It doesn’t matter whether you are a sole practitioner or a major healthcare provider: now more than ever you need to be extremely careful in managing patient information. Healthcare offices must not only protect patient information in its paper form; perhaps even more significantly, they are responsible for the electronic media that stores that information. Medical service organizations must maintain strict control over the vast amount of data stored on their computers, even after those systems are no longer in use. Simple mishandling of information has earned many medical professionals bad press.
Although HIPAA is the best known regulation in the healthcare industry, there are others. Most information is now held on electronic media (hard drives, magnetic tapes, etc.), and you must have systems in place to destroy this media once it is no longer in service. In addition, nearly all equipment in a medical facility contains electronics. These electronics, from a small desktop PC to a large mainframe computer or specialized lab equipment, contain material classified as hazardous, and precautions must be taken to safeguard disposal. The Resource Conservation and Recovery Act (RCRA) requires certain material to be disposed of in a specific manner.
Although computer data is assumed to be well protected while in use at the office, who is responsible for ensuring that the data is completely removed and/or destroyed when the computer system is upgraded and the old systems are removed from the work environment? Prevent legal repercussions: be forewarned and forearmed.
FINANCIAL
Hardly a day goes by without an article about the “accidental” disclosure of personal financial information. With the increase in identity and data theft, federal regulations have placed the burden on businesses holding private information to ensure that it is handled safely. Federal regulations such as the Gramm-Leach-Bliley Act (GLB), the Sarbanes-Oxley Act (SOX), FACTA, and others specifically require management systems to be in place to protect such confidential information. Penalties for violating these regulations can be severe. Safeguarding data includes the sanitation or destruction of “data containing” media (hard drives, magnetic tapes, etc.) after it is taken out of service. Media destruction and/or sanitation must be handled in a specific and documented manner.
In addition to safeguarding the data, the equipment within your company, ranging from copy machines, faxes and computers (PCs to mainframes and all ancillary equipment) to phone systems, printers, etc., is considered hazardous material and must be disposed of properly per the Resource Conservation and Recovery Act. Penalties and fines for GLB non-compliance are substantial. Fines levied for violations can be up to $100,000 per violation at the national level and can also expose the covered institutions, especially those in the insurance sector, to state-level sanctions. In addition, the officers and directors of these companies can be held personally liable for civil penalties of up to $10,000.
Prevent legal repercussions: be forewarned and forearmed. See our e-EndUSA Financial Chart HERE to get the most up to date information that may impact your financial organization. Don't forget to get a copy of our Documents in Danger checklist HERE as well.
RISK MANAGEMENT
Risk Managers have the responsibility to make sure that the organization they represent stays out of trouble. Whether you support a bank, a manufacturing company, a university, an energy organization, an association or a non-profit, many of the same issues apply when discussing IT technology and safeguarding private information.
Risk Managers set the tone for compliance within an organization and understand that there are consequences for not following the rules. And the rules are growing. There are now at least seven federal regulations that may apply to your IT disposal program. The actual number will vary with your business segment, but chances are you will need to comply with at least two different rules. And of course each regulation has its own set of fines and penalties, some of which actually hold upper management personally liable!
See our e-EndUSA Risk Management Chart HERE to get the most up to date information that may impact your type of organization. Don't forget to get a copy of our Documents in Danger checklist HERE as well.
INFORMATION TECHNOLOGY
Depending on which business segment you support, you may need to comply with one or more of 5 privacy/accountability acts. Most of these regulations address data security/privacy concerns, and one, Sarbanes-Oxley, is designed to enforce corporate accountability. As the gatekeeper of electronically stored data, the IT Manager must be aware of the regulations that apply and incorporate data protection procedures into the IT plan and budget.
Just having a tech wipe a hard drive with a software program does not constitute a judicious “end of life” electronics security system. Leaving large amounts of unused electronics stockpiled is tempting. However, most breaches are caused by employees and carelessness. Wise IT managers see the need to have third-party destruction companies verify proper elimination, which frees up staff to serve in-house clients.
See our e-EndUSA Information Technology Chart HERE to get the most up to date information that may impact your type of organization. Don't forget to get a copy of our Documents in Danger checklist HERE as well.
GOVERNMENT AGENCIES & DEFENSE CONTRACTORS
According to GovExec.com, the federal government purchases more than $60 billion worth of electronic equipment and services annually. For every new product that is purchased, an obsolete piece of equipment must be discarded. This staggering figure carries with it not only the burden of responsibly protecting the environment but also the need to guard highly sensitive data when disposing of obsolete electronics. Additionally, businesses providing services to the U.S. Department of Defense need to be particularly careful in regard to asset disposition. There are many Federal Acquisition Regulations (FARs) that need to be followed and a hierarchy of obstacles that must be overcome before actually disposing of equipment.
In addition to domestic regulations, defense contractor IT and Property Managers need to be aware of the restrictions regarding the export of government information and property. In the interest of national security, the export of such material is controlled by the International Traffic in Arms Regulations (ITAR).
Keep in mind that statistics show that approximately 75% of all U.S. computer equipment is exported for “recycling”. What countries are receiving this material? China, Thailand, Pakistan, Africa, the Philippines and many others. Can you risk your equipment, and data, being sent halfway around the world?
See our e-EndUSA Government Agencies & Defense Contractors Chart HERE to get the most up to date information that may impact your type of organization. Don't forget to get a copy of our Documents in Danger checklist HERE as well.
LAW FIRMS
Law firms and any other establishments that possess privileged, confidential or otherwise personal information are required to safeguard that data. Federal regulations such as FACTA, the Sarbanes-Oxley Act (SOX) and others have specific requirements relating to the protection of confidential data. Safeguarding means not only keeping the information confidential during its active use; you must guarantee it remains confidential at all times. This includes the sanitation or destruction of “data containing” media (hard drives, magnetic tapes, etc.) after it is taken out of service.
In addition to securing and sanitizing your data, the equipment within your company, ranging from copy machines, faxes and computers (PCs to mainframes and all ancillary equipment) to phone systems, printers, etc., is considered hazardous material and must be disposed of properly per the Resource Conservation and Recovery Act.
See our e-EndUSA Law Firm Chart HERE to get the most up to date information that may impact your firm's electronics handling. Also, our e-EndUSA Compliance Chart may help make your clients aware of potential liabilities. Don't forget to get a copy of our Documents in Danger checklist HERE as well.
COMMERCIAL/RETAIL/MANUFACTURING
Everyone operating a commercial operation is required to abide by federal privacy regulations. Whether you operate a manufacturing plant, a lawn service, a day care, a major retail chain, an auto dealership or an international hotel network, you hold consumer or reseller information that could be compromised. This includes customer data, employee and vendor records, and any other information that ANYONE may deem personal or confidential. These same regulations and others apply to manufacturing entities that produce electronics-related equipment, components or devices. The waste from the process (containing electronic components) must be treated as hazardous waste and disposed of in accordance with the RCRA.
Among the varied regulations affecting commercial companies, FACTA may be the most directly associated with your operation. FACTA requires "any person who maintains or otherwise possesses consumer information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The law's reach is also quite broad, affecting anyone "who maintains or otherwise possesses consumer information for a business purpose." This means you must protect your data. That includes the sanitation or destruction of “data containing” media after it is taken out of service. In addition to safeguarding the data, the equipment within your company, ranging from copy machines, faxes and computers (PCs to mainframes and all ancillary equipment) to phone systems, printers, etc., is considered hazardous material, and precautions must be taken to safeguard disposal per the Resource Conservation and Recovery Act.
See our e-EndUSA Commercial/Retail/Manufacturing Chart here to get the most up to date information that may impact your company. Don't forget to get a copy of our Documents in Danger checklist here as well.
EDUCATION
Educational institutions at all levels have a very specific responsibility to maintain the confidentiality of student records and other personal information, and must take precautionary measures to protect electronic data on obsolete or stockpiled equipment. Of the various federal regulations, the Family Educational Rights and Privacy Act (FERPA) is the most relevant. FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Even if you do not receive federal funds, other regulations require the safeguarding of all personal and confidential information, such as the little-known COPPA regulation, which governs the registration of underage students via the web. Specifically, safeguarding this data includes the sanitation or destruction of data-containing media (hard drives, magnetic tapes, etc.) after it is taken out of service. Obsolete electronics that are simply stored can enable unwarranted access and malicious data breaches.
Educational institutions generally possess a wide variety of electronic equipment to serve their campuses. This may include large numbers of personal computers (PCs), mainframe computers, office equipment of all types, lab equipment, phone systems, etc. When this equipment is taken out of service by replacement, it must be dealt with as hazardous waste. Specifically, the Resource Conservation and Recovery Act (RCRA) requires the careful and proper disposal of all of the above equipment.
See our e-EndUSA Educational Chart here to get the most up to date information that may impact your institution. Don't forget to get a copy of our Documents in Danger checklist here as well.