Is Your ITAD Strategy Breaking These Laws?

Businesses must comply with many different regulations in order to avoid penalties. The government regulates how businesses report income, treat employees, and of course, how they ensure their customers’ data is secure. It’s imperative that you comply with regulatory standards that govern data security in order to protect your customers, preserve your business’s reputation, and avoid financial penalties. Here are some of laws that you may need to comply with:

Health Insurance Portability and Accountability Act (HIPAA)

All businesses in the healthcare industry, including health providers, health insurance companies, and clearinghouses, must comply with the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulates how confidential data is destroyed, among many other things. Information that must be protected includes patients’ medical conditions, treatments, payment information, and contact information, which is typically stored on hard drives, servers, imaging equipment, and other devices.

To comply with HIPAA, healthcare companies must establish a number of administrative, physical, and technical safeguards to protect sensitive data. For example, healthcare companies need to carefully select which employees should have access to confidential information and prevent all other employees from illegally gaining access to it. Once it’s time to dispose of an asset with sensitive data, the data must be destroyed so it can no longer be read or recovered.  

Fair and Accurate Credit Transactions Act (FACTA)

Any business that stores credit card information, background checks, employee history reports, or credit reports must comply with the Fair and Accurate Credit Transactions Act (FACTA). Part of this legislation requires these businesses to go to great lengths to protect consumer information in order to reduce the number of identity theft incidents. 

Similar to HIPAA, FACTA requires businesses to destroy data so it can no longer be read or reconstructed. This can be done by overwriting the data multiple times and then exposing the media to a magnetic field, which is known as degaussing. Most businesses do not have the resources to handle this type of destruction on their own, which is why they turn to third party vendors. If you choose to work with a third party vendor, you must do due diligence to ensure the vendor properly destroys data in order to remain compliant with FACTA.

Payment Card Industry Data Security Standard (PCI-DSS)

The PCI-DSS, which was passed in response to the increasing number of credit card fraud cases, governs how businesses handle consumers’ credit card information. This piece of legislation has made a major impact on the credit card industry. In fact, the PCI-DSS is the reason why microchips were added to credit cards to replace the need to physically swipe the card. Industry experts believe the chips offer consumers more protection, which is why they are slowly being added to all credit cards.

To comply with the PCI-DSS, companies must store consumers’ credit card information on a secure network and encrypt the transmission of this data. Hackers are becoming more sophisticated, which is why the PCI-DSS requires businesses to continually monitor and test their networks to prevent unauthorized users from gaining access to sensitive data.

The PCI-DSS also governs the destruction of this data. To remain compliant, businesses must destroy data so it can no longer be read or reconstructed. In addition, they must also request some sort of proof that the data has been destroyed. ERI provides proof in the form of a certificate of destruction and a live video feed of the data being destroyed.

Federal Trade Act

The Federal Trade Act was established in 1914, back when cybersecurity and electronic data protection was not an issue. However, the law was designed to protect consumers and was written in fairly broad language. As a result, the Federal Trade Commission (FTC) uses its power under this law to protect consumer data from deceptive companies. For example, let’s say a consumer trusts a company with her personal information because the company says that it has policies in place to protect this data. But, the company does not have any policies in place to do. This is considered a deceptive practice that is prohibited under the Federal Trade Act.

To comply with the Federal Trade Act, businesses must make sure that they are being honest with consumers regarding their data. Do not promise to protect consumers’ data if you do not have the resources to do so, or you may face consequences for violating this law.

Gramm-Leach-Bliley Act (GBA)

Companies within the financial industry, including non-bank mortgage lenders, real estate appraisers, loan brokers, banks, debt collectors, and tax return preparers must all comply with the Gramm-Leach-Bliley Act (GBA). The GBA requires that these financial companies protect their customers’ data at all times, including while the data is being destroyed.

All electronic data should be destroyed so it can no longer be read or reconstructed. Financial institutions do not have to notify their customers when their data is being destroyed. This is because the bank is destroying data in order to prevent unauthorized access to the information, so the GBA does not ask that banks inform customers first.

Financial companies have the right to work with a third party vendor to destroy data, as long as they conduct due diligence first. Due diligence should include inquiring about the company’s various certifications, asking to review the company’s policies and procedures, taking a tour of the facility, and speaking with references.

To ensure you comply with regulations, work with a reputable e-waste recycler that has experience working with clients in your industry. ERI currently works with clients in the government, healthcare, banking, finance, telecommunications, technology, and other industries. For more information on recycling electronics, or to request a quote from ERI, contact us today.