The information on this page is not meant to provide legal advice, but rather create general awareness of compliance issues that may apply to data destruction.
Virtually every organization has a requirement to properly dispose of electronic data and many organizations do not even realize that they fall under one or more international, national, or state laws. For example, the US Fair Credit Reporting Act (“FCRA”), despite its name, applies to employment background checks as well. Another example is a website privacy statement -- failure to properly dispose of personal information collected from the website may constitute deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the Federal Trade Commission Act.
The regulatory landscape is complex regarding data security and privacy requirements. Some Federal laws preempt state laws, while others do not; some Federal laws carve out exceptions if an entity is covered by another statute, while others do not. Most regulations are not explicit as to the specific data destruction requirements, but rather imply them due to the requirement to prevent unauthorized access to protected information.
However, the common thread for data destruction requirements in the United States, as well as many other countries, is one of “reasonableness.” The generally accepted approach to data destruction is to use reasonable efforts to render media practicably unreadable or unreconstructible. “Reasonable” may depend on many factors, but the general trend by regulatory agencies is to raise the reasonableness threshold for data security and the due diligence requirements for organizations to evaluate their service providers.
For example, the Federal Trade Commission's Disposal Rule (“Disposal Rule”) requires proper disposal of information in consumer reports and records to protect against “unauthorized access to or use of the information.” The rule applies to consumer reports or information derived from consumer reports. The Disposal Rule requires disposal practices that are “reasonable and appropriate to prevent the unauthorized access to – or use of – information in a consumer report.”
The FTC provides guidance as to the reasonable measures for the destruction of electronic consumer report information that include establishing and complying with specific policies to:
- destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed;
- conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
- reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
- obtaining information about the disposal company from several references;
- requiring that the disposal company be certified by a recognized trade association;
- reviewing and evaluating the disposal company’s information security policies or procedures.
Note that no method of data destruction is specified. The National Institute of Standards and Technology (NIST) published NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization (NIST SP 800-88 R1), to provide guidance on data destruction methods and media sanitization, certainly one of the key elements in preventing unauthorized access to data.
However, as explained by NIST:
“In order for organizations to have appropriate controls of the information they are responsible for safeguarding, they must properly secure used media. SP 800-88 Revision 1 recommends processes to guide media sanitization decision making regardless of the type of media in use. To effectively use this guide, organizations and individuals should focus on the information that may have been stored on the media, rather than focusing on the media itself. The document also includes guidelines and recommendations on methods for sanitizing different types of media...”
The method of data destruction is one key element required for compliance with applicable regulations, but it is the processes related to risk assessment, planning, security, control, chain of custody, and reporting that an organization and its service provider follow that achieve compliance with applicable regulations. Most data security and privacy frameworks go beyond being just compliance tools and take a risk-based approach. The European Union General Data Privacy Regulation (GDPR) even imposes a duty to carry out a data privacy impact assessment (DPIA) where data processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. Accordingly, any service provider that relies solely on the data destruction method to claim compliance with major regulations is in error.
For example, IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, outlines the requirements and guidelines for external agencies and other authorized recipients of Federal Tax Information (FTI) material to establish procedures to ensure the adequate protection of the FTI data they receive. Additionally, the IRS follows the guidance set forth in NIST SP 800-88 R1 for media sanitization and destruction.
However, when a service provider is used to meet IRS requirements for the protection of FTI, the emphasis is on the security and controls of that provider, including auditing of the service provider. The IRS has accepted the National Association for Information Destruction (NAID) certification as demonstrating the necessary processes and procedures with respect to data disposal of FTI:
“If the agency has legal authority to disclose FTI to a disposal contractor and chooses one that is National Association for Information Destruction (NAID) certified, the agency will not be required to complete an internal inspection every 18 months of that facility. However, it must maintain a copy of, and periodically validate the NAID certification.”
National Regulations
Although the United States has no comprehensive data privacy and information protection law, there are numerous intertwined and overlapping specialized requirements for data security and protection of privacy and sensitive information. Some of these are set by Federal statutes, while others are set by Non-Governmental Organizations (NGOs) such as the PCI Security Standards Council. Additionally, many NGOs, trade groups, and quasi-government agencies in the 16 critical infrastructure sectors identified by the Department of Homeland Security have express cybersecurity and data disposition requirements, such as the North American Electric Reliability Council's CIP-011-2 (Cyber Security - Information Protection) standard.
A sample of significant regulations that have data destruction requirements, either express or implied, is given in the following table.
| Regulation | Covered Data |
|---|---|
| Family Educational Rights and Privacy Act (FERPA) | Student Education Records |
| IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies | Federal Tax Information (FTI) |
| Federal Information Security Management Act (FISMA) | Federal Agency Information |
| Fair and Accurate Credit Transactions Act (FACTA) | Personally Identifiable Information (PII) |
| Gramm-Leach-Bliley Act (GLBA) | Non-Public Personal Financial Information |
| Health Insurance Portability and Accountability Act (HIPAA) & Health Information Technology for Economic and Clinical Health Act (HITECH) | Electronic Personal Health Information (ePHI) |
| Payment Card Industry Data Security Standard (PCI DSS) | Personally Identifiable Information (PII) |
Many of these regulations intersect and sometimes overlap. Consider a university that receives Federal research grants, maintains a student loan program, has a student health clinic that staff can use as well, and the other typical operations of an educational institution – that university may be subject to FISMA, FERPA, HIPAA, GLBA, PCI DSS, and FACTA.
Also, the FTC states that financial institutions that are subject to both the Disposal Rule and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule should incorporate practices dealing with the proper disposal of consumer information into the information security program that the Safeguards Rule requires.
State Data Destruction Laws
At least 31 states and Puerto Rico have enacted laws that require entities to destroy, dispose of, or otherwise make personal information in electronic form unreadable or undecipherable.
Typically, state laws require a covered organization to take reasonable measures to safeguard against unauthorized access to personal information in connection with or after its disposal.
For example, North Carolina provides a description of required reasonable measures applicable to electronic media destruction:
- Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed
- Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity
The North Carolina law allows businesses to subcontract with record destruction businesses after due diligence that requires an independent audit of the business’ operations, reviewing references and requiring independent certification of the business and/or personally evaluating “the competency and integrity of the disposal business.”
Most states with data disposal laws follow a similar model to that of North Carolina. However, California has a stricter standard, requiring the data destruction process “to make it unreadable or undecipherable through any means.”
As compiled by the National Council of State Legislatures, the following states and Puerto Rico have some form of electronic data disposal requirements:
Global Perspective
There has been a great deal of focus and discussion on the European Union General Data Privacy Regulation (GDPR) which sets guidelines for the collection and processing of personal data of individuals within the European Union. This sweeping legislation imposes legal responsibility on companies, including those based in the United States, to comply with the comprehensive EU privacy requirements of the GDPR.
Fines for violations of GDPR are based on a company’s worldwide revenues, making sanctions significant enough to attract the attention of any company doing business in the EU, especially since its applicability includes companies with assets and employees in the EU, those who sell to individuals in the EU, and those that have data stored within the EU.
Although the focus has been on the GDPR, over 100 countries have enacted privacy laws that apply to companies doing business within their borders and with their citizens.
Conclusion
While the compliance landscape is complex, ultimately NAID certification and strict adherence to its requirements ensure compliance with the data destruction requirements and the required processes, procedures, and controls needed for information protection under all current applicable laws and regulations.
ERI is the first and only company in the world currently holding NAID, R2, and e-Stewards certifications. ERI has the largest dedicated compliance team in our industry to ensure clients remain in compliance for data destruction, now and in a constantly evolving future regulatory landscape.