Gramm Leach Bliley Act and its impact on business records retention

Business records retention also involves information security at every level of the company

GLBA (Gramm-Leach-Bliley Act) applies to all financial institutions. The Safeguards Rule of the GLBA is basically a set of elements that all entities covered by the GLBA are expected to comply with in regards to business records retention and security of those records.

The Federal Trade Commission, which regulates all US interstate commerce, has taken the view point that these are actually best practices for all companies. FTC imposes these requirements on companies that are not directly covered by the GLBA.

The Safeguards rule and how it impacts your business records retention

The first element of the Safeguards Rule involves a risk assessment. Taking a look at what the internal and external risks to your data are. That is sometimes best performed by an outside consultant. But it often starts with just your HR department working with your IT bureau, getting to the other brainstorming, what are the risks to our data?

Based on that risk assessment, the next step is to develop a written information security program. Now, that sounds kind of like a large and intimidating project. But the program really depends on the size of the company and also the type of data being handled.

So, if you’re a smaller company that doesn’t handle credit card information or other highly protected information, you may have a very simple program.

You’ll usually have two types of programs in your business records retention scheme. You’ll have more of a simple policy for employees to follow that technology use. And possibly a separate policy more technical document for your IT personnel.

These are developed over time. The core idea is to have a formal policy and procedure in writing that employees can refer to so as to know what your practices are.

The FTC also expects there’s going to be somebody who’s responsible for overseeing the data security program for making sure it’s updated and employees are trained. That is certainly a best practice as well

Edited remarks from the Rapid Learning Institute webinar: “Identity Theft: What HR Can Do To Protect Sensitive Employee Data” by Christine E. Lyon, Esq.