FDIC Requires Banks to Adopt Policies on Disposal of Information Stored on Office Equipment
On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance (Financial Institution Letter FIL-56-2010, "FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers") urging banks under its supervision to ensure that they have written policies for the erasure or destruction of sensitive or confidential customer information stored in photocopiers, fax machines, or printers. Such storage may occur when the device's hard drive or flash memory stores digital images of documents that were photocopied, faxed, or printed using the device.
This is a particular concern for banks that lease office equipment - which may be used to process a significant amount of confidential information relating to financial transactions - and then return the equipment or sell it to another party. If the memory of such devices is left intact, it is possible that such a third party could access data constituting "nonpublic personal information" under the Gramm-Leach-Bliley Act, such as information in consumers' loan applications or account statements, or other confidential information.
FDIC-supervised banks must, therefore, implement written policies and procedures to ensure that a hard drive or flash memory in office equipment containing sensitive data is erased, encrypted or destroyed prior to the device being returned to a leasing company, sold, or otherwise disposed of. If the bank chooses to erase or encrypt the hard drive rather than destroy it, the bank should ensure that the method used will render the information on the disk unrecoverable.
While FIL-56-2010 applies only to banks supervised by the FDIC, all financial institutions are required to ensure the proper safeguarding and disposal of customer information. Therefore, even non-FDIC-supervised financial institutions would be well advised to consider and implement the guidance contained in FIL-56-2010.
