Under the Disposal Rule, the FTC enforces data destruction and disposal standards. The Rule requires proper disposal of personally identifiable information (PII) on hard drives and other digital media. Under this approach, companies are held accountable for the consumer information they hold, which helps reduce the risk of data breaches and identity theft. From procurement to disposal, every source of risk should be characterized and addressed.
Another standard is the Fair Credit Reporting Act (FCRA), which requires credit-reporting companies not to furnish consumer data to unauthorized third parties. If there is a breach, the FTC could levy fines of up to $1000 for every affected individual. An FCRA lawsuit does not require proof of identity theft or out-of-pocket losses. Since weak data security practices can become liabilities for companies, it is critical to manage data security within the organization's information security management system and to follow the recommended procedures when disposing of hard drives, SSDs, and other digital media.
How to Be Compliant When Disposing of Data?
Earlier approaches, such as recouping residual value from retired hardware and disposing of confidential data with cheap and easy techniques, are no longer adequate. Since breaches and leaks have become daily occurrences, the public is demanding robust mechanisms for data and information security, and information security laws are designed to address these risks. Businesses are required to plan for data destruction as part of their information security management program. This includes procedures for the destruction of information residing on digital media and hardware.
- Destruction Method
Of all the techniques, including degaussing, erasing, and wiping, physical shredding is the most secure. Erasing is not only time consuming, it is also prone to errors and may leave residual data that can be recovered. Degaussing and wiping have their own limitations (degaussing, for example, has no effect on flash-based SSDs, and a wipe is only as good as the verification that every sector was actually overwritten).
- On-Site Destruction
For on-site data destruction, all materials must be fully destroyed on location. It is the responsibility of your compliance officer or management to perform the necessary due diligence on potential service providers and their capabilities. NAID AAA certified vendors are pre-vetted and certified for various lines of product and media destruction, which makes due diligence much easier. "An ounce of prevention is worth a pound of cure," as Ben Franklin put it. By doing your homework in advance, choosing a NAID AAA certified provider, and ensuring your IT disposal and compliance program is up to date, you give yourself the best opportunity to avoid unwanted fees, fines, or lawsuits stemming from non-compliance or negligence.
The data destruction vendor is required to perform its destruction activities on site, and management is responsible for conducting due diligence on service providers. Certified vendors can provide these services without surprises. Service providers may be certified by the National Association for Information Destruction (NAID) or an equivalent body. As the saying goes, prevention is better than cure: the best strategy to avoid an FTC audit or lawsuit is not only to review and upgrade the information security program but also to engage the services of an accredited disposal partner.
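The Destruction Method section above notes that software erasing may leave recoverable residual data. As an added example (not code from the original article or any vendor), here is a small Python check a compliance team could run against a drive image after a software wipe to flag blocks that were not overwritten; the sample image it builds is constructed here, and the single-byte fill value is an assumption.

```python
import os
import tempfile

CHUNK = 4096  # scan granularity; matches a typical sector-aligned block


def find_residual_regions(path, fill=b"\x00", chunk=CHUNK):
    """Scan an image or device file and return [(offset, length), ...] for
    every run of chunks that is not made up entirely of the single fill byte.
    An empty list means the whole image was overwritten as expected."""
    assert len(fill) == 1, "only a single-byte fill pattern is supported"
    residual = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            data = f.read(chunk)
            if not data:
                break
            if data != fill * len(data):
                # merge with the previous dirty region if it is adjacent
                if residual and residual[-1][0] + residual[-1][1] == offset:
                    start, length = residual[-1]
                    residual[-1] = (start, length + len(data))
                else:
                    residual.append((offset, len(data)))
            offset += len(data)
    return residual


def make_sample_image(size_bytes=64 * 1024, leftover_at=None):
    """Constructed sample: a zero-filled image, optionally with a PII-like
    record left behind at `leftover_at`, simulating an incomplete wipe."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size_bytes)
        if leftover_at is not None:
            f.seek(leftover_at)
            f.write(b"SSN=123-45-6789;NAME=JANE DOE")  # constructed value
    return path


if __name__ == "__main__":
    img = make_sample_image(leftover_at=8192 + 100)
    for start, length in find_residual_regions(img):
        print(f"residual data at offset {start} ({length} bytes)")
    os.remove(img)
```

Run it against a raw image taken after the wipe (or the device node itself, with appropriate privileges); any reported region is evidence the erase did not complete and the media should not leave the site.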