How to Achieve Regulatory Compliance for IT Asset Disposal in 4 Steps

Regulatory standards exist to protect consumers and to ensure a level playing field for business. As such, most regulatory standards place a heavy emphasis on process: not just doing the right thing, but planning a process and putting it in place to ensure the right thing gets done every time, with the documentation to prove it. This approach should apply to all of a company's compliance initiatives, but it is especially critical for the IT asset disposal process. Before it can reach final disposition, any given piece of IT equipment may undergo a journey that involves multiple people, procedures, and locations: from identification and collection, to storage, to data destruction, to packing and shipping, to remarketing or recycling. Trying to enforce compliance throughout such a complicated process with a piecemeal approach is difficult at best.

We recommend a four-step approach to regulatory compliance:

  1. Understand the implications of each industry regulation for IT asset disposal. We’ll discuss some of the most common regulations below.
  2. Develop IT asset disposal data security processes that are compliant with the regulations and document them.
  3. Make sure everyone who contributes to the IT asset disposal process understands the process and requirements.
  4. Be prepared to prove you have followed the compliant process if challenged in an audit.

Regulatory Standards and Data Destruction

Some of the most common data-security-related regulatory standards with which American businesses must comply include:

  • HIPAA/HITECH: The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act are federal healthcare industry regulations that, among other things, govern the security and privacy of healthcare data.
  • PCI-DSS: The Payment Card Industry Data Security Standard requires information security compliance from organizations that process credit cards, debit cards, and other types of payment cards.
  • SOX: The Sarbanes-Oxley Act of 2012 is a federal law that sets standards for public companies, their boards, and their management teams.
  • FACTA: The Fair and Accurate Credit Transactions Act was passed to protect consumers from identity theft. Its requirements include the proper disposal of consumer information.
  • GLB: The Gramm-Leach-Bliley Act applies to financial institutions like banks and insurance companies and includes provisions for protecting consumer privacy.

From a compliance standpoint, protecting sensitive data from falling into the wrong hands is the highest priority of the IT asset disposal process. This sensitive data could include customer financial information like credit card numbers, employee social security numbers, health records, company trade secrets, and anything else that could infringe upon someone’s right to privacy or be used maliciously if the wrong people got a hold of it. When IT equipment reaches the end of its lifecycle with a company, the process must ensure that sensitive information is destroyed.

Compliant Data Destruction Processes

There are three different ways to destroy the data stored on retired IT equipment: physical destruction, degaussing, or sanitization (wiping). But achieving a compliant data destruction process involves more than choosing one of those methods. Procedures should be in place to ensure assets don't inadvertently pass through the IT asset disposal process without their data being destroyed. This could happen, for example, when your team is in charge of the data destruction and a laptop gets placed in the wrong pile, or a tech gets called away to another task before completing data destruction on a set of equipment. Documentation is very important, too, so that compliance can be demonstrated during an audit.
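One way to make the control above concrete is a chain-of-custody ledger that tracks every asset through the disposal stages and refuses to let a data-bearing device be shipped, remarketed or recycled until a per-asset destruction record (method, technician and a second-person verifier) has been attached. The example below is added here as an illustration and is not code from the article or from any ITAD vendor; the stage names, the asset tags, and the people named are constructed sample values. It also produces the audit evidence that step 4 of the article calls for.

```python
"""Chain-of-custody ledger for retired IT assets (added illustration, not the article's code).

An asset moves through stages; a release stage (shipped, remarketed, recycled) is
refused for any data-bearing asset without a destruction record. audit_gaps() flags
devices that have gone past storage without one, and audit_report() is the evidence
an auditor would ask for. All stage names, tags and names are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Stages loosely follow the journey the article describes (assumed names).
STAGES = {"identified", "collected", "stored", "data_destroyed",
          "packed", "shipped", "remarketed", "recycled"}
# Once an asset leaves custody there is no second chance to destroy its data.
RELEASE_STAGES = {"shipped", "remarketed", "recycled"}
# The three methods the article names.
DESTRUCTION_METHODS = {"physical", "degauss", "wipe"}


class ComplianceError(Exception):
    """Raised when a transition would violate the data-destruction control."""


@dataclass
class DestructionRecord:
    method: str
    technician: str      # who performed the destruction
    verified_by: str     # second person who confirmed completion (not the technician)
    timestamp: str


@dataclass
class Asset:
    tag: str
    kind: str
    has_storage: bool = True        # monitors, keyboards etc. carry no data
    stage: str = "identified"
    destruction: Optional[DestructionRecord] = None
    history: list = field(default_factory=list)   # (timestamp, from, to, actor)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyLedger:
    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}

    def register(self, tag: str, kind: str, has_storage: bool = True) -> Asset:
        if tag in self.assets:
            raise ValueError(f"{tag} already registered")
        asset = Asset(tag=tag, kind=kind, has_storage=has_storage)
        self.assets[tag] = asset
        return asset

    def advance(self, tag: str, new_stage: str, actor: str) -> Asset:
        """Move an asset to a new stage; release is refused without a destruction record."""
        if new_stage not in STAGES:
            raise ValueError(f"unknown stage {new_stage!r}")
        asset = self.assets[tag]
        if new_stage in RELEASE_STAGES and asset.has_storage and asset.destruction is None:
            # A laptop in the wrong pile, or a half-finished batch, is stopped here.
            raise ComplianceError(f"{tag}: cannot move to {new_stage} without a data-destruction record")
        asset.history.append((_now(), asset.stage, new_stage, actor))
        asset.stage = new_stage
        return asset

    def record_destruction(self, tag: str, method: str, technician: str, verified_by: str) -> DestructionRecord:
        """Attach a per-asset destruction record; requires a known method and a second-person check."""
        if method not in DESTRUCTION_METHODS:
            raise ValueError(f"unknown destruction method {method!r}")
        if technician == verified_by:
            raise ComplianceError(f"{tag}: verification must be done by someone other than the technician")
        asset = self.assets[tag]
        if not asset.has_storage:
            raise ValueError(f"{tag} has no storage media to destroy")
        asset.destruction = DestructionRecord(method, technician, verified_by, _now())
        self.advance(tag, "data_destroyed", technician)
        return asset.destruction

    def audit_gaps(self) -> list[str]:
        """Tags of data-bearing assets that have moved past storage with no destruction record."""
        past_storage = STAGES - {"identified", "collected", "stored"}
        return sorted(a.tag for a in self.assets.values()
                      if a.has_storage and a.destruction is None and a.stage in past_storage)

    def audit_report(self) -> list[dict]:
        """Audit evidence: one row per asset with stage, destruction details and custody trail length."""
        rows = []
        for a in self.assets.values():
            d = a.destruction
            rows.append({"tag": a.tag, "kind": a.kind, "stage": a.stage,
                         "destruction_method": d.method if d else None,
                         "verified_by": d.verified_by if d else None,
                         "custody_events": len(a.history)})
        return rows


if __name__ == "__main__":
    ledger = CustodyLedger()
    ledger.register("LT-0001", "laptop")
    ledger.register("MON-0001", "monitor", has_storage=False)
    ledger.advance("LT-0001", "collected", actor="alice")
    try:
        ledger.advance("LT-0001", "shipped", actor="bob")   # wrong pile: blocked
    except ComplianceError as e:
        print("blocked:", e)
    ledger.record_destruction("LT-0001", "wipe", technician="carol", verified_by="dave")
    ledger.advance("LT-0001", "shipped", actor="bob")
    ledger.advance("MON-0001", "recycled", actor="bob")     # no media, no record needed
    for row in ledger.audit_report():
        print(row)
```

The two design choices worth noting are that the destruction record is per asset rather than per batch, so a technician called away mid-batch leaves the unfinished devices visibly blocked, and that the verifier must be a different person from the technician, which is the documentation an auditor can actually check.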

IT asset disposal providers that have been certified by leading industry organizations like the National Association for Information Destruction (NAID) have strict controls in place for handling equipment, destroying data with up-to-date methods, and documenting the process. These are usually the most reliable data destruction vendors with which to partner when compliance is an objective.

How do you stack up?

Does your disposition process meet industry best practices and regulatory standards? Download this free ITAD Self-Assessment guide to help identify and correct any gaps in your ITAD process.
