The data privacy regulatory tsunami has arrived.
Data Destruction on End-point Devices in the Age of Data Privacy
In the current digital and cloud-based world, the value of data has skyrocketed.
Organizations, companies, and governments collect and use vast amounts of personal data and analytics as primary guides for making important decisions.
Unfortunately, personal data and critical proprietary data have become a sort of currency on the open market, black market, and specifically the dark web.
As cyber-attacks and data breaches have increased, governments and regulatory bodies have responded. In recent years data privacy laws and regulations have proliferated on the local, national, and global levels in response to these threats.
Understanding the new regulatory landscape
Considered the mother of all global privacy regulations, the General Data Protection Regulation (GDPR) was introduced by the European Union in 2018, and with it came sweeping reform, new requirements, and accountability for organizations and any data they process or acquire. GDPR applies to any organization that handles even one European Union citizen’s data and regulates all aspects of data handling, including the data destruction process. Unlike previous regulations, GDPR has teeth: noncompliance, breaches, and media destruction violations result in hefty fines.
As outlined in the following list, each of these data protection laws and regulations affects an organization’s data destruction process, responsibilities, and liability.
GDPR: The General Data Protection Regulation was a seminal regulation and carries the highest profile of the similar data protection laws and regulations listed here.
LGPD: Brazilian General Data Protection Law (effective July 8, 2019).
State Laws: 35 U.S. states have enacted data privacy laws and/or require NIST CSF standards. Nearly every state has data privacy at the forefront of its legislative process.
NIST: National Institute of Standards and Technology (Cybersecurity Framework requirements mandated via Presidential Executive Order 13800, May 11, 2017).
CCPA: California Consumer Privacy Act (effective January 1, 2020).
U.S. Federal Law: Already a topic of heavy discussion and congressional committee work, so it is logical to assume a national data privacy law will be enacted in the near future.
Exposure to large monetary fines
The regulatory tsunami has made it clear that compliant data destruction processes are not optional, and failure to comply creates exposure to large monetary fines.
Fines and legal liability are no longer hypothetical. GDPR and CCPA regulators have wasted no time in exercising their legal authority to punish organizations that fall out of compliance.
GDPR violations: These can result in fines of up to $20 million U.S. dollars or 4% of an organization’s global annual revenue, whichever is greater.
CCPA fines: These fines, issued by the California Attorney General, can be massive ($7,500 per breached record). For example, under CCPA, if an organization experiences a breach or violation and 10,000 consumers are affected, the fine could be $75,000,000.
GDPR violations have resulted in hefty fines being levied against some of the world’s largest organizations including:
Marriott: $130 million (July 2019)
British Airways: $230 million (July 2019)
Google: $62 million (January 2019)
Austrian Post: $20 million (January 2019)
Deutsche Wohnen SE: $15 million (October 2019)
In addition to monetary fines, CCPA violators face additional liability.
CCPA gives individuals the standing and the right to bring civil action against an organization if that organization does not maintain ‘reasonable security’ procedures. Barely a month after CCPA went into effect, the first lawsuit citing CCPA in the relief sought was filed. On February 3, 2020, a class action lawsuit was filed in the U.S. District Court for the Northern District of California naming Hanna Andersson and Salesforce as defendants (Barnes v. Hanna Andersson, LLC). If successful, the plaintiffs will be entitled to a devastating amount of money.
Data destruction in the new world
There is no single body of law that governs all aspects of data privacy and data destruction. Organizations must look to the various laws and regulations that bear on this process and ensure they have a compliant process in place.
Like pieces of a puzzle, organizations must fit together the various bodies of laws and regulations to understand their obligations in this new environment.
When the various laws and regulations that make up the regulatory tsunami are analyzed together, the foundation of a compliant data destruction process comes to light.
Requirements and their regulatory sources
Always maintain control of data.
Institute risk-averse processes and a Cybersecurity Framework: EO 13800, NIST, CCPA, LGPD
Ensure third-party certification: EO 13800, NIST, CCPA
Track, Contain, Dispose, Document, Verify: EO 13800, NIST, CCPA
Media sanitization dual authorization (sanitizer and verifier): EO 13800, NIST
Destroy within the four walls: GDPR, EO 13800, NIST, CCPA, LGPD
Consequences: Fines, bad press and even job loss
In addition to large fines, organizations that are breached or found to be in violation of data privacy regulations inevitably suffer bad press and end up trending on social media for the wrong reasons. Making international headlines for a data breach is a public relations nightmare that no organization wants to endure. Many breaches are preventable, as they are the result of non-compliant data destruction and security processes.
Two recent examples, given below, illustrate this point.
The regulatory tsunami has made it clear: compliant data destruction processes are not optional, and failure to comply brings enormous consequences.
These laws are in place to protect critical data from the many threats facing it today. Every organization must bring its processes up to date by prioritizing data protection and security over recouping the ever-declining value of retired data bearing devices and IT assets. The potential for fines and damage to brand reputation outweighs the inherent risk involved with remarketing IT assets without secure data destruction.
Data breaches often bring an additional negative consequence: job loss. According to a recent study (Kaspersky Lab, 2018), 32% of all data breaches result in the termination of a C-level executive, president, or CEO.
#1) Washington State University
In April 2019, Washington State University learned a costly lesson after a hard drive containing the personal information of more than a million people was stolen from a self-storage locker. WSU agreed to pay up to $4.7 million in cash reimbursements, attorneys’ fees, victim credit monitoring, and administrative expenses.
Source: Seattle Times, April 2019
#2) Facebook
In November of 2019, the personal banking information for thousands of Facebook employees was stolen. The data breach reportedly occurred when someone stole multiple unencrypted physical hard drives from a Facebook payroll staffer’s car.
Source: Bloomberg, Nov. 2019
Future-Proof.
The Tear-A-Byte® data destruction process provides comprehensive protection, including the following:
- It uses a multi-layered defense to counter collusion and satisfies the data destruction component of the required Cybersecurity Framework.
- It employs smart RFID technology for full and perpetual tracking of assets. A secure, cloud-based customer portal provides on-demand reports (full audit trail, certificates of destruction, and environmental reports).
- It operates entirely onsite, within the ‘four walls’ of a facility, so the data never leaves the organization’s control.
- Two System Engineers sanitize the data and verify that it has been destroyed (dual authorization).
- It employs a secure, cloud-based Customer Inventory Management Portal as a robust global inventory and asset tracking system.
- The e-waste from destroyed data-bearing devices is recycled only at ISO 14001 recycling facilities and follows a strict Zero Landfill Policy.
- The process is supported by a foundation of five ISO standards (27001, 31000, 9001, 14001, 45001).
Meeting new requirements
To meet the requirements of the regulatory tsunami and to eliminate the risk of breaches resulting from stolen or mismanaged data-bearing devices, organizations must work with the right partner and employ the best solution. That partner is TechR2, and the solution is its patented Tear-A-Byte process. The groundbreaking Tear-A-Byte process for data destruction is both a product and a service that Tracks, Contains, Destroys, and Verifies data on data-bearing devices when they fail or are decommissioned, protecting organizations from breaches, the aforementioned backbreaking fines, civil and criminal liability, and damage to the brand.
Why risk it alone?
Get started today.
We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.
Your benefits:
- Client-oriented
- Independent
- Competent
- Results-driven
- Problem-solving
- Transparent
What happens next?
- Schedule a call at your convenience
- We do a discovery and consulting meeting
- We prepare a proposal