Data Sanitization under GLBA and FACTA: How NIST 800-88 Can Help You Meet Destruction Obligations
In today’s data-driven world, organizations are more accountable than ever for safeguarding personal and financial information. Many regulations have been put in place to ensure that businesses handle sensitive data with care, and one critical aspect of data protection is the secure destruction of data that is no longer needed. Two such regulations that impose specific data destruction requirements are the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA).
Both of these regulations require financial institutions and businesses dealing with sensitive consumer information to implement safeguards, including data sanitization practices to prevent unauthorized access to or misuse of sensitive data. In this blog post, we will explore the data sanitization requirements under GLBA and FACTA and how NIST 800-88 guidelines can help organizations meet their obligations for securely destroying data.
Understanding GLBA and FACTA: What Are the Data Destruction Requirements?
Both the Gramm-Leach-Bliley Act (GLBA) and Fair and Accurate Credit Transactions Act (FACTA) are designed to protect consumers' financial information. Each regulation has specific provisions that require businesses to implement strong data security and destruction practices, particularly when it comes to personally identifiable information (PII) and non-public personal information (NPI).
GLBA and Data Destruction
The Gramm-Leach-Bliley Act (GLBA), which applies primarily to financial institutions, mandates that companies protect consumer financial information and limit the disclosure of that information. The act includes requirements for securing the disposal of consumer data to prevent unauthorized access.
The GLBA Privacy Rule and Safeguards Rule specifically address the disposal of consumer information by requiring businesses to implement appropriate measures to ensure that sensitive data is properly destroyed when it is no longer needed. This could involve the destruction of paper documents containing PII or the sanitization of electronic records on digital storage devices.
GLBA Data Destruction Requirements:
Physical destruction of paper records or hard drives.
Logical destruction or sanitization of digital data that is no longer needed, ensuring that data cannot be reconstructed or retrieved.
Institutions are required to implement written data retention and disposal policies that comply with these requirements.
FACTA and Data Destruction
The Fair and Accurate Credit Transactions Act (FACTA), a key piece of legislation aimed at protecting consumers from identity theft, places specific obligations on businesses to properly dispose of consumer data. FACTA’s Section 216, often referred to as the "Disposal Rule," mandates that businesses take reasonable steps to destroy or erase consumer information when it is no longer needed, including both paper and electronic formats.
FACTA Data Destruction Requirements:
Implement safeguards to prevent unauthorized access to sensitive data during disposal.
Proper destruction of paper records (e.g., shredding) and digital data (e.g., using secure erasure methods for hard drives, SSDs, and other media).
Businesses must have a policy in place that specifies how to securely destroy consumer information when it is no longer required for business purposes.
How NIST 800-88 Guidelines Help Achieve Data Destruction Obligations
NIST Special Publication 800-88 (commonly known as NIST 800-88) is a widely recognized guideline that provides best practices for data sanitization, focusing on secure data deletion methods for various types of storage devices. This document is essential for organizations seeking to meet the data destruction requirements under GLBA and FACTA.
NIST 800-88 outlines three main approaches to data sanitization, each of which is applicable to the requirements for securely destroying sensitive information under both GLBA and FACTA:
Clear – This method applies logical techniques (standard read/write commands) to overwrite storage locations so that the data is no longer retrievable by simple, non-invasive recovery tools, although it does not rule out laboratory-level recovery. It is suitable for situations where the device will continue to be used but must not contain sensitive data.
Example: Using software to overwrite hard drives with random data before reusing or reselling the device.
Purge – Media-specific, advanced techniques that render data irretrievable. It is important to note that these techniques do NOT use the standard read/write commands; they rely on commands defined for the specific media type.
Example: Issuing a block erase command to an SSD, or using cryptographic erase (destroying the key that encrypts the data) so that the data cannot be reconstructed.
Destroy – This involves physically destroying the storage medium so that data cannot be recovered by any means. This method is necessary when the device is no longer in use and will not be reused.
Example: Shredding hard drives, disintegrating solid-state drives (SSDs), or incinerating paper records.
By using NIST 800-88 guidelines to implement these techniques, organizations can ensure they meet their data destruction obligations under GLBA and FACTA.
Applying NIST 800-88 for GLBA and FACTA Compliance
Here’s how organizations can apply NIST 800-88 guidelines to fulfill the data destruction requirements of both GLBA and FACTA:
1. Establish Clear Data Disposal Policies
Both GLBA and FACTA require organizations to have clear and documented policies for the retention and disposal of sensitive information. Implementing a data disposal policy aligned with NIST 800-88 is an excellent starting point. This policy should:
Define the methods for data sanitization (clear, purge, destroy). Be sure to review Appendix A of NIST 800-88 for the media type definitions of clear, purge, and destroy.
Specify the frequency of data disposal based on the business needs and the type of data.
Assign responsibilities for securely destroying data, including who can access and destroy sensitive records.
2. Use Certified Data Sanitization Tools
Organizations can implement software tools that meet the NIST 800-88 criteria for clearing and purging data from digital devices. When using these tools, make sure you understand whether the software is issuing NIST Clear or NIST Purge commands as defined for the media type in question.
3. Ensure Physical Destruction of Storage Devices
For devices that are no longer in use, such as hard drives, tapes, and other physical storage media, physical destruction is often the best method of ensuring that data cannot be recovered. NIST 800-88 provides detailed guidance on how to destroy physical devices securely—whether through shredding, crushing, or other means of destruction. A common industry shred size is 10 mm for many types of media, but other techniques such as degaussing can also be employed where the media type supports them.
4. Documentation and Auditing
Both GLBA and FACTA require that organizations maintain a record of their data destruction activities. This includes documentation of when and how sensitive data was destroyed, who performed the destruction, and what method was used. Maintaining these records is critical in case of audits or investigations. NIST 800-88 also provides guidelines on what documentation should be gathered during data destruction and disposition activities.
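The policy definitions in step 1, the Clear-versus-Purge question in step 2, and the record-keeping in step 4 all come down to one check: does the technique actually recorded achieve the method claimed for that media type? The following is an added example (not code from the post or from NIST) that encodes a simplified, illustrative reading of Appendix A of NIST 800-88 Rev. 1 and validates a sanitization record against it; the media names, the record fields, and the sample serial numbers are constructed for this example, and the authoritative technique list is the publication itself.

```python
from dataclasses import dataclass

# Simplified, illustrative reading of NIST SP 800-88 Rev. 1 Appendix A
# (assumption: not the full table; the publication is authoritative).
# Note that degaussing purges magnetic media but is absent for SSDs.
APPENDIX_A = {
    "ata_hdd": {
        "clear": {"overwrite"},
        "purge": {"ata_secure_erase", "ata_sanitize_block_erase",
                  "ata_sanitize_crypto_scramble", "degauss"},
        "destroy": {"shred", "disintegrate", "pulverize", "incinerate"},
    },
    "ata_ssd": {
        "clear": {"overwrite"},
        "purge": {"ata_sanitize_block_erase", "ata_sanitize_crypto_scramble"},
        "destroy": {"shred", "disintegrate", "pulverize", "incinerate"},
    },
    "magnetic_tape": {
        "clear": {"overwrite"},
        "purge": {"degauss"},
        "destroy": {"shred", "incinerate"},
    },
    "paper": {"destroy": {"shred", "pulverize", "incinerate"}},
}


@dataclass
class SanitizationRecord:
    """Minimal disposal record of the kind step 4 asks you to retain."""
    media_type: str      # key of APPENDIX_A
    method: str          # "clear", "purge" or "destroy"
    technique: str       # concrete technique actually applied
    serial_number: str
    performed_by: str
    verified: bool       # post-sanitization verification was done
    performed_on: str    # ISO date, e.g. "2024-01-15"


def validate(record):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    methods = APPENDIX_A.get(record.media_type)
    if methods is None:
        return [f"unknown media type {record.media_type!r}"]
    allowed = methods.get(record.method)
    if allowed is None:
        problems.append(f"{record.method!r} is not defined for {record.media_type}")
    elif record.technique not in allowed:
        problems.append(f"{record.technique!r} does not achieve {record.method} on {record.media_type}")
    if not record.verified:
        problems.append("verification not recorded")
    return problems
```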
5. Train Employees and Contractors
Employees who handle sensitive data should be trained on the data sanitization processes and the importance of following the data destruction policy. When evaluating external contractors who handle data sanitization, be sure to understand their business model. The IT Asset Disposition industry has many different players: some prioritize reselling hardware online, while others prioritize security and on-site physical destruction. Make sure you understand exactly how an external vendor is going to achieve NIST 800-88 clear, purge, or destroy guidance.
Conclusion
Data sanitization is a critical component of complying with both the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA), as both regulations require secure disposal of sensitive consumer data. Following NIST 800-88 guidelines ensures that organizations are using the correct techniques—whether it’s clearing, purging, or destroying data—to meet these legal requirements.
By applying the guidance in NIST 800-88, organizations can take proactive steps to protect consumers' personally identifiable information (PII), prevent identity theft, and avoid costly regulatory fines. Implementing a robust, compliant data destruction program is not just a legal obligation—it’s also a critical measure to maintain consumer trust and safeguard your organization’s reputation.
Written by Christopher McDevitt with assistance from AI.