SEC Disposal Rule Proposal Shows Need For Compliance Toolkit

The Securities and Exchange Commission (SEC) has put forth a proposal to amend the Safeguards Rule within Gramm-Leach-Bliley and the Disposal Rule in FACTA in a manner that would expand the definition of what must be destroyed, as well as pull tens of thousands more organizations and individuals under the jurisdiction of the destruction requirement.

Among the key purposes of the proposal is to broaden the definition of what must be properly destroyed from "credit information" to all "personal information." In fact, the definition of what is considered "personal information" has itself been broadened when contrasted against earlier definitions used in regulatory language.

Furthermore, the recommendation reiterates the need to have written policies and procedures protecting information and, since the proposal itself centers on information destruction, the timing of the SEC proposal coincides nicely with the launch of the NAID Information Destruction Policy Compliance Toolkit in April.

Additionally, the proposal would require organizations to maintain a written record of their compliance with their information protection policies. Since outsourcing information destruction comes with a ready-made, simple method for tracking compliance, this provision is viewed as very favorable to the secure destruction industry.

NAID will be commenting on the proposed SEC disposal amendment, including suggesting that incidents of improper disposal of personal information result in a notification event. NAID also expects the final amendment to contain the same examples of due diligence in selecting a service provider that are included in FACTA.
