Legal Implications of Improper Data Destruction

In today’s electronic and digital era, where so much of our personal and company information is stored on hard drives or CDs, information security should be a critical concern. According to the Bureau of Justice, in 2012 16.6 million Americans were victims of identity theft, with financial losses totaling $24.7 billion. A report by the Ponemon Institute revealed that data breaches cost businesses an average of $3.5 million, and that doesn’t include the loss of customers or reputation. Proton Data Security is committed to our clients’ security through integration of the latest technology into their machines.

Proper data destruction is critical to protecting sensitive company, employee, customer and public information and records. Several laws dictate standards for data destruction, and failure to follow them can lead to hefty fines or even jail time, in addition to the devastation of a possible data breach. HIPAA, FACTA and FISMA are a few of the major laws regulating data destruction. Understanding these laws and their implications is a good first step toward assuring that you and your company are in compliance with the relevant data destruction laws.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 was created in order to protect the privacy of patients’ medical records and other personal health information (PHI). According to the HHS, entities covered under HIPAA include health plans, health care clearinghouses and health care providers who handle certain transactions electronically. A university, for example, is required to follow HIPAA since it holds student medical records. Businesses that help to administer health plans may not realize they are a covered entity under HIPAA, but they are held to the same privacy standards regarding PHI as a hospital. HIPAA details the proper disposal of PHI on paper and electronic media. Degaussing before physical destruction is a critical step in the disposal of data on hard drives. Only a degaussed hard drive is truly erased of sensitive data.

In 2014, data breaches at New York Presbyterian Hospital and Columbia University resulted in combined fines of $4.8 million for HIPAA violations.

In June 2015, hard drives and other physical storage devices containing the emergency medical records of up to 100,000 people were stolen from the basement of the Lancaster County Administration Building. The investigation is ongoing, and thousands of people’s financial and health information was compromised due to unsecured and improperly destroyed records.

FACTA

The Fair and Accurate Credit Transactions Act of 2003’s mission is to protect consumers from identity theft. FACTA’s Disposal Rule went into effect on June 1, 2005, and applies to the disposal of consumer reports or information derived from these reports. The Federal Trade Commission’s press release on the Disposal Rule lists examples of the covered information: credit reports, credit scores, and reports businesses or individuals receive with information relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history. Every business in the United States must adhere to FACTA regulations.

Penalties for non-compliance with FACTA can include civil liability, class actions, and federal and state enforcement. The federal government can fine $2,500 for each individual violation, and the state can tack on an additional $1,000 fine for each violation. In 2008, American United Mortgage Company was fined $50,000 for improperly disposing of consumer data.

FISMA

The Federal Information Security Management Act of 2002 was passed in order to strengthen the security of government information and thereby protect the economic and national security interests of the country. The importance of information security is highlighted by the fact that FISMA passed the House and Senate unanimously. A key aspect of this security is proper data destruction. FISMA requires that all magnetic media be degaussed for disposal. The National Institutes of Health’s Media Sanitization Service describes why magnetic media must be degaussed:

“You may not realize it, but even erasing and reformatting a disk does not permanently remove the data stored on it. Magnetic media that cannot be erased using an approved repeated-overwrite operation must be degaussed to completely erase data prior to recycling, reusing, donating, or disposing of the storage media. For optical media, such as CDs and DVDs, destruction is the only safe bet.”

Why Degauss for Compliance?

Degaussing is the only way to truly erase magnetic media, as it erases the magnetic make-up of the hard drive. Proton Data Security is on the cutting edge of hard drive degaussing, continually improving our technology in order to keep our customers’ data secure and in compliance with government regulations. The NSA’s Storage Declassification Manual lists hard drive degaussing as the guidance for sanitizing magnetic tapes and magnetic disks. The magnetic strength, or coercivity as measured in Oersteds, of hard drives has increased over the years, and the degaussing strength required to erase them has grown too. The Proton 1100 has been tested for Perpendicular Magnetic Disk Storage Devices and can securely erase up to and including 5000 Oersteds, the current maximum capacity for solid state hard drives.

The coercivity of hard drives will only continue to increase in the coming years. Proton Data’s T-Series degaussers are strong enough not only to effectively degauss any hard drive currently on the market, but also those for years to come. The T-1.5 has a field strength of 15,000 Gauss, while the T-4 has a strength of 20,000 Gauss in each direction of a bi-directional field. Both provide compliance under HIPAA and FACTA.

Information security and proper data destruction are not only top priorities for the government; they should be every business’s prerogative. Understanding the laws regarding security and destruction, and how they apply to your company, is an important step on the path to keeping your data, employees and customers protected.
