Under the Disposal Rule, the FTC enforces data destruction and disposal standards. The Rule requires proper disposal of personally identifiable information (PII) stored on hard drives and other digital media. Under this approach, companies are held accountable for the consumer information they hold, which could reduce the risk of data breaches and identity theft. From procurement through disposal, every source of risk should be identified and addressed.
Another standard is the Fair Credit Reporting Act (FCRA), which requires credit-reporting companies not to furnish consumer data to unauthorized third parties. If there is a breach, the FTC could levy fines of up to $1000 for every affected individual. An FCRA lawsuit does not require proof of identity theft or out-of-pocket losses. Since weak data security practices could become liabilities for companies, it is critical to manage data security as part of the organizational system and to follow the recommended procedures when disposing of hard drives, SSDs, and other digital media.
How to Be Compliant When Disposing of Data?
Previous approaches, such as recouping residual value and disposing of confidential data with cheap and easy techniques, are no longer adequate. Since breaches and leaks have become daily occurrences, the public is demanding robust mechanisms for data and information security, and information security laws are designed to address these risks. Businesses are required to plan for data destruction as part of their information security management program. This includes procedures for the destruction of information residing on digital media and hardware.
- Destruction Method
Of all the techniques, including degaussing, erasing, and wiping, physical shredding is the most secure. Erasing is not only time consuming, but it is also prone to errors and may allow recovery of some residual data. Similarly, degaussing and wiping have limitations.
- On-Site Destruction
The data destruction vendor is required to perform data destruction activities on site. Management is responsible for conducting due diligence on service providers. Certified vendors can provide these services without hiccups. Service providers can be certified by the National Association of Information Destruction (NAID) or an equivalent body. As the saying goes, prevention is better than cure, and the best strategy to avoid an FTC audit or lawsuit is not only to review and upgrade the information security program but also to engage the services of an accredited disposal partner.