Careless disposal of PII is subject to harsh legal penalties in many countries. Similarly, companies that do not have regimented processes for the retirement of technology and the data resident on it are at risk of a loss of reputation, trust, and revenue.
In the United States, there are several major laws that businesses need to remain aware of:
Privacy Act of 1974
The Privacy Act of 1974 sets out rights and restrictions on data when it is held by government agencies. It governs the collection, maintenance, use, and dissemination of those records. Essentially, US federal workers must not wilfully disclose information to anyone not entitled to receive it.
The Fair and Accurate Credit Transactions Act (FACTA)
This law was passed in 2003 to enhance customer protections, mainly those against identity theft. While it increased the amount of PII required from customers, it also gave that PII more protection once gathered.
Penalties for violations of FACTA vary, but wilful violations could amount to penalties in the billions.
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Modernization Act, this law was passed in 1999. It requires US companies to explain how they share and protect personal information, and it protects financial non-public personal information (NPI). Amongst other specifics, it requires businesses to apply special protections to private data in accordance with an information security plan.
Punishments for GLBA non-compliance, once proven, are severe. Individuals found in violation face fines of $10,000 for each violation discovered. Organizations face $100,000 for each violation.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA came into force in 1966 and covers information regarding health status, care, or payment, setting standards for covered parties and business associates. It only applies to protected health information (PHI).
Any organization that houses this kind of data must protect it, both during use and at disposal. Jail terms are likely, and restitution may also need to be paid to affected individuals. However, the penalties imposed depend on whether the breach was carried out with intent and on the degree of negligence involved.
California Consumer Privacy Act (CCPA)
At least 35 states implement their own laws regarding data protection, and the CCPA is a well-known one. It has influenced other states to create similar laws, which have been implemented in states such as Maryland, Rhode Island, and Massachusetts, among others.
Passed in early 2020, the CCPA incorporates the foundational principles of GDPR, mirroring its focus on data protection and privacy requirements. Penalties for violations of the CCPA vary, with fines of $2,500 for individual breaches and $7,500 for wilful individual breaches.
Both the Federal Trade Commission (FTC) and HIPAA also require the proper disposition of information.