On-Site Shredding vs. Off-Site Shredding: Which Is Right for Your New York Business?


For banks, credit unions, mortgage lenders, investment advisors, insurance companies, and other financial institutions serving New York City and across the state, the Gramm-Leach-Bliley Act (GLBA) — also known as the Financial Services Modernization Act of 1999 — establishes comprehensive requirements for protecting the privacy and security of customer financial information. Among those requirements is an often-overlooked but critically important obligation: the proper disposal of nonpublic personal information when it is no longer needed.

The GLBA's document shredding requirements for financial institutions affect not just how customer records are stored but how they are ultimately destroyed. This guide explains what the GLBA requires, which financial institutions it covers, how it interacts with New York’s own financial privacy laws, and how certified document shredding helps New York financial institutions meet their obligations.


What Is the Gramm-Leach-Bliley Act?

The GLBA has three principal components relevant to document security:

  1. The Financial Privacy Rule — Requires financial institutions to provide privacy notices to customers explaining how their information is collected and shared, and gives customers the right to opt out of certain information sharing
  2. The Safeguards Rule — Requires financial institutions to implement comprehensive written information security programs containing administrative, technical, and physical safeguards for customer information — including secure disposal
  3. The Pretexting Provisions — Prohibit the fraudulent acquisition of customer financial information

The FTC’s Safeguards Rule was significantly updated and strengthened in 2023, imposing more detailed and specific requirements on covered financial institutions. New York State also has its own Department of Financial Services (DFS) cybersecurity regulations that overlap with and in some cases exceed GLBA requirements for New York-chartered financial institutions. See our compliance resources for more on financial industry document security.

Which Financial Institutions Does the GLBA Cover?

The GLBA applies broadly to “financial institutions” — a term defined more expansively than most people expect. Covered entities include:

  • Banks and credit unions
  • Mortgage lenders, brokers, and servicers
  • Investment advisors and broker-dealers
  • Insurance companies and agents
  • Check cashing businesses
  • Payday lenders
  • Automobile dealers that offer financing
  • Debt collectors
  • Tax preparation firms
  • Real estate appraisers and settlement service providers
  • Accountants who provide financial advisory services

If your New York business provides any type of financial product or service to consumers, the GLBA likely applies to you. Many small businesses in New York City and Long Island are surprised to discover they fall within the law’s scope.

GLBA Safeguards Rule: Document Disposal Requirements

Under the updated FTC Safeguards Rule, covered financial institutions must implement specific safeguards for customer information at every stage of its lifecycle, including disposal. The rule requires that customer information be disposed of properly when it is no longer needed for business purposes.

Proper disposal under the GLBA Safeguards Rule means:

  • Paper records — Must be shredded, incinerated, or otherwise rendered unreadable; simply throwing records in the trash does not comply
  • Electronic media — Must be erased using secure methods or physically destroyed so data cannot be recovered
  • Documented destruction — Best practice (and increasingly required under state regulations) is to maintain Certificates of Destruction for all customer information disposed of

The rule also requires that your information security program include criteria for evaluating and selecting service providers — meaning you must ensure that any shredding company you hire itself has appropriate security safeguards. This is why NAID AAA-certified shredding companies like New York Shredding are the appropriate choice for GLBA-covered institutions. View our services page for details on our certified destruction processes.

New York DFS Cybersecurity Regulation and Document Disposal

For financial institutions regulated by the New York Department of Financial Services (DFS), including New York-chartered banks, insurance companies, and licensed financial services companies, the NY DFS Cybersecurity Regulation (23 NYCRR 500) adds further requirements that overlap with GLBA disposal obligations.

Key DFS requirements relevant to document disposal include:

  • Implementing policies and procedures for secure disposal of nonpublic information no longer needed for business operations or required by law
  • Maintaining a documented data retention and disposal schedule
  • Ensuring that third-party service providers handling nonpublic information have appropriate cybersecurity and disposal practices

New York DFS has been active in enforcement, including against financial institutions for cybersecurity failures. Document disposal is increasingly being scrutinized as part of overall information security program assessments.

Bank Customer Data Shredding: Building a Compliant Program

For New York financial institutions seeking to bring their shredding of bank customer data into compliance with the GLBA and NY DFS regulations, here is a practical framework:

  1. Data mapping — Identify all locations where customer financial information (both paper and electronic) is maintained
  2. Retention schedule — Establish a documented retention schedule specifying how long each category of customer information must be retained; key periods for most banks range from 5 to 7 years
  3. Secure disposal procedures — Implement locked shredding consoles in all areas where customer information is handled; establish regular pickup schedules
  4. Vendor due diligence — Ensure your shredding vendor is NAID-certified and provides Certificates of Destruction
  5. Hard drive and media destruction — Extend your program to electronic media containing customer financial data
  6. Documentation and audit trail — Maintain complete records of all destruction activities, including Certificates of Destruction, for regulatory examination purposes

Contact New York Shredding to discuss a document destruction program tailored to your financial institution’s GLBA and NY DFS compliance needs. We serve banks, investment firms, insurance companies, and other financial services providers throughout New York City, Long Island, Westchester, and the Hudson Valley.

Why New York Businesses Choose New York Shredding

For over a decade, New York Shredding Document Destruction, Inc. has helped businesses across New York City, Long Island, Westchester, and the Hudson Valley protect their sensitive information through certified, HIPAA-compliant shredding services. Our industrial-grade shredding equipment, locked on-site consoles, and Certificate of Destruction give your business the proof it needs for any compliance audit.

Whether you need scheduled shredding, a one-time purge, or hard drive destruction, we serve all five boroughs and surrounding areas with fast, reliable service. Request a free quote today and get your office on a shredding schedule that keeps you protected year-round.

Ready to get started? Contact New York Shredding for a free quote, or explore our full range of shredding services.
