There is a lot of discussion about how best to protect network data through means such as encryption and access management. However, many have not considered what happens to data when the hard drives it resides upon leave an organization.
Several laws now require many businesses to take affirmative steps to ensure that no personal data is left on disposed hard drives. One piece of federal legislation, the Health Insurance Portability and Accountability Act (HIPAA), requires covered entities such as healthcare providers, clearinghouses and health plans to take extensive measures to protect certain protected health information and data at all stages, including disposal or resale.
The Gramm-Leach-Bliley Act (GLBA) is another industry-specific piece of legislation similar to HIPAA, but applicable to financial services firms of all sizes and non-affiliated third parties. The requirement under GLBA is that any “non-public” personal financial information must be protected under the “Safeguards Rule.”
Both HIPAA and GLBA require companies to document, test and analyze their programs for compliance while implementing appropriate and reasonable protections. Due diligence and partnership with responsible third-party providers when disposing of data is also a must.
Another significant piece of legislation went into effect on June 1, 2005. Called the Fair and Accurate Credit Transactions Act (FACTA), its disposal rule requires proper and reasonable disposal of any consumer information derived from consumer reports for a business purpose by companies so that data is destroyed or erased to a degree that it “cannot practicably be read or reconstructed.”
The repercussions of noncompliance with HIPAA, GLBA and FACTA include substantial civil monetary penalties, personal liability and possible imprisonment.
Not covered? Not so fast
Although these laws only apply to certain types of companies, and maybe not yours, they lay the groundwork for much more to come. In fact, a recent study revealed that 46% of likely voters surveyed would have serious doubts about a candidate who does not support swift action to pass laws requiring consumer notification after data security breaches — and 71% want Congress to pass such laws.
The recent data breach at the Department of Veterans Affairs, which may have compromised up to 26.5 million personal records, can only add more fuel to the data security fire.
But while Congress is debating the merits of numerous federal bills which have been proposed to address data security, the Federal Trade Commission (FTC) already has made data security a priority and declared that it should also be a priority to every business in America.
To that end, the FTC has begun actively pursuing companies for “deceptive” trade practices whenever the information security representations made to the public (for instance, on a website or in a privacy policy) does not correspond to the actual security practices.
The message is clear: If you tell consumers you are protecting their data, you better be following through.
Targets of enforcement actions have included Microsoft, Eli Lilly, Barnes & Noble, BJ’s Wholesale Club and ChoicePoint, which recently was assessed $10 million in civil penalties and an additional $5 million in consumer redress to settle FTC charges.
Moreover, the FTC has also begun enforcement actions against companies that do not provide adequate data security, even in the absence of any voluntary representations to the public, under “unfair” trade practice theories. Thus, even companies not expressly covered by HIPAA, GLBA or FACTA must have policies and procedures in place to deal with data security.
State Law Patchwork
Individual states are not standing on the sidelines either. California’s data protection law, A.B. 1950, affects any business with electronic information regarding California residents. It does not apply just to California companies, but to all companies with information concerning California residents.
In a bold move that became enforceable on Jan. 1, 2005, the State of California essentially gave a borderless mandate to corporations all across the United States with customers — or employees — residing in California. In addition, California law A.B. 1386 requires companies to promptly notify Californians if there is even a possibility that protected information has been compromised.
The California State University system experienced this first-hand when a technician innocently misplaced a single hard drive, resulting in notices being sent to more than 23,000 individuals, even though no actual instance of compromised data was established.
Other states have joined in to protect their citizens. To date, data security legislation has been introduced in at least 35 states, while 23 states have passed laws concerning data protection, notification or a combination.
By way of example, Texas requires notice of data breaches to its citizens and imposes a fine of up to $500 per record for data negligently disposed, in addition to attorney’s fees and costs.
The bottom line is that we now have a patchwork of laws that threatens to ensnare unsuspecting companies doing domestic cross-border business through a lack of awareness and varying standards, remedies and enforcement.
To make matters even more complex, more than 50 nations have personal data protection laws that apply to all businesses that handle customer information, regardless of size or physical presence.
Jeff Rousseau is a vice president and assistant general counsel for St. Louis-based CSI Leasing, an independent IT leasing company that also sanitizes, resells and recycles approximately 10,000 pieces of equipment per month.