroyed, otherwise they could be violating this law. For example, if a business tells consumers that their data will be destroyed after a certain period of time, it must actually follow this rule. If it doesn’t, the business has misled consumers into thinking their data will be completely destroyed at a certain point when that’s not the case.

These are just two of the many laws that financial businesses must comply with when disposing of IT assets. Violating one of these laws can lead to substantial fines, which is why it’s so important to establish an ITAD plan to stay compliant.

Tips For Establishing ITAD Plans in the Financial Services Industry

Creating an ITAD plan is crucial, but it’s even more important to share this plan with everyone in the organization who is involved in the disposal of IT assets. Some companies utilize a lot of their resources to create the plan, but then fail to fill everyone in on the details. If everyone is not on the same page, the strategies in the ITAD plan will not be effective. Be sure to identify all parties that should be involved in this process and keep them in the loop throughout the creation of the plan.

All IT assets that contain sensitive data should be disposed of in a responsible manner. However, some companies do not realize that computers, smartphones, and tablets are not the only devices that store data. For example, a fax machine could have stored images of documents that were recently faxed. Other devices such as copiers and printers can also house sensitive data that needs to be destroyed. Therefore, it’s recommended that financial businesses follow their ITAD plan when disposing of any IT asset, not just those that are known to contain data. 

Since the data that financial businesses collect from customers is so sensitive, it’s best to look for a third party vendor that can assist with data destruction. Handling the destruction of this sensitive data internally is usually not a good idea since the vast majority of companies do not have the resources to properly complete this task. When choosing a third party, look for an e-waste recycler that has been certified by the National Association for Information Destruction (NAID). The NAID AAA certification is only given to e-waste recyclers that have proven their ability to keep clients’ data protected at all stages in the disposal process.

The Importance of Including ERI in Your ITAD Plan

ERI is the nation’s largest e-waste recycling provider, and the only nationwide company to offer 100 percent guaranteed data destruction. ERI’s guaranteed data destruction helps banks and financial institutions remain compliant with the Sarbanes-Oxley Act, Gramm-Leach-Billey Act, FACTA Disposal regulations, the Patriot Act of 2002, PCI Data security standards and the Identity Theft Deterrence Act. For more information on recycling your electronics, or to request a quote for your company, contact us today.