Why ITAD. The legal case

We’ve already answered the question: “What is IT Asset Disposition (ITAD)?” Today we want to move beyond the ‘what’ and get into the ‘why’. No two companies are exactly alike, so no two companies will have the same motivations to work with an ITAD provider. However, most motivations fall into three primary categories: legal, ethical/social, and economic.

Today we will cover the legal reasons for ITAD: the laws that govern data privacy and the penalties that follow if you fail to comply. Most of them cover data privacy, but there are also environmental laws you should consider.


PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS isn’t technically legislation, but compliance with this standard (first published in 2004) is so widely required that it might as well be. In fact, it’s a good example of industry self-regulation. The standard is recognized across the card payment industry, and if you fail to meet its requirements you may receive fines from your acquirer or card brands, or lose the ability to process card payments at all.

Above all, the standard requires you to protect stored cardholder data, and it also requires that cardholder data be kept only as long as there is a business need and securely deleted once it is no longer required. A documented data sanitization process for decommissioned hardware is how you demonstrate that stored cardholder data did not leave your control on a retired drive.


SOX (Sarbanes-Oxley Act)

Passed in 2002, SOX was primarily written to set financial reporting and accounting standards for public companies. It requires the CEO and CFO to personally certify the company’s financial reports and gives auditors more independence and authority when evaluating that information.

Section 802 outlines the criminal penalties (up to 20 years in prison) for altering or destroying documents to obstruct an investigation, as well as the record-retention requirements.

  • You must not modify, destroy, or falsify records with the intent to impede or obstruct an investigation.

  • You must maintain audit-related documents for 7 years from the conclusion of the financial audit.

  • You must maintain all business records and communications, including electronic communications, for the duration of that period.

SOX’s requirements don’t directly prescribe how to destroy data, but the information that must be kept is highly sensitive. After the retention period, you should take care to properly destroy it. Because destroying records too early is a criminal offense, the destruction should also be documented (what was destroyed, when, and by whom), so you can show that it happened only after the retention period ended.


HIPAA (Health Insurance Portability and Accountability Act)

Passed in 1996, HIPAA regulates the protection, use, and disclosure of health data. Penalties for violations can reach $1.5M per year for improper disclosure. While the Privacy Rule applies directly only to covered entities (health plans, health care providers, and health care clearinghouses), business associates that create, receive, maintain, or transmit protected health information on their behalf are also subject to its requirements; an ITAD vendor handling a hospital’s retired storage is a typical example.

  • You must protect individually identifiable health information relating to a person’s past, present, or future health condition, care, or payment for care.

  • You must maintain written privacy policies and procedures.

  • You must implement reasonable safeguards, including limiting disclosures to the minimum necessary and to the minimum number of people.

Even disclosures that are not the result of willful neglect can incur fines of $100 to $50,000 per violation, up to the yearly $1.5M cap; willful neglect draws the highest tier.


FACTA (Fair and Accurate Credit Transactions Act)

Congress passed FACTA in 2003, and the FTC’s implementing Disposal Rule details how consumer report data must be managed and destroyed.

  • You must document what was destroyed and when.

  • You must have written policies in place for data destruction.

  • You should have strict schedules for timely data destruction.

  • You are required to train your employees.

When it comes to electronic data, FACTA requires you to: “destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed”. That last clause is the important one: simply deleting files or quick-formatting a drive does not meet it, because the underlying data typically remains recoverable with forensic tools. Overwriting, cryptographic erasure, degaussing, or physical destruction of the media is what the standard is asking for.


GLB Act (Gramm-Leach-Bliley Act)

Passed in 1999, the GLB Act requires financial institutions to protect the security and confidentiality of customer information, including protecting it from anticipated threats or hazards, and to guard against unauthorized access to and use of that information. Like HIPAA, this act applies to personally identifiable information, but in this case it is nonpublic personal financial information rather than health data. The FTC’s Safeguards Rule, which implements the security requirement, expects customer information to be securely disposed of once it is no longer needed.

  • You must provide a clear and accurate statement of your company’s privacy policy.

  • You must provide customers the ability to opt-out of sharing their information with third parties.

  • You must protect all nonpublic personal information (e.g. lists of credit card, payday lending, or loan customers).

  • You are responsible for your own handling of that information and for that of your affiliates and service providers.

Environmental laws and other state regulations

The laws above are only the federal laws surrounding data privacy and protection. Many states also have their own data-disposal and breach-notification standards that you must follow. In addition, 25 out of 50 states have environmental legislation in place that regulates the proper disposal of electronic equipment (a.k.a. e-waste). The legal side of ITAD can be complex and overwhelming: the documents we just summarized run to hundreds of pages released over decades, not to mention revisions and updates.

Next time we will continue the ‘why’ conversation as we delve into the ethical/social and economic reasons for implementing a strong ITAD practice. Stay tuned!
