Less Data #2: New FTC Safeguards Rule requirements for data disposal

By Peter Sloan on March 29, 2023

The FTC has updated its data security regulations for the financial institutions it regulates under the Gramm-Leach-Bliley Act (GLBA). The FTC’s revised requirements for information security programs, effective June 9, 2023, now mandate data retention policies and disposal of unnecessary customer information.

To appreciate what this means, we must take a quick look at how we got here. GLBA, enacted back in 1999, required financial institution regulators to establish standards for safeguarding the security and confidentiality of customer data. 15 U.S.C. § 6801(b). The regulators obliged, with varying approaches typical of our idiosyncratic U.S. financial regulatory ecosystem. The federal banking agencies (FRB, OCC, and FDIC) promulgated the Interagency Guidelines Establishing Information Security Standards, see 12 C.F.R. Part 30, App. B, with detailed, granular security controls requirements. The NCUA adopted similarly specific safeguards for credit unions. 12 C.F.R. Part 748, App. A. In contrast, the SEC (Regulation S-P, 17 C.F.R. § 248.30(a)) and the FTC (16 C.F.R. Part 314) took a high-level approach with their respective standards, requiring safeguards reasonably designed to ensure security and confidentiality and to protect against anticipated threats and unauthorized access or use. For the insurance industry, GLBA security standards were left to state departments of insurance, consistent with federal deference to state-level regulation of insurance.

The key point here is that no federal GLBA regulator established security standards that directly required either data retention scheduling or the disposal of customer data no longer required for legal compliance or business purposes.  The banking agencies’ and NCUA’s standards spoke only to the proper means of disposal, not when customer data must be disposed of. And the SEC and FTC standards were silent on these topics.

Until now.

In 2021 the FTC took a fresh look at its Safeguards Rule, 16 C.F.R. Part 314, which was essentially untouched since first promulgated back in 2003. The resulting amendments updated the Rule to better address the current cyber-risk environment. And the amended Rule is more specific and granular in its required elements for the mandated information security program.

The significant point here is that the updated FTC Safeguards Rule for the first time adds data retention schedules and disposal of unnecessary data as required elements of a compliant security program for customer information. Entities subject to the amended Safeguards Rule must, effective June 9, 2023:

  • Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained; and
  • Periodically review your data retention policy to minimize the unnecessary retention of data. 16 C.F.R. § 314.4(c)(6).
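As an added illustration, not from the original post and not the FTC's own guidance, the following Python sketch applies the § 314.4(c)(6) disposal rule to a constructed inventory of customer-information records. The two-year clock and the three exceptions (business need, retention required by law or regulation, targeted disposal not reasonably feasible) follow the rule text above; the record field names, the 90-day warning window, and the sample records are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed for this example: flag records this many days before the two-year
# deadline so disposal can be scheduled before it becomes overdue.
WARNING_WINDOW = timedelta(days=90)


@dataclass
class CustomerRecord:
    """One item of customer information. Field names are assumptions for the example."""
    record_id: str
    last_used: date                          # last date used to provide a product/service
    business_need: bool = False              # still needed for business operations/legitimate purposes
    required_by_law: bool = False            # retention required by law or regulation
    targeted_disposal_feasible: bool = True  # can this record be deleted on its own?


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; Feb 29 rolls to Feb 28 in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_deadline(rec: CustomerRecord) -> date:
    """§ 314.4(c)(6)(i): dispose no later than two years after the last date of use."""
    return add_years(rec.last_used, 2)


def classify(rec: CustomerRecord, today: date) -> tuple:
    """Return (action, reason). Exceptions are checked first, then the two-year clock.

    Every 'retain' outcome should be documented so the periodic review required
    by § 314.4(c)(6)(ii) can re-examine whether the exception still applies.
    """
    if rec.required_by_law:
        return "retain", "retention required by law or regulation"
    if rec.business_need:
        return "retain", "necessary for business operations or other legitimate purpose"
    if not rec.targeted_disposal_feasible:
        return "retain", "targeted disposal not reasonably feasible; revisit at periodic review"
    deadline = disposal_deadline(rec)
    if today > deadline:
        return "dispose", f"overdue: deadline was {deadline.isoformat()}"
    if today >= deadline - WARNING_WINDOW:
        return "dispose", f"due by {deadline.isoformat()}"
    return "retain", f"within two-year window until {deadline.isoformat()}"


def review_inventory(records, today: date) -> dict:
    """Group records by action so a disposal job and a review list can be produced."""
    result = {"dispose": [], "retain": []}
    for rec in records:
        action, reason = classify(rec, today)
        result[action].append((rec.record_id, reason))
    return result


# Constructed sample inventory (not real data).
SAMPLE_RECORDS = [
    CustomerRecord("acct-001", date(2020, 3, 15)),                                    # overdue
    CustomerRecord("acct-002", date(2022, 1, 10)),                                    # still inside window
    CustomerRecord("acct-003", date(2020, 3, 15), required_by_law=True),              # legal retention
    CustomerRecord("acct-004", date(2020, 2, 29), targeted_disposal_feasible=False),  # feasibility exception
    CustomerRecord("acct-005", date(2021, 7, 15)),                                    # due within 90 days
]

if __name__ == "__main__":
    for action, items in review_inventory(SAMPLE_RECORDS, date(2023, 6, 9)).items():
        for record_id, reason in items:
            print(f"{action:8} {record_id}: {reason}")
```

The order of the checks matters: a record on legal hold or still needed for the business is never put on the disposal list regardless of its age, but each such exception is returned with a reason so it can be logged and revisited at the periodic review the rule also requires.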

This focus on data retention schedules and data disposal as essential security controls for financial institutions echoes a similar recent trend in state-level insurance laws under GLBA, discussed here, and in the New York DFS cybersecurity regulation for financial institutions, mentioned in Less Data #1. It also aligns with the FTC’s current view that retention schedules and data disposal are crucial to data security for all types of businesses. For example, the FTC’s 2016 guidance document Protecting Personal Information: A Guide for Business stresses the “Scale Down” principle, which is to keep only what you need for your business:

“If you don’t have a legitimate business need for sensitive personally identifying information, don’t keep it. In fact, don’t even collect it. If you have a legitimate business need for the information, keep it only as long as it’s necessary. …  If you must keep information for business reasons or to comply with the law, develop a written records retention policy to identify what information must be kept, how to secure it, how long to keep it, and how to dispose of it securely when you no longer need it.”

So for some time now the FTC has been moving toward the position that data retention schedules and data disposal are essential for reasonable data security. This position is clearly reflected in the FTC’s amended GLBA Safeguards Rule. But how deeply has this position permeated the FTC’s actual enforcement of reasonable data security beyond the GLBA financial institution setting? We’ll explore that in Less Data #3.

Peter Sloan

Peter Sloan is the Managing Attorney at the law firm Information Governance Group, LLC.  Peter advises clients on how best to retain, secure, preserve, and dispose of information. He helps clients throughout the United States create, validate, and update retention schedules; implement compliant information management policies and processes; and defensibly dispose of information. Peter also counsels clients on data security compliance and breach response readiness, and he works with clients to manage data breach response.

Peter has served clients across a broad range of industries, including energy, financial services, healthcare, engineering and construction, manufacturing, retail, technology, and transportation.

For more information about the Firm, please visit www.infogovgroup.com, or the Firm’s blog, Information Bytes.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Information Bytes
  • Organization:
    Information Governance Group