Federal Law

GLBA Safeguards Rule: Data Disposal Requirements for Financial Institutions

The Gramm-Leach-Bliley Act Safeguards Rule, 16 CFR Part 314, requires financial institutions to implement a written information security program that includes proper disposal of customer financial information. The amended rule, effective June 9, 2023, added explicit disposal requirements and applies to every financial institution under FTC jurisdiction regardless of size. Data Destruction Inc. provides NIST SP 800-88 r2 Destroy-level shredding that satisfies the disposal requirement.

  • Enforcement: Federal Trade Commission (FTC); federal banking regulators for banks
  • Current: Amended rule effective June 9, 2023 — 16 CFR Part 314
  • Jurisdiction: Federal
  • Covered entities: all financial institutions under FTC jurisdiction, including mortgage companies, auto dealers, payday lenders, insurance companies, financial advisors, and tax preparers

What Is the GLBA Safeguards Rule?

The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, codified at 16 CFR Part 314, requires financial institutions to protect the security, confidentiality, and integrity of customer financial information by implementing a written information security program. Proper disposal of that information is a core component of the program. The FTC enforces the Safeguards Rule for non-bank financial institutions. Federal banking regulators enforce parallel requirements for banks.

Governing statute: Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.
Key regulation: 16 CFR Part 314 (Safeguards Rule)
Current version: Amended rule, effective June 9, 2023
Enforcement body: Federal Trade Commission (FTC) for non-bank financial institutions; OCC, Federal Reserve, FDIC, and NCUA for banks and credit unions
Official source: ftc.gov/safeguards-rule

The 2023 amended rule is a substantial expansion of the original 2003 Safeguards Rule. The 2023 version adds specific technical requirements that were absent from the original, including explicit disposal requirements, encryption mandates, access control standards, and the requirement to designate a qualified individual (CISO) to oversee the information security program.

Note on scope: The Safeguards Rule covers the security of customer information. The GLBA Privacy Rule (16 CFR Part 313) governs consumer notice and opt-out rights. These are separate rules. This page covers the Safeguards Rule only.


What the GLBA Safeguards Rule Requires

The amended Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program with 9 core elements. Disposal is addressed under Section 314.4(f).

Requirement 1: Disposal of Customer Information (§314.4(f)(3))

Citation: 16 CFR §314.4(f)(3)
What it requires: Implement policies and procedures for the secure disposal of customer information in any format no longer needed for business purposes or as required by law.
Plain English: When a financial institution no longer needs customer financial records, it must destroy them. Leaving old hard drives in a storage room or disposing of them in a dumpster violates this requirement. The rule applies to both paper and electronic formats.

Acceptable disposal for electronic media: The FTC interprets “secure disposal” to require methods that render customer information unreadable and unrecoverable. NIST SP 800-88 r2 Destroy-level destruction (shredding, crushing, disintegration) satisfies this standard.

Requirement 2: Written Information Security Program (§314.4)

Citation: 16 CFR §314.4
What it requires: Implement and maintain a comprehensive, written information security program containing administrative, technical, and physical safeguards appropriate for the size and complexity of the institution.
Plain English: A verbal policy does not satisfy the rule. The institution must have a written program that addresses disposal as one of its components. The program must be reviewed and updated annually.

Requirement 3: Qualified Individual (§314.4(a))

Citation: 16 CFR §314.4(a)
What it requires: Designate a qualified individual to oversee and implement the information security program and supervise the providers of the information security function.
Plain English: The 2023 amendment added this requirement. The institution must designate a CISO or equivalent. This individual is responsible for ensuring disposal practices comply with the program.

Requirement 4: Third-Party Service Provider Oversight (§314.4(f)(2))

Citation: 16 CFR §314.4(f)(2)
What it requires: Oversee service providers that maintain, process, or otherwise handle customer information, including ensuring their disposal practices meet Safeguards Rule standards.
Plain English: If a financial institution contracts with a destruction vendor, it must ensure that vendor uses compliant disposal methods. The institution cannot simply hand drives to a vendor and assume compliance. Verification of the vendor’s practices — through a certificate of destruction or written service agreement — is required.


How Data Destruction Inc. Satisfies the GLBA Safeguards Rule

Data Destruction Inc. provides financial institutions with a documented, NIST SP 800-88 r2 Destroy-level process that satisfies 16 CFR §314.4(f)(3).

Service | NIST r2 Category | GLBA Compliance
--- | --- | ---
Hard drive shredding | Destroy (§3.1.3) | Renders customer information unreadable and unrecoverable
Hard drive crushing | Destroy (§3.1.3) | Physical elimination of media — compliant with §314.4(f)(3)
Data wiping (for reuse) | Clear/Purge (§3.1.1/§3.1.2) | Removes customer information before media reuse
Witnessed destruction | All categories | Customer-witnessed with signature — supports third-party oversight requirement

Certificate of Destruction: The Certificate of Destruction issued by Data Destruction Inc. documents the destruction method, date, location, serialized asset inventory, NIST r2 category and section, and technician/witness signatures. This certificate serves as the written verification required for §314.4(f)(2) third-party oversight compliance.


Who Must Comply with the GLBA Safeguards Rule?

The Safeguards Rule applies to “financial institutions” under FTC jurisdiction. The FTC defines financial institution broadly.

Covered under FTC enforcement:
  • mortgage companies and mortgage brokers
  • payday lenders and non-bank auto lenders
  • insurance companies and insurance agents (in most states)
  • investment advisors and financial planners not regulated by the SEC
  • tax preparation firms and tax filing services
  • auto dealerships that arrange financing
  • check cashing businesses
  • non-bank student loan servicers

Covered under federal banking regulator enforcement: banks, savings associations, and credit unions. These entities follow parallel interagency guidelines rather than the FTC Safeguards Rule, but the disposal requirements are substantively identical.

Size is not an exemption. The GLBA Safeguards Rule applies to financial institutions regardless of size. A two-person mortgage brokerage has the same disposal obligation as a national bank. The 2023 amendment introduced some scaled requirements for smaller institutions but did not create a size exemption for the disposal requirement.

“Customer information” defined: The Safeguards Rule protects “customer information,” meaning any record containing nonpublic personal information about a customer of a financial institution that was derived from a relationship between the institution and the customer. This includes loan files, account records, credit applications, and any information obtained in connection with providing a financial product or service.


Enforcement and Penalties

The FTC enforces the Safeguards Rule for non-bank financial institutions. The FTC Act (15 U.S.C. §45) gives the FTC authority to pursue civil penalties for Safeguards Rule violations.

Civil penalties: Up to $100,000 per violation for the institution; up to $10,000 per violation for individual officers or directors who participated in or had authority to prevent the violation.

Documented FTC enforcement actions: Drizly LLC (2022) — FTC consent order for data security failures including improper data retention and disposal practices, imposing 20 years of security program requirements. BetterHelp (2023) — $7.8M FTC settlement involving improper handling and disposal of mental health information. The FTC has also brought several cases against mortgage companies for failing to implement adequate disposal procedures for customer loan files.

State enforcement: Many states have enacted parallel financial data security laws that mirror or exceed GLBA requirements. New York’s NYDFS Cybersecurity Regulation (23 NYCRR 500) includes disposal requirements for covered financial entities and carries significant state-level penalties.


Customer Information Disposal: Method by Media Type

The GLBA Safeguards Rule requires “secure disposal” that renders customer financial information unreadable and unrecoverable. The FTC interprets NIST SP 800-88 r2 Destroy-level destruction as satisfying this requirement. Use this matrix to select the correct method for each media type that may store customer financial information.

Media Type | GLBA Disposal Requirement | NIST r2 Category | DDI Method
--- | --- | --- | ---
Hard drives (HDD / SSD) | Unreadable and unrecoverable | Destroy (§3.1.3) | Hard drive shredding or crushing
Backup tapes | Unreadable and unrecoverable | Destroy (§3.1.3) | Tape shredding / degauss + shred
Loan files and paper records | Rendered unreadable (per GLBA §314.4(f)(3)) | Physical destruction | Cross-cut shredding
Mobile devices | Customer data removed / destroyed | Purge or Destroy (§3.1.2/§3.1.3) | Crypto Erase or physical shred
Media for reuse | Customer information removed before reuse | Clear or Purge (§3.1.1/§3.1.2) | Data wiping per NIST standard
USB / removable media | Unreadable and unrecoverable | Destroy (§3.1.3) | Physical shredding

Regulations That Interact with the GLBA Safeguards Rule

Financial institutions subject to GLBA often face overlapping obligations from related federal regulations. A single NIST SP 800-88 r2 Destroy-level destruction process and a serialized Certificate of Destruction satisfy all of the following simultaneously.


Authoritative Source and Official Regulation

Authoritative Source · ftc.gov

GLBA Safeguards Rule · 16 CFR Part 314 — FTC Safeguards Rule (amended 2023)

ftc.gov/legal-library/browse/rules/safeguards-rule

Enforcement Body · Federal Trade Commission (FTC)

Current Version: Amended rule, effective June 9, 2023 — 16 CFR Part 314



Frequently Asked Questions

Does the GLBA Safeguards Rule require a specific destruction method?

The rule requires “secure disposal” that renders customer information unreadable and unrecoverable. It does not mandate a specific method. The FTC interprets NIST SP 800-88 r2 Destroy-level destruction (shredding, crushing, or disintegration) as satisfying “secure disposal.” Deleting files, reformatting drives, or decommissioning devices without physical destruction does not satisfy the standard.

Does the 2023 amended GLBA Safeguards Rule change the disposal requirement?

The 2023 amendment (effective June 9, 2023) made the disposal requirement explicit at §314.4(f)(3). The original 2003 rule required “proper disposal” but did not specify written requirements. The 2023 version requires a written policy, addresses both paper and electronic formats, and adds the third-party vendor oversight requirement at §314.4(f)(2). Institutions that relied on informal disposal practices under the original rule now need a documented program.

How does Data Destruction Inc. help with the third-party oversight requirement?

The Certificate of Destruction from Data Destruction Inc. documents all information required to demonstrate third-party oversight: the vendor’s process (NIST SP 800-88 r2 Destroy), the specific assets destroyed (serialized), the date, and authorized signatures. Financial institutions retain this certificate in their information security program records to satisfy the §314.4(f)(2) verification requirement.

Does GLBA apply to banks, or just non-bank financial institutions?

Banks, savings associations, and credit unions are covered entities, but they are regulated by federal banking regulators (OCC, Federal Reserve, FDIC, NCUA) under interagency guidelines rather than the FTC Safeguards Rule directly. The interagency Appendix B to 12 CFR Part 30 and similar rules contain substantively identical disposal requirements. The practical outcome is the same: all financial institutions, bank and non-bank, must implement secure disposal of customer information.

What media types does the GLBA Safeguards Rule cover?

The rule covers any electronic media that stores customer information, including hard disk drives (HDD), solid-state drives (SSD), backup tapes, mobile devices, optical media, removable storage (USB drives, SD cards), and server storage. It also covers paper records. Financial services data destruction at Data Destruction Inc. covers all electronic media types relevant to financial institutions.

Need secure disposal services that satisfy the GLBA Safeguards Rule?

Bonded · Insured · 24-Hour Certificate of Destruction · Methods follow GLBA Safeguards Rule