Policies that govern how long client data is kept and how it is securely destroyed when it is no longer needed.
Retention and disposal policies define how long a firm keeps client data and how that data is securely destroyed once its retention period expires. The FTC Safeguards Rule requires secure disposal of customer information (16 CFR 314.4(c)(6)), and the broader FTC Disposal Rule (16 CFR Part 682) also applies. Retention periods vary by record type: federal tax records are often kept three to seven years; state requirements may be longer; and IRS rules may impose specific minimums for particular records. Disposal must render the data unreadable and unrecoverable: shredding for paper records, and cryptographic erasure or physical destruction for digital media.
Keeping data longer than necessary inflates breach exposure and may violate state privacy laws. Disposing of data incorrectly (for example, moving files to the recycle bin instead of wiping them, or throwing out an old laptop without wiping its drive) is a notifiable breach. A documented retention schedule and disposal procedure protects the firm in both directions: it limits what can be exposed and shows that disposal was handled properly. The FTC has fined firms specifically for improper disposal.
The 58-Control Register module handles this for your firm, personalized to your software, team size, and state requirements.