HDD, enterprise IT, compliance, risk management

HIPAA, SARBOX, PCI and the Alphabet Soup of Doom

Depending on the business you’re in, the indiscriminate disposal of old HDDs and other storage media can quickly rise from really bad idea to violation of the law.

Rare is the business today that isn’t subject to the rigors of regulatory compliance in some fashion. In addition to all of the other pressures of the working world — global economic uncertainty, rising costs, competition, disruption — most companies are under the gun to meet strict legal requirements that govern their particular industry.

Whether it’s the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) in healthcare, Sarbanes-Oxley (SARBOX) and Gramm-Leach-Bliley Act (GLBA) in finance, the Federal Information Security Management Act (FISMA) for government agencies or the Payment Card Industry Data Security Standard (PCI DSS) for retailers, a broad swath of businesses both large and small are now answerable and accountable to a higher authority.

Since most industry regulations involve security, consumer protection and fair trade practices, the common mistake is to assume they are only a concern for core IT services like networking, data center administration, IT change management and the like. But woven within the reams of legal language that make up the most prevalent business regulations are myriad specific references to the proper handling, archiving and destruction of digital records.

That makes compliance a key issue for managers charged with the decommissioning and disposal of IT infrastructure equipment, particularly those that include storage media assets like hard disk drives containing sensitive and regulated information.

Take HIPAA, which has strict security standards and calls for very specific administrative, physical and technical safeguards for digitized patient medical records. The rules cover every layer of health care from clerks, nurses and doctors in clinics to insurers to third-party billing firms. The requirements have profound consequences for any healthcare CIO or IT services partner dealing with IT asset lifecycles. Are all devices being physically protected as they move in and out of service? Is stored data being encrypted in transit and at rest? Are audit logs of storage assets being maintained? Are all hard drives properly handled and wiped clean when a device is taken out of service?

Answer no to any of these questions, and the organization risks being out of compliance with a federal law that carries significant financial penalties, even for transgressions that seem small.

Similarly, SARBOX, GLBA and FISMA include provisions for document security that cover the storage of electronic financial records and the personal information of customers and investors. CIOs for banks, investment firms and insurance carriers must maintain strong data storage policies and produce detailed audit trails of documents and storage media when IT assets are removed from service and targeted for disposition.

If all of this sounds like arcana limited to a few vertical industries, consider the ubiquitous PCI DSS rules, which govern credit card transactions. PCI DSS is a contractual standard enforced by the card brands rather than a statute, but its reach is broad: every company doing business in the U.S. that accepts credit cards as payment, along with all of the supply-chain and operational partners that process and store transaction data, must safeguard that information and ensure it never falls into the wrong hands. According to the U.S. Department of Commerce, that’s more than 715,000 organizations in just over 1 million locations all under the gun to stay compliant.

And for that legion of businesses, compliance includes diligent tracking of IT storage media lifecycles in servers, PCs, laptops, mobile devices and a host of retail-specific peripherals like point-of-sales (POS) devices and specialized printers.

It’s clear that enterprise IT leaders who ignore the regulatory compliance ramifications of the storage media in the devices under their control do so at their peril, leaving their organizations at risk for sanction, heavy fines or worse.

Steering clear of the legal liability associated with improper handling of critical stored data requires due diligence in every phase of the disposition process. When considering the real value of a trusted ITAD partner, the significance of staying on the right side of the law is hard to overstate.