Compliance with Data Privacy Laws
Every business, healthcare organization and governmental agency has certain responsibilities regarding the privacy of personal information. Securely destroying that information on digital media is critical for compliance when disposing of computer equipment.
This is a growing concern for the government, and as a result, those who violate or ignore data privacy laws are finding themselves subject to increasing levels of investigation, enforcement, and penalties. It is extremely important that businesses understand how they are expected to destroy customer and patient PHI when it comes time to dispose of computer equipment.
The HIPAA Security Rule establishes national standards to protect individuals’ EPHI that is maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of EPHI.
NIST 800-88 provides guidance to assist organizations in making practical sanitization decisions based on the confidentiality of their information. Media sanitization refers to a process, such as hard drive shredding, that renders access to the data on digital media infeasible for a given level of effort.
The National Security Agency (NSA/CSS), the Department of Defense and the Defense Security Service dictate specifically how contractors must destroy digital media. All other organizations concerned with data destruction issue guidelines only.
The intent of the Payment Card Industry Data Security Standard (PCI-DSS) was to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR concern consent, collection and notification in the handling of consumer data.