17 CFR § 248.30 - Procedures to safeguard customer records and information; disposal of consumer report information.
(a) Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
(1) Insure the security and confidentiality of customer records and information;
(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(b) Disposal of consumer report information and records -
(ii) Consumer report information means any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. Consumer report information also means a compilation of such records. Consumer report information does not include information that does not identify individuals, such as aggregate information or blind data.
(iii) Disposal means:
(A) The discarding or abandonment of consumer report information; or
(B) The sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored.
(2) Proper disposal requirements -
(i) Standard. Every broker and dealer other than notice-registered broker-dealers, every investment company, and every investment adviser and transfer agent registered with the Commission, that maintains or otherwise possesses consumer report information for a business purpose must properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
(ii) Relation to other laws. Nothing in this section shall be construed:
(A) To require any broker, dealer, or investment company, or any investment adviser or transfer agent registered with the Commission to maintain or destroy any record pertaining to an individual that is not imposed under other law; or
(B) To alter or affect any requirement imposed under any other provision of law to maintain or destroy any of those records.