Data privacy and data protection rules are hot topics, prompting us to consider exactly how we share, store and dispose of personal information, from the individual to the corporate level. Indeed, most (if not all) businesses must now adhere to some form of data protection and privacy policy set forth by industry standards.
But what happens if your business interacts with other businesses that have their own policies and regulations to follow? Do you have to adopt those rulings for your business to continue working together? In most cases, the answer is 'yes.'
Take data centers. If you operate such a business, you likely have stringent rules in place for securing the data you house on behalf of your clients. But do you also follow the data regulations and privacy policies set forth by your clients? If your answer is 'no' and your clientele is covered under the Gramm-Leach-Bliley Act (GLBA), you’ll need to revisit your information security plan to incorporate GLBA compliance immediately.
What is GLBA?
The Gramm-Leach-Bliley Act of 1999 mandates that financial institutions, and any other companies that offer financial products to consumers (such as loans, financial or investment advice, and insurance), must have safeguards in place to protect their customers’ sensitive data. Moreover, they must disclose their information-sharing practices and data security policies to their customers in full.
Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are still covered by the GLBA. The reason is that these organizations are significantly involved in providing financial products and services, and therefore have access to personally identifiable information (PII) and other sensitive data such as Social Security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.
GLBA Compliance: Applicable to More than Just GLBA-Covered Businesses
In accordance with the GLBA, organizations covered under this rule must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a personnel group to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.
At this point, you may be asking yourself, “How does this affect my business as a data center?”
The data safeguard rules also apply to any third-party affiliates and service providers employed by the companies covered under the GLBA. As such, it is the responsibility of the GLBA-covered company to ensure that the third-party affiliate takes the same steps to protect the data it interacts with or stores on the company’s behalf. This means companies under the GLBA are going to select third-party service providers like yours from among those that are already set up operationally with the same steps and policies in place to safeguard sensitive data. Furthermore, organizations under the GLBA have the authority to manage how their service providers handle their customer information to ensure compliance with the GLBA.
Therefore, cloud-based data centers must comply with the GLBA rules for security policies and enforcement or risk losing business from organizations covered under the GLBA, both current clients and potential ones. As the data center operator, you could go about this in one of three ways: 1) create separate GLBA-compliant policies for each client organization based on its needs; 2) allow each client organization to delineate the GLBA-compliant policies it would like your business to follow, and adopt those accordingly; or 3) establish one set of GLBA-compliant policies covering all aspects of data protection and privacy that can work for all client organizations and potential new business.
GLBA and Data Destruction
Just as there are plans and personnel in place to oversee the safeguarding of data while it’s in use, under the GLBA there must also be a plan and personnel in place to oversee data destruction when the data has reached its end of life. These policies and plans for the proper disposal of secured data should be incorporated into the organization’s information security plan and should be regularly evaluated for risk as well. While this is a straightforward task for the GLBA-covered company itself, developing and enforcing GLBA-compliant data destruction policies for a third-party affiliate or service provider like a data center is a different story entirely.
Not only do you need to create a set of protocols around data and drive destruction for your data center, but you also need to be able to prove to your client organization that you can properly dispose of both the drives and the data housed on them. This is because both data and drive disposal must be carried out so that neither the data nor the drive can be recovered or otherwise reconstructed after destruction. Since your data center already provides remote access to the information you store, it’s recommended that you purchase and maintain data destruction machinery on-site at your center. This way, you also control where that sensitive information is handled during the data destruction event.
One of the simplest ways to ensure compliance during data destruction events is to work with the GLBA-covered organization to assign specific personnel to that task within your data center. For instance, designated personnel from your company as well as the client company’s GLBA task force would be required to be on-site during data destruction events. Both parties would then be responsible for enforcing data destruction at the data center, including documenting every data destruction event, to ensure compliance and limit liability in the event of a breach.