Yes. east-tec DisposeSecure helps you meet the data erasure requirements of the relevant regulations. Data erasure is a general obligation of data controllers (companies, government departments, voluntary organizations, and even individuals such as G.P.'s, pharmacists or sole traders) under international data security standards and directives. It applies under certain conditions, for instance before IT assets are disposed of, or when the personal data they store has become obsolete or is no longer needed for the purpose it was collected for. Personal data is data that identifies a person, such as a full name or social security number.
We are going to list the most important regulations, summarize their content, highlight how east-tec DisposeSecure can help you comply with them, and describe the consequences of noncompliance in the USA, Canada, Japan, Australia and Europe. It is very important to be fully aware of the possible outcomes of noncompliance: beyond the penalty figures quoted below, negligent data handling and erasure have numerous other destructive impacts in the long run, including loss of business reputation, loss of sales revenue, identity theft, data leaks, loss of investor trust and, most severe of all, prison time for the responsible officers. Let us start with a list of the most important international regulations:
- Sarbanes Oxley Act
- The Gramm-Leach-Bliley Act Section 501
- Fair and Accurate Credit Transactions Act of 2003 (FACTA) Section 216
- Health Insurance Portability and Accountability Act (HIPAA)
- Fair Credit Reporting Act (Credit Reporting Industry)
- NJ Assembly Bill A-1238
- ISO 27001
- ISO 15408
- PCI DSS
- WEEE Directive
- UK Data Protection Act 1998
- Federal Data Protection Act 2001 Germany
- Personal Data Act 1998 Sweden
- Data Protection Law 1978 France
- The Personal Information Protection Act (JPIPA) Japan
- Privacy Act 1988 Australia
- Personal Information Protection and Electronic Documents Act (PIPEDA) Canada
And now a summary of each regulation as it applies to data controllers. Data controllers are those who, either alone or with others, control the contents and use of personal data. Data controllers can be legal entities such as companies, government departments or voluntary organizations, or they can be individuals such as G.P.'s, pharmacists or sole traders.
USA Regulations
- Sarbanes-Oxley Act (Corporate Auditing and Reporting Practices) requires companies to establish internal controls and procedures for financial reporting. This means that the confidentiality and security of information are crucial foundations of compliance. Procedures must cover the financial and privacy data of customers, partners and employees. Data management should therefore include a data destruction practice that handles sensitive information stored on servers, hard drives and USB drives when hardware is disposed of, when data becomes obsolete, or when data is no longer allowed to be stored. east-tec DisposeSecure allows you to erase hard drives, or any other external device connected to your computer, removing data beyond forensic recovery. Detailed wiping reports are produced after the procedure to demonstrate to auditors that a data destruction practice is maintained. Consequences of non-compliance include: loss of exchange listing, loss of D&O (directors and officers liability) insurance, loss of investor trust, and for any CEO or CFO found guilty of certifying a financial report that does not comply with the Act, a fine of up to $1 million and imprisonment for up to ten years; in case of willful violation the fine can be increased to $5 million and the prison term to twenty years.
- The Gramm-Leach-Bliley Act Section 501 (Financial Services Modernization Act) is one of the most stringent regulations regarding the protection of customers' personal financial information held by financial institutions. Its Section 501 requires financial institutions to guarantee the security and confidentiality of customer information. east-tec DisposeSecure helps you comply with this regulation by destroying customer data that is no longer needed or has become obsolete, and by destroying customer data stored on hardware you intend to dispose of (computers, hard drives, media, USB drives etc.). Consequences of non-compliance include: penalties of up to $100,000 per violation for the financial institution, penalties of up to $10,000 per violation for its officers and directors, and imprisonment for up to five years.
- Fair and Accurate Credit Transactions Act of 2003 (FACTA) Section 216 requires companies, financial institutions and business owners who maintain or possess consumer data for business purposes to properly dispose of that information. east-tec DisposeSecure allows you to erase hard drives, or any other external hard disk or removable device connected to your computer, removing data beyond forensic recovery. Consequences of non-compliance: civil actions by the individuals affected, including possible punitive damages and attorney's fees.
- Health Insurance Portability and Accountability Act (HIPAA) requires organizations that store and transmit Protected Health Information (PHI) to properly dispose of the data stored in electronic format on any hardware. east-tec DisposeSecure helps you comply with this regulation by irrecoverably erasing data from hard drives or from any external hard disk connected to your computer. Consequences of non-compliance include: penalties of $100 to $50,000 or more per violation.
- Fair Credit Reporting Act (Credit Reporting Industry). Its Disposal Rule requires businesses and individuals to properly dispose of consumer records and sensitive information obtained from consumer reports. The Rule applies to individuals and to both large and small organizations that use consumer reports, including: consumer reporting companies, lenders, insurers, employers, landlords, government agencies, mortgage brokers, car dealers, attorneys, private investigators, debt collectors, individuals who pull consumer reports on prospective household employees such as nannies or contractors, and entities that maintain information from consumer reports as part of their role as a service provider to other organizations covered by the Rule. east-tec DisposeSecure helps you comply with this regulation by permanently erasing sensitive data stored on your hard drives or on any external hard disk or removable device connected to the computer. Consequences of non-compliance: statutory damages of $100 to $1,000, attorney's fees, and possible punitive damages.
- NJ Assembly Bill A-1238 requires destruction of records stored on digital copy machines and scanners before the devices change hands. east-tec DisposeSecure helps you comply with this regulation by destroying data stored on any removable device connected to your computer beyond recovery. Consequences of non-compliance: a fine of up to $2,500 for the first offense and $5,000 for subsequent offenses.
Regulations outside of the USA
- UK Data Protection Act 1998. Its fifth data protection principle states that "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes". Furthermore, the seventh principle states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". Together these make clear that data must be destroyed once it is no longer needed for a particular purpose, and that data must be protected from falling into the wrong hands, for instance before IT assets are disposed of or change hands, to ensure that no personal data is left on them. east-tec DisposeSecure helps you comply with this regulation by securely erasing your hard drives and other removable devices connected to your computer. Consequences of non-compliance: fines of up to £500,000.
- Federal Data Protection Act 2001 Germany. Its Section 35 states the conditions under which data must be securely erased, for instance when storage is no longer needed for the purpose the data was collected for. east-tec DisposeSecure helps you comply with this regulation by securely erasing your hard drives, or any external hard disk connected to your computer. Consequences of non-compliance include: fines of up to €300,000 for each instance of unlawful processing of personal data.
- Personal Data Act 1998 Sweden. Its Section 9 (h) and (i) state that "all reasonable measures are taken to correct, block or erase such personal data as is incorrect or incomplete having regard to the purposes of the processing" and that "personal data is not kept for a longer period than is necessary having regard to the purposes of the processing". These statements clearly indicate that secure data erasure practices need to be maintained by those who process and store data. east-tec DisposeSecure helps you comply with this regulation by securely erasing your hard drives, or any device connected to your computer, that stores data no longer needed or no longer allowed to be kept. Consequences of non-compliance include: paying damages to the data subject; the data controller can also be fined or imprisoned for up to two years.
- Data Protection Law 1978 France. Its Article 6(4) states regarding data handling that "appropriate steps shall be taken in order to delete and rectify data that are inaccurate and incomplete with regard to the purposes for which they are obtained and processed". east-tec DisposeSecure helps you comply with this regulation by securely erasing your hard drives, or any device connected to your computer that stores obsolete data, or data that is not allowed to be kept. Consequences of non-compliance include: 5 years imprisonment and/or a €300,000 fine.
- The Personal Information Protection Act (JPIPA) Japan. Its security control measures section states: "The Entity shall take necessary and appropriate measures to prevent the loss, destruction, damage, or unauthorized disclosure of the Personal Data and shall take other measures to ensure the secure management of Personal Data (Article 20). Such security control measures include organizational, personnel, physical, and technical security control measures". Under that requirement, data erasure is necessary, for instance, before the hardware that stores the data (PCs, USB media, etc.) is disposed of or changes hands. east-tec DisposeSecure helps you comply with this regulation by securely erasing your hard drives, or any device connected to your computer that stores obsolete data, or data that is not allowed to be kept. Consequences of non-compliance include: persons who violate the Act can face criminal penalties of up to six months in prison or a fine of up to ¥300,000.
- Privacy Act 1988 Australia. Its Information Privacy Principle 4 states that "personal information must be stored securely to prevent its loss or misuse". It is therefore the data controller's responsibility to ensure that personal information does not fall into unauthorized hands, for instance when the IT assets that store that data are disposed of or change hands. east-tec DisposeSecure helps you comply with this regulation by securely erasing your hard drives, or any external hard disk connected to your computer, that contains the data in question. Consequences of non-compliance include: civil legal action, damages of not less than $1,000 payable to the data subject, and attorney's fees.
- Personal Information Protection and Electronic Documents Act (PIPEDA) Canada states: "Protect personal information against loss or theft; safeguard the information from unauthorized access, disclosure, copying, use or modification". It is therefore the responsibility of the data controller to ensure that personal information does not fall into unauthorized hands, for instance when the IT assets that store the data in question are disposed of or change hands. east-tec DisposeSecure helps you comply with this regulation by securely erasing your hard drives, or any external hard disk connected to your computer. Consequences of non-compliance include: fines of up to $100,000 depending upon the severity of the breach or non-compliance.
- ISO 27001, ISO 15408, PCI DSS and European Union data protection directives require secure data removal. Secure data removal means unrecoverable erasure of data from hard drives, or from any media that contains personal data. east-tec DisposeSecure helps you comply with these standards and directives by erasing data stored on your hard drives, or on any hard disk connected to your computer, beyond recovery.
- WEEE Directive regulates the proper handling of electronic waste. east-tec DisposeSecure helps you comply with this directive, as sanitized (erased) hard drives are ready for reuse, supporting green recycling.