Regulations last checked for updates: Nov 22, 2024

Title 17 - Commodity and Securities Exchanges last revised: Nov 19, 2024
§ 162.21 - Proper disposal of consumer information.

(a) In general. Any covered affiliate must adopt must adopt reasonable, written policies and procedures that address administrative, technical, and physical safeguards for the protection of consumer information. These written policies and procedures must be reasonably designed to:

(1) Ensure the security and confidentiality of consumer information;

(2) Protect against any anticipated threats or hazards to the security or integrity of consumer information; and

(3) Protect against unauthorized access to or use of consumer information that could result in substantial harm or inconvenience to any consumer.

(b) Standard. Any covered affiliate under this part who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

(c) Examples. The following examples are “reasonable” disposal measures for the purposes of this subpart—

(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed;

(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practically be read or reconstructed; and

(3) After due diligence, entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of consumer information in a manner that is consistent with this rule.

(d) Relation to other laws. Nothing in this section shall be construed:

(1) To require a person to maintain or destroy any record pertaining to a consumer that is imposed under Sec. 1.31 or any other provision of law; or

(2) To alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.

[66 FR 21252, Apr. 27, 2001, as amended at 89 FR 71820, Sept. 4, 2024]
authority: Sec. 1088, Pub. L. 111-203; 124 Stat. 1376 (2010)
source: 76 FR 43884, July 22, 2011, unless otherwise noted.
cite as: 17 CFR 162.21