We've already answered the question: "What is IT Asset Disposition (ITAD)?" Today we want to move beyond the 'what' and get into the 'why'. No two companies are exactly alike, so no two companies will have the same motivations to work with an ITAD provider. However, most companies fall into three primary categories: Legal, Ethical/Social, and Economics.
Today we will cover the legal reasons for ITAD; the laws that govern privacy and the penalties that follow if you don't follow them. Most of them will cover data privacy, but there are also environmental laws you should consider.
PCI DSS (Payment Card Industry Data Security Standard)
PCI isn't technically legislation, but compliance with this 2004 standard is so common that it might as well be. In fact, it's a wonderful example of industry self-regulation. The PCI standard is recognized across the credit card processing industry, and if you fail to meet its requirements you may receive fines or lose the privilege to process a credit card.
Above all, the regulation requires you to protect stored cardholder data. Secure data sanitization processes will help you maintain this requirement when you decide to decommission unwanted hardware.
SOX (Sarbanes-Oxley Act)
Passed in 2002, SOX was primarily written to govern proper standards for public companies. It requires company information to be certified by the CEO and CFO and gives more power to auditors while evaluating that information.
Section 802 outlines the criminal penalties (up to 20 years in prison) for altering documents as well as the requirements for appropriate destruction of records.
You must not modify, destroy, or falsify records.
You must maintain documents for 7 years from the conclusion of the financial audit
You must maintain all business records and communications including electronic communications for the duration.
SOX's requirements don't directly apply to secure data destruction, but the information that must be kept is highly sensitive. After the retention period, you should take care to properly destroy the sensitive information.
HIPAA (Health Insurance Portability and Accountability Act)
Passed in 1996, HIPAA regulates the protection, use, and disclosure of health data. Penalties for violations can be up to $1.5M per year if data is improperly disclosed. While the Privacy Rule applies only to health plans, health care providers, and health care clearinghouses, any companies that interact with or support these companies may also fall under compliance if they transmit health information in electronic form.
You must protect individually identifiable health information - Past, Present, and Future.
You must maintain written privacy policies and procedures.
You must implement reasonable safeguards including sharing information only with a minimal number of people.
Accidental disclosure of identifiable information can incur fines of $100-$50,000 per violation up to the yearly $1.5M cap as long as it's not due to willful neglect.
FACTA (Fair and Accurate Credit Transactions Act)
The FTC passed this rule in 2003 which details the management and destruction of consumer report data.
You must document what was destroyed and when.
You must have written policies in place for data destruction.
You should have strict schedules for timely data destruction.
You are required to train your employees.
When it comes to electronic data, FACTA requires you to: "destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed".
GLB Act (Gramm-Leach-Bliley Act)
Passed in 1999, the GLB Act requires financial institutions to protect the security and confidentiality of customer information; including protecting it from anticipated threats or hazards. It also requires institutions to protect against unauthorized access and use of the information. Like HIPAA, this act only applies to personally identifiable information, but in this case, instead of health data, it's financial.
You must provide customers the ability to opt-out of sharing their information with third parties.
You must protect all nonpublic personal information (e.g. lists of credit card, payday lending, or also loan customers).
You are responsible for the actions of yourself and your affiliates.
Environmental laws and other state regulations
The laws above are merely the Federal laws surrounding data privacy and protection. Many states also have their own standards that you must follow. Also, 25 out of 50 states have environmental legislation in place that regulates the proper disposal of electronic equipment. (a.k.a. e-waste). The legal side of ITAD can be complex and overwhelming. The documents that we just summarized include hundreds of pages released over decades, not to mention revisions and updates.
Next time we will continue with the why conversation as we delve more into the ethical/social and economic reasons for implementing a strong ITAD practice. Stay tuned!