
Why ITAD. The legal case

Sep 13, 2021


We've already answered the question: "What is IT Asset Disposition (ITAD)?" Today we want to move beyond the 'what' and get into the 'why'. No two companies are exactly alike, so no two companies will have the same motivations to work with an ITAD provider. However, most companies fall into three primary categories: Legal, Ethical/Social, and Economics.

Today we will cover the legal reasons for ITAD: the laws that govern privacy and the penalties that follow if you don't comply with them. Most of these laws cover data privacy, but there are also environmental laws you should consider.


PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS isn't technically legislation, but compliance with this 2004 standard is so common that it might as well be. In fact, it's a wonderful example of industry self-regulation. The PCI standard is recognized across the credit card processing industry, and if you fail to meet its requirements you may receive fines or lose the privilege of processing credit cards.

Above all, the regulation requires you to protect stored cardholder data. Secure data sanitization processes will help you maintain this requirement when you decide to decommission unwanted hardware.


SOX (Sarbanes-Oxley Act)

Passed in 2002, SOX was primarily written to govern proper standards for public companies. It requires company information to be certified by the CEO and CFO and gives more power to auditors while evaluating that information.

Section 802 outlines the criminal penalties (up to 20 years in prison) for altering documents as well as the requirements for appropriate destruction of records.

  • You must not modify, destroy, or falsify records.

  • You must maintain documents for 7 years from the conclusion of the financial audit.

  • You must maintain all business records and communications including electronic communications for the duration.

SOX's requirements don't directly apply to secure data destruction, but the information that must be kept is highly sensitive. After the retention period, you should take care to properly destroy the sensitive information. 


HIPAA (Health Insurance Portability and Accountability Act)

Passed in 1996, HIPAA regulates the protection, use, and disclosure of health data. Penalties for violations can be up to $1.5M per year if data is improperly disclosed. While the Privacy Rule applies only to health plans, health care providers, and health care clearinghouses, any companies that interact with or support these companies may also fall under compliance if they transmit health information in electronic form.

  • You must protect individually identifiable health information - Past, Present, and Future.

  • You must maintain written privacy policies and procedures.

  • You must implement reasonable safeguards including sharing information only with a minimal number of people.

Accidental disclosure of identifiable information can incur fines of $100-$50,000 per violation up to the yearly $1.5M cap as long as it's not due to willful neglect. 


FACTA (Fair and Accurate Credit Transactions Act)

Passed in 2003, this FTC rule details the management and destruction of consumer report data.

  • You must document what was destroyed and when.

  • You must have written policies in place for data destruction.

  • You should have strict schedules for timely data destruction.

  • You are required to train your employees.

When it comes to electronic data, FACTA requires you to: "destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed".


GLB Act (Gramm-Leach-Bliley Act)

Passed in 1999, the GLB Act requires financial institutions to protect the security and confidentiality of customer information, including protecting it from anticipated threats or hazards. It also requires institutions to protect against unauthorized access to and use of the information. Like HIPAA, this act applies only to personally identifiable information, but in this case the information is financial rather than health data.

  • You must provide a clear and accurate statement of your company's privacy policy.

  • You must provide customers the ability to opt-out of sharing their information with third parties.

  • You must protect all nonpublic personal information (e.g. lists of credit card, payday lending, or loan customers).

  • You are responsible for the actions of yourself and your affiliates.

Environmental laws and other state regulations

The laws above are merely the Federal laws surrounding data privacy and protection. Many states also have their own standards that you must follow. Also, 25 out of 50 states have environmental legislation in place that regulates the proper disposal of electronic equipment (a.k.a. e-waste). The legal side of ITAD can be complex and overwhelming. The documents that we just summarized include hundreds of pages released over decades, not to mention revisions and updates.

Next time we will continue with the why conversation as we delve more into the ethical/social and economic reasons for implementing a strong ITAD practice. Stay tuned!
