Skip to content

Security/Compliance: Latest Big Issue ...Trash!

I knew when I saw the look in the chimney sweep's eyes that I had been a bad, bad girl. As he approached the fireplace to begin the inspection and cleaning process, he looked aghast at the huge stack of paper sitting on the grate where the logs should be. He gazed at it, then looked at me and said, "Lady, you weren't planning to burn all this paper in your fireplace, were you?" His tone of voice made it clear that the only acceptable answer was "No," but I couldn't lie. That had been precisely my intent. Sounded like a great way to dispose of financial records more than a decade old. Guess not ...

Congress also had some concerns about disposal of sensitive financial information, and, as a result, the FACT Act contains Section 216 which requires the bank regulatory agencies to adopt a final rule requiring each financial institution to develop, implement, and maintain "appropriate measures" to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft. The final rule was published in December 2004 and becomes effective July 1, 2005.

Prior to the July effective date, some institutions may need to amend their existing information security programs to incorporate the new measures. The starting point is understanding what constitutes "consumer information" for purposes of the new rule. From there, your institution will need to figure out what it holds that would be classified as "consumer information," where it is stored, how it is used, and when it's prudent to dispose of it.

The term consumer information is defined to mean any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by your institution (or on your behalf) for a business purpose.

Examples include a consumer report you pull on someone - whether they become a borrower, a guarantor, an employee or prospective employee, or are an unsuccessful applicant for credit . It also includes information derived from such a report, as well as information obtained about a consumer from an affiliate, other than mere transactions and experiences data.

As with other data protected by your information security program, risk assessment is a critical first step. The goal is to implement and maintain security measures designed to guard against misuse, alteration or destruction.


  • Who has access to this type of information?
  • Who really needs access? You may be able to reduce the number of employees who access consumer information.
  • At what point is the information no longer needed?

Examine how you guard against unauthorized users pulling credit reports. Track copies that are made, memos that extract data from the reports.

Basically, you will then evaluate the same eight categories of security measures you evaluated when adopting your original information security program:

  1. logical access controls
  2. physical access controls
  3. encryption
  4. system modification procedures
  5. dual controls, segregation of duties, background checks
  6. IDS
  7. incident response program
  8. emergency plan

Then, after your risk assessment and evaluation of the categories of security measures, you will need to adopt the security measures that would be appropriate.

The regulators say they anticipate any changes to an institution's existing information security program likely will be minimal because the measures already in place to dispose of "customer information" could be adapted to properly dispose of "consumer information."

Don't assume, however, that no action is warranted on your part. Take a thoughtful, reasoned approach to analyzing the storage and use of consumer information, document your analysis, document your decisions, obtain board approval prior to July 1, 2005 of any new measures being incorporated into your information security program, and, of course, train your staff on any new procedures that come about as a result. Oh, yeah. And don't plan to simply heft the consumer information into your fireplace either. Chimney sweeps frown on that.

Mary Beth Guard, Esq. is CEO of Glia Group, Inc., Executive Editor of, and an advisor to In a career spanning more than two decades, she has gained a national reputation as a banking attorney, speaker, writer and Internet expert. You can contact Mary Beth via email at

Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 14, No. 12, 1/05

First published on 01/01/2005

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics