Disposal of Media
Proper disposal of media is essential to protect against reputational exposure and to ensure compliance with the Gramm-Leach-Bliley Act (GLBA) regarding the safeguarding of customer information. Management should have procedures for the destruction and disposal of media containing sensitive information. (See also section 216 of the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. 1681w, which requires the Federal banking agencies, the NCUA, and the FTC to issue regulations requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of such information or compilation.)

These procedures should be risk-based relative to the sensitivity of the information and the type of media used to store the information. For example, prior to disposal, electronic media containing sensitive customer information should be degaussed as a matter of standard procedure; obsolete optical media, such as "write once, read many times" (WORM), should be destroyed or defaced so that the data is unrecoverable; and printed material containing sensitive data should be destroyed in a safe and systematic manner, such as shredding or burning.

Furthermore, disposal procedures should recognize that records stored on electronic media, including tapes and disk drives, present unique disposal problems in that residual data can remain on the media after erasure. Since that data can be recovered, additional disposal techniques should be applied to remove sensitive information.