The IBM Security Cost Of A Data Breach Report 2020 states that the global average cost of a data breach is $3.68 million. For the US, this average is $8.64 million. These are significant costs - but the damage to reputation and consumer trust that comes with data breaches is far greater.
It’s incredibly important to sanitize devices and disposition them appropriately. In fact, data disposal is subject to many stringent and punitive laws around the world. In this blog, we’ll cover the US and UK data protection and disposal laws, as well as the potential consequences of any breaches.
US Data Protection Laws
Hard drives can store multiple types of data including personal, sensitive or otherwise proprietary information. In many cases, they’ll store what is defined as Personally Identifiable Information (PII) - a regulated data type consisting of information such as mailing or email addresses, phone numbers, IP addresses, geolocation, biometric data and even social security numbers.
Careless disposal of PII is subject to harsh legal penalties in many countries. Similarly, companies who do not have regimented processes for the retirement of technology and the resident data are also at risk of a loss of reputation, trust and revenue.
In the United States, there are several major laws that businesses need to remain aware of:
Privacy Act of 1974
The Privacy Act of 1974 holds certain stipulations for the rights and restrictions on data when it is held by government agencies. It governs collection, maintenance, use and dissemination. Essentially, US federal workers must not wilfully disclose information to anyone not entitled to receive it.
The Fair and Accurate Credit Transactions Act (FACTA)
This law was passed in 2003 and its purpose is to enhance customer protections, mainly those that protect against identity theft. While it meant that the amount of PII required from customers increased, it also gave more protection to that PII when gathered.
Penalties for violations of FACTA vary, but wilful violations could amount to penalties within the billions.
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Modernization Act, this law was passed in 1999. It requires US companies to explain how they share and protect personal information and protects financial non-public personal information (NPI). Amongst other specifics, it means that businesses apply special protections to private data in accordance with an information security plan.
Punishments for GLBA non-compliance, once proven, are severe. Individuals found in violation face fines of $10,000 for each violation discovered. Organizations face $100,000 for each violation.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA came into force in 1966 and covers information regarding health status, care or payment, setting standards for covered parties and business associates. It only applies to protected health information (PHI).
Any organisations that house this kind of data must protect it - during use or disposal. Jail terms are likely and restitution may also need to be paid to affected individuals. However, the penalties brought forth depend on whether the breach was carried out with intent or not and the degree of negligence involved.
California Consumer Privacy Act (CCPA)
At least 35 states implement their own laws regarding data protection and the CCPA is a well-known one. It has actually influenced other states to create similar laws, which have been implemented in areas such as Maryland, Rhode Island and Massachusetts among others.
Passed in early 2020, the CCPA actually incorporates the foundational principles of GDPR, mirroring its focus on data protection and privacy requirements. Penalties for violations of the CCPA vary, with fines of $2,500 for individual breaches and $7,500 for wilful individual breaches.
Similarly, both the Federal Trade Commission (FTC) and the Health Insurance Portability and Accountability Act (HIPAA) also requires the proper disposition of information.
There is currently no federal-level general consumer data privacy law. As each state operates with its own laws, businesses need to research the specific regulations that apply to them.
For example, in New York, the jurisdiction operates with the ‘New York Consolidated Laws, General Business Law - GBS § 399-h. Disposal of records containing personal identifying information’ regulations. These state all parties should take action in either destroying data or modifying it to make it unreadable. Variations of this regulation exist across much of the US.
For more information on specific laws, you can visit the Blancco brief that details each state’s approach to data disposal laws.
UK Data Protection Laws and GDPR Disposal of Data
In the UK and Europe, GDPR laws apply to the handling of personal and sensitive data. Organizations are required to comply with all GDPR stipulations.
GDPR or General Data Protection Regulations, gives citizens and consumers a number of rights relating to their personal data. For example, GDPR provides the right to access and delete data, alongside being able to opt-out of data processing at any time. It’s a wide-reaching set of regulations and applies to anyone in the world that processes data that originates or is related to people in the EU. To gain a more in-depth understanding on GDPR, read our white paper here.
Large fines can be levied against organisations who fail to adequately protect protected data and fall foul of their GDPR obligations. These fines can be up to 20 million euros or 4% of the total annual revenue of the preceding financial year, whichever is greater. Specific protection for children is provided.
The UK, in particular, will still be subject to GDPR after the Brexit transition period. However, it will have “the independence to keep the framework under review.” However, businesses in the UK also have to work in compliance with the following:
Privacy and Electronic Communications Regulations (PECR)
Derived from European law, these regulations provide specific privacy rights in relation to electronic communications such as hacking personal data on PCs or mobile telephony.
PECR complements GDPR in its more specific focus, recognising that widespread public connectivity, supplied by things like the internet and mobile networks opens up both new possibilities and new risks to end-users.
Violating PECR can bring a variety of punishments. In non-severe cases, it can simply be warnings. However, the maximum fine for breaching PECR is £500,000.
The key thing to remember, however, is that due to their proximity, violating PECR also means you may have violated GDPR. This kind of action can carry fines of up to £20 million or two percent of annual turnover - whichever is higher.
Data Protection Act
The Data Protection Act is the UK’s direct implementation of GDPR. It stipulates that data is not to be used by unauthorized persons and must be eradicated before any data bearing devices leave the EU, alongside other requirements about data use, mainly that data is:
- Used for explicit purposes
- Used fairly
- “handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage”
As the Data Protection Act is part of GDPR enforcement, organisations who breach regulations can be fined up to £20 million or two percent of annual turnover.
Computer Misuse Act
Originally introduced in 1990, the Computer Misuse Act secures computer material against unauthorized access or modification. It also includes regulations that make it an offense to adapt or supply any article which is "likely to be used to commit, or to assist in the commission of, [a hacking or unauthorized modification] offense". Breaches can result in fines of no set limit and up to 14 years imprisonment.
Regulation of Investigatory Powers Act (RIPA)
Introduced in 2000, RIPA makes it an offense to intercept any communication “intentionally and without lawful authority”.
While many businesses focus on remaining compliant with GDPR, they can miss out on what to do with the management of end-of-life data, particularly how it applies to the destruction of data, which is also covered under the scope of GDPR.
Data destruction or sanitation in the UK has to comply with the 2018 Data Protection Act. It recognizes data destruction isn't as straightforward as with physical records because data can potentially still exist in some other digital location.
The Information Commissioner’s Office (ICO - the UK’s independent regulatory body that deals with GDPR and the Data Protection Act) believes in some cases it is impractical to fully destroy data. This may be because its destruction poses risks to other data. In other cases, deletion may have been carried out, but the data may still be present in another part of a system that is inaccessible to most.
Therefore, the ICO is satisfied if the information is ‘put beyond use’, meaning the party who holds the data:
- Can't use the personal data after deletion in any way that may affect the individual the data is related to.
- Doesn’t provide other parties with access to the data.
- Secures the data behind the appropriate digital security.
- Fully and permanently deletes the data if and when that avenue becomes available.
You can find more information from the ICO on deleting personal data here.
Consequences of Improper Disposal
The consequences of improper disposition could be severe.
For those in the US, any improper data disposal means you could violate the HIPAA requirements, FACTA or the Sarbanes-Oxley Act, which will result in penalties. For example, the maximum fine for an act of HIPAA non-compliance is $1.5 million per year.
On top of fines, any breach may also result in civil lawsuits from those affected whose data may have been lost. The expenses caused by these lawsuits are impossible to accurately predict other than the obvious fact any instance would likely be multi-million dollar litigation.
For organizations in breach of GDPR, there’s the potential for fines up to €20,000,000 or 4% of global turnover, whichever is larger. Administrative fines can also be levied against companies in breach as non-compliance penalties.
Reputational and Financial Risk
A permanent consequence of improper data disposition could be losing consumer trust or a real hit to stock prices, alongside any potential fines an organisation might face. For example, according the IBM’s 2020 Cost of a Data Breach report, the average business cost for breaches was $3.86million. The most commonly exposed data type was PII, representing 80% of cases.
In the case of data disposal, improper disposition means your business is more likely to suffer from the kind of breach that could end up hitting you with severe fines and stock plunges - simply because of negligence.
Data Destruction, Sanitization and Asset Disposition
If you’re curious about data protection and the proper destruction, sanitization and your IT asset disposition in order to remain compliant with data protection laws you may be subject to, get in touch with TES today.
TES has broad expertise in the data regulatory arena around the world and we can advise on the best practices when it comes to making sure your data is safe - even at the end of its life.
About the author
Gary Griffiths MBA, TES Global Director Quality Environment Safety & Security
Gary maintains compliant best practice standards throughout the growing TES group and has advised the UK Government, EC, UN and others on e-waste disposal, reuse and recycling. With three decades IT reuse and recycling experience, Gary admits to talking rubbish for a living.