Privacy & Security Regulations

Cascade has assembled links and general information related to U.S.-based regulations and legislation that affect how electronics are disposed of and how personally identifiable information is destroyed. This list is not comprehensive and may or may not pertain to your line of work. Consult with your corporate counsel or risk management personnel for more information.

  1. General Data Protection Regulation ("GDPR"): The GDPR is a European regulation that takes effect on May 25, 2018. It is designed to protect the "Personal Data" of European Union citizens wherever they may be. Enforcement of the law is not limited to European companies, but can extend to any organization that holds in custody the private information of EU citizens. It covers all types of personal data, not only industry-specific data (which differs from the US approach to privacy protection; see below). The US-EU "Privacy Shield" governs how personal data are shared between the two continents, which is why US organizations need to respect GDPR rules.

  2. Health Insurance Portability and Accountability Act (“HIPAA”): HIPAA, first enacted in April of 2003, impacts the health care industry and other companies that handle certain patient health data. It requires the development of security standards to protect the confidentiality of “individually identifiable health information.” The HIPAA Omnibus Rule (Jan. 2013) strengthened regulatory protections for Protected Health Information (“PHI”), increased penalties for HIPAA breaches, and expanded the concept of a HIPAA Business Associate.

  3. Payment Card Industry Data Security Standard (“PCI-DSS”): PCI-DSS is a set of rules for merchants that handle consumer data from credit cards. The rules come from the PCI Security Standards Council, which was founded by the five leading global payment plans to unify data security standards.

  4. Fair and Accurate Credit Transactions Act (“FACTA”): FACTA, enacted in June of 2005, impacts anyone who handles the storage and disposal of certain “consumer information.” It requires any business that maintains or otherwise possesses consumer information to properly dispose of the information.

  5. Sarbanes-Oxley Act (“SOX”): SOX, enacted in June of 2002, was a response to the Enron and WorldCom scandals. It mandates reforms to enhance corporate responsibility and accountability. As a result of SOX, public firms typically must now document auditable processes for information data security and the transfer of corporate IT assets. In addition to the Securities and Exchange Commission website, there’s a SOX 101 guide that is useful.

  6. Gramm-Leach-Bliley Act (“Gramm-Leach”): Gramm-Leach, enacted in November of 1999, protects consumer personal financial data, requiring financial institutions (including banks, insurance and security firms, brokers, and tax preparers) to protect consumers’ personal financial information.

  7. Privacy of Consumer Financial Information (“Regulation S-P”): Regulation S-P, which became effective in November of 2000, requires financial firms (brokers, dealers, and investment advisers) that maintain or possess any consumer information that identifies individual consumers to properly dispose of the information by taking reasonable steps to protect against unauthorized access or use of the information in connection with its disposal.

  8. Other Laws: Many other privacy laws impact data breaches, depending on the type of data compromised: Driver's Privacy Protection Act, PIPEDA (Personal Information Protection and Electronic Documents Act), FERPA (Family Educational Rights and Privacy Act), Information Security Management Act, Americans with Disabilities Act, and the Telecommunications Act.

For details on how to ensure your IT Asset Disposition program complies with these regulations, consider the following best practices recommended by Cascade or contact us for more details.