The FDIC was formed by the Banking Act of 1933 during the Great Depression, a time when Americans had lost faith in the financial system. Its purpose was to restore trust by providing deposit insurance to safeguard funds in case of a bank failure. The FDIC also monitors financial institutions to ensure they follow ethical business practices and comply with regulations. Since these institutions handle sensitive consumer data, such as Social Security numbers, credit card information, birthdates, and other financial details, they are obligated to protect this information.
Background of the Interagency Guidelines
Several financial regulatory agencies, including the FDIC, the Office of the Comptroller of the Currency, and the Board of Governors of the Federal Reserve System, jointly amended the existing information security guidelines for safeguarding customer information that had been issued under the Gramm-Leach-Bliley Act (GLBA). The amendment implemented Section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACTA), which requires the proper disposal of consumer information.
The Interagency Guidelines Establishing Information Security Standards were issued for financial institutions under Section 39 of the Federal Deposit Insurance Act and the GLBA. They provide the framework for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information, and they add guidance on the proper disposal of consumer information. The official text is published in the Code of Federal Regulations as Appendix B to 12 CFR Part 364.
Note: Section 216 of FACTA is codified in the Fair Credit Reporting Act (FCRA) as Section 628, 15 U.S.C. § 1681w, "Disposal of records."
Who has to Comply with the Interagency Guidelines?
All entities under the FDIC's supervisory authority must comply with these guidelines. Appendix B to Part 364 refers to them as an "insured depository institution" or "institution": FDIC-insured, state-chartered banks that are not members of the Federal Reserve System (state nonmember banks), for which the FDIC is the primary federal regulator.
The following entities must also comply with the Interagency Guidelines:
- State savings associations
- Insured state branches of foreign banks
- Any subsidiary of the above (other than brokers, dealers, persons providing insurance, investment companies, and investment advisers)
Information Security Requirements for FDIC-Insured Entities
Insured entities must maintain a comprehensive written information security program appropriate to their size and complexity and to the nature and scope of their activities. The program's objectives are to ensure the security and confidentiality of customer information, to protect it against anticipated threats or hazards, to protect against unauthorized access to or use of it that could cause substantial harm or inconvenience to a customer, and to ensure its proper disposal. Technical measures may include encryption, firewalls, and access controls, among others. For disposal, insured entities can use logical sanitization techniques such as overwriting (data erasure) to render consumer information unrecoverable.
Developing & Implementing an Information Security Program
The information security program should be developed under the oversight of the insured entity's board of directors or an appropriate board committee. The entity must perform a risk assessment and define procedures for implementing the safeguards that protect customer information.
- Perform a risk assessment of internal and external threats to customer information, estimate the likelihood and damage potential of each, and evaluate whether existing safeguards are sufficient.
- Define and implement administrative, technical, and physical safeguards to manage and control the identified risks.
- Exercise due diligence when engaging any third-party service provider (for example an IT asset disposition vendor or a managed service provider), require by contract that the provider implements safeguards consistent with the guidelines, and monitor the provider's performance.
- Adjust the program as technology, threats, business arrangements, and the sensitivity of the information change.
- Report to the board of directors at least annually on the overall status of the program and the institution's compliance with the guidelines.
The Interagency Guidelines took effect on July 1, 2001; the disposal provisions added under FACTA Section 216 took effect on July 1, 2005.
How to Comply with FDIC Data Disposal Guidelines?
The FDIC data disposal guidelines are critical for preventing unauthorized access to consumer information and the identity theft that follows from it. The FDIC points institutions to the FFIEC Information Technology Examination Handbook (II.C.13(c), Disposal of Information) for choosing a disposal method for data stored on electronic devices. The method must be chosen according to the sensitivity of the data, the media type, and the practical constraints of disposal. Deleting files or reformatting a drive is not sanitization: both only remove references to the data, and recovery tools can reconstruct it. Overwriting replaces every addressable block with a fixed or random pattern and leaves the device reusable. Degaussing and shredding physically destroy the device, so it cannot be reused. Management should select the most effective method for each media type as part of a written data destruction policy. Here's how:
- Perform a risk assessment: The insured entity should conduct a thorough risk assessment of the data it holds, including backups. Sensitive data must be handled carefully from creation to disposal, so classify it by sensitivity. Once the retention period ends or the device is replaced, sensitive consumer information must be disposed of using a method suited to the media.
- Choose the disposal method: The method depends on the media type and the sanitization level required. Degaussing, for example, works on magnetic media but has no effect on flash media such as SSDs, and because it also destroys the factory-written servo tracks of a hard drive, the drive cannot be reused, which works against an organization's ESG (environmental, social, and governance) commitments. The reference for method selection is NIST SP 800-88 (Guidelines for Media Sanitization), which defines the Clear, Purge, and Destroy levels and favors software- and firmware-based methods (overwriting, ATA Secure Erase, Block Erase, Cryptographic Erase) wherever the device supports them and the result can be verified, reserving physical destruction for media that cannot be sanitized otherwise, such as drives with failed or inaccessible sectors. Note that a host-side overwrite is unreliable on SSDs because wear leveling and over-provisioning keep blocks the host cannot address; for flash media use the drive's own Block Erase or Cryptographic Erase command and verify the result by reading the device back.
- Maintain data destruction records: Keep a detailed record of every disposal, even when the work is outsourced to a third-party vendor. Each record should contain the date of disposal, media type, hardware serial number, and method used; recording the verification result and the person who performed the sanitization makes the record defensible during an examination. For leased or rented equipment, address media sanitization in the contract before the devices are returned.
- Use a certified third-party vendor: If disposal is outsourced, confirm that the vendor holds a recognized certification such as R2, e-Stewards, or ADISA and maintains safeguards consistent with the FDIC guidelines, and keep the vendor's certificates of destruction alongside your own records.
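The following script is an added example, not code from the article or from BitRaser, showing how the media-type rule and the record-keeping requirement above fit together in a sanitize-and-record wrapper for Linux. It goes a step beyond the text by adding a read-back verification and a dry-run mode. The function names (`purge_cmd`, `overwrite_zero`, `verify_zero`, `record_disposal`, `dispose`), the CSV layout, and the `DISPOSAL_LOG` variable are my own choices; it assumes GNU coreutils, hdparm and nvme-cli are installed, that the target is a whole device node such as /dev/sdb or /dev/nvme0n1 (a regular file works as a stand-in for testing the HDD path), and the ATA security password "p" is a throwaway placeholder.

```shell
#!/usr/bin/env bash
# Added example (not the article's or BitRaser's code): choose a NIST SP 800-88
# sanitization method by media type, run it (or show it in a dry run), verify
# the overwrite, and append the disposal record the FDIC guidelines expect.
# Assumptions: GNU coreutils, hdparm, nvme-cli; run as root on a whole device.
set -eu

# Byte length of a block device, or of a regular file used as a stand-in
# when exercising the overwrite and verification logic without hardware.
media_size() {
  blockdev --getsize64 "$1" 2>/dev/null || stat -c %s "$1"
}

# NIST SP 800-88 Clear for magnetic disks: a single pass of zeros across every
# addressable byte, flushed to stable storage before returning.
overwrite_zero() {
  local target=$1 size
  size=$(media_size "$target")
  head -c "$size" /dev/zero |
    dd of="$target" bs=1M iflag=fullblock conv=notrunc,fsync status=none
}

# Verification: read the media back and count bytes that are not zero.
# Succeeds only if nothing survived the overwrite.
verify_zero() {
  local target=$1 size residual
  size=$(media_size "$target")
  residual=$(head -c "$size" "$target" | tr -d '\000' | wc -c)
  [ "$((residual))" -eq 0 ]
}

# Map media type to sanitization command. Flash media gets the drive's own
# erase command because wear levelling and over-provisioning hide blocks that
# a host-side overwrite never reaches. Returned as text so a dry run can be
# reviewed before anything destructive executes.
purge_cmd() {
  local media=$1 target=$2
  case "$media" in
    hdd)      echo "overwrite_zero $target" ;;
    sata-ssd) echo "hdparm --user-master u --security-set-pass p $target && hdparm --user-master u --security-erase p $target" ;;
    nvme)     echo "nvme format $target --ses=2" ;;   # ses=2: cryptographic erase
    *)        echo "unsupported media type: $media" >&2; return 1 ;;
  esac
}

# One line per disposal, in the form the guidelines call for: date, media
# type, serial number, method, verification result. Appended to a CSV log.
record_disposal() {
  local media=$1 serial=$2 method=$3 verified=$4 line
  line="$(date -u +%Y-%m-%dT%H:%M:%SZ),$media,$serial,\"$method\",$verified"
  printf '%s\n' "$line" >> "${DISPOSAL_LOG:-disposal-records.csv}"
  printf '%s\n' "$line"
}

# dispose MEDIA TARGET SERIAL [--dry-run]
# Verification is implemented only for the zero overwrite; a firmware purge on
# flash media is recorded as "unverified" and still needs a read-back check
# against the pre-sanitization content (for example a hash of the first MiB).
dispose() {
  local media=$1 target=$2 serial=$3 dry=${4:-} cmd verified=unverified
  cmd=$(purge_cmd "$media" "$target")
  if [ "$dry" = "--dry-run" ]; then
    printf 'would run: %s\n' "$cmd"
    return 0
  fi
  eval "$cmd"
  if [ "$media" = hdd ]; then
    verify_zero "$target" && verified=pass || verified=FAIL
  fi
  record_disposal "$media" "$serial" "$cmd" "$verified"
  [ "$verified" != FAIL ]
}

# Stand-alone use: ./dispose.sh hdd /dev/sdb WD-WX11A0000000 [--dry-run]
if [ "$#" -ge 3 ]; then
  dispose "$@"
fi
```

Run it with `--dry-run` first and compare the printed target against `lsblk -o NAME,SERIAL,SIZE` before the destructive run, since `eval` on the wrong device node is unrecoverable. Two practical caveats: `hdparm --security-erase` is refused by a drive the BIOS has left in the "frozen" state (visible in `hdparm -I`), and the ATA erase returns before the drive's on-disk state can be inspected, so for SSDs the record should carry the read-back check, not just the command exit status.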
By following these recommendations, financial institutions and banks can meet the FDIC data disposal guidelines. BitRaser is data erasure software that uses overwriting, Cryptographic Erase, and other techniques aligned with NIST SP 800-88 and the US DoD NISPOM. It permanently removes data and generates records of destruction, which helps organizations document compliance with FDIC, FACTA, and GLBA requirements, among many others.