Where do electronics go when they die?
Why do we send them there?
Do all servers go to heaven?
We will answer these questions and more in this series covering the basic ideas of IT Asset Disposition (ITAD). Each post will introduce (or reintroduce) tech specialists to the afterlife of IT from ‘how to’ to ‘have to’. Know someone who needs a refresher? Send this their way and we’ll get them back on track.
Last time, we started at the beginning by answering the question, “What is IT Asset Disposition (ITAD)?” Today we want to move beyond the ‘what’ and get into the ‘why’. No two companies are exactly alike, so no two companies will have the same motivations. But, most companies fall into three primary categories: Legal, Ethical, and Social.
Today we’ll cover the legal reasons for ITAD; the laws that govern privacy and the penalties that follow if you don’t follow them. Most of them will cover data privacy, but there are also environmental laws you should consider.
PCI DSS (Payment Card Industry Data Security Standard)
PCI isn’t technically legislation, but compliance with this 2004 standard is so common that it might as well be. In fact, it’s a wonderful example of industry self-regulation. The PCI standard is recognized across the credit card processing industry, and if you fail to meet its requirements you may receive fines or lose the privilege to process a credit card.
Above all, the regulation requires you to protect stored cardholder data. Secure data sanitization processes will help you maintain this requirement when you decide to decommission unwanted hardware.
SOX (Sarbanes-Oxley Act)
Passed in 2002, SOX was primarily written to govern proper accounting standards for public companies. It requires company information to be certified by the CEO and CFO and gives more power to auditors while evaluating that information.
Section 802 (PDF) outlines the criminal penalties (up to 20 years in prison) for altering documents as well as the requirements for appropriate destruction of records.
- You must not modify, destroy, or falsify records.
- You must maintain documents for 7 years from the conclusion of the financial audit.
- You must maintain all business records and communications including electronic communications for the duration.
SOX’s requirements don’t directly apply to secure data destruction, but the information that must be kept is highly sensitive. After the retention period, you should take care to properly destroy this sensitive information.
HIPAA (Health Insurance Portability and Accountability Act)
Passed in 1996, HIPAA regulates the protection, use, and disclosure of health data. Penalties for violations can be up to $1.5M per year if data is improperly disclosed. While the Privacy Rule applies only to health plans, health care providers, and health care clearinghouses, any companies that interact with or support these companies may also fall under compliance if they transmit health information in electronic form.
- You must protect individually identifiable health information – Past, Present, and Future.
- You must maintain written privacy policies and procedures.
- You must implement reasonable safeguards including sharing information only with a minimal number of people.
Accidental disclosure of identifiable information can incur fines of $100 – $50,000 per violation up to the yearly $1.5M cap as long as it’s not due to willful neglect. (If that’s the case…good luck.)
FACTA (Fair and Accurate Credit Transactions Act)
The FTC passed this rule in 2005 which details the management and destruction of consumer report data.
- You must document what was destroyed and when.
- You must have written policies in place for data destruction.
- You should have strict schedules for timely data destruction.
- You are required to train your employees.
When it comes to electronic data, FACTA requires you to:
“destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed”.
GLB Act (Gramm-Leach-Bliley Act)
Passed in 1999, the GLB Act requires financial institutions to protect the security and confidentiality of customer information; including protecting it from anticipated threats or hazards. It also requires institutions to protect against unauthorized access and use of the information. Like HIPAA, this act only applies to personally identifiable information, but in this case, instead of health data, it’s financial.
- You must provide customers the ability to opt-out of sharing their information with third parties.
- You must protect all nonpublic personal information (e.g. lists of credit card, payday lending, or auto loan customers).
- You are responsible for the actions of yourself and your affiliates.
Environmental Laws And Other State Regulations
The laws above are merely the Federal laws surrounding data privacy and protection. Many states also have their own standards that you must follow. Also, 25 out of 50 states have environmental legislation in place that regulates the proper disposal of electronic equipment (a.k.a. e-waste). The state regulations are too much to cover here, but you can view a list of links to each of the e-waste programs here.
The legal side of ITAD can be complex and overwhelming. The documents that we just summarized include hundreds of pages released over decades, not to mention revisions and updates. Frankly, this is why your compliance officer has a job. This stuff is hard.
Next time we’ll continue with the why conversation as we delve more into the ethical and social reasons for implementing a strong ITAD practice.
Need help getting started with your own ITAD practice? Let us help!