Security of Personal Customer Information

Question: 
Is it true that a financial institution's overall data liability, particularly with respect to Gramm-Leach-Bliley, extends to the actual hardware they dispose of? Some banks seem to take this very seriously and are willing to spend money to secure their retired assets and ensure that customer data is permanently erased. But other firms seem more interested in getting money for their old systems than protecting themselves from data liability issues. I have heard of situations where laptops bought on eBay were found to contain customer data. Could a firm or its officers be prosecuted for allowing such security lapses to take place?
Answer: 

I can't say that individuals would be held personally responsible, but certainly safeguarding customer information extends to the destruction of hard drives which have this data. Either the data must be completely erased so it is not retrievable or the drives should be destroyed and not resold.

The costs a bank could have in notifying customers that their data was sold on eBay by mistake, converting accounts and the reputation risks would cost many, many times more than the value of selling used equipment.

First published on BankersOnline.com 10/4/04
