Cascade has assembled links and general information related to U.S. based regulations and legislation that impact how electronics are disposed and personally identifiable information is destroyed. This list is not comprehensive and may or may not pertain to your line of work. Consult with your corporate counsel or risk management personnel for more infomation.
- Health Insurance Portabiity and Accountability Act (“HIPAA”): HIPAA, first enacted in April of 2003, impacts the health care industry and other companies that handle certain patient health data. It requires the development of security standards to protect the confidentiality of “individually identifiable health information.” The HIPAA Omnibus Rule (Jan., 2013) strengthened regulatory protections for Protected Health Information (“PHI”), increased penalties for HIPAA breaches, and expanded the concept of a HIPAA Business Associate.
- Payment Card Industry Data Security Standard (“PCI - DSS”): PCI-DDS are rules in place for merchants that handle consumer data from credit cards. The rules come from the PCI Security Standards Council, which was founded by the five leading global payment plans to unify data security standards.
- Fair and Accurate Credit Transactions Act (“FACTA”): FACTA, enacted in June or 2005, impacts anyone who handles the storage and disposal of certain “consumer information.” It requires any business that maintains or otherwise possesses consumer information to properly dispose of the information.
- Sarbanes-Oxley Act (“SOX”): SOX, enacted in June or 2002, was a response to the ENRON and WorldCom scandals. It mandates reforms to enhance corporate responsibility and accountability. Typically, public firms must now document auditable processes for information data security and the transfer of corporate IT assets as a result of SOX. In addition to the Securities and Exchange Commission website, there’s a SOX 101 guide that is useful.
- Gramm-Leach-Bliley Act (“Gramm-Leach”): Gramm-Leach, enacted in November of 1999,protects consumer personal financial data, requiring financial institutions (including banks, insurance and security firms, brokers, and tax preparers) to protect consumers’ personal financial information.
- Privacy of Consumer Financial Information (“Regulation S-P”): Regulation S-P, which became effective in November of 2000, requires financial firms(brokers, dealers, and investment advisers) that maintain or posses any consumer information that identifies individual consumers to properly dispose of the information by taking reasonable steps to protect against unauthorized access or use of the information in connection with its disposal.
- Other Laws: Many other privacy laws impact data breaches, depending on the type of data compromised: Drivers Privacy Protection Act, Information Security Management Act, Americans with Disabilities Act, Telecommunications Act.
For details on how to ensure your IT Asset Disposition program complies with these regulations, look at our sample IT Asset Security Policy or contact us for more details.