
Data Security Regulations


There are many privacy regulations currently in effect, and more are likely to emerge in the future. These regulations require all enterprises to protect private data in all its forms, including electronic data. Improper handling of data can result in fines of up to $100,000 per violation, and officers and directors can be held personally responsible for civil penalties of up to $10,000.

Sims Recycling Solutions' experts can advise you on your exposure and can provide the necessary certificates of destruction to ensure you have proof of data destruction. When it comes to electronic data security, no other recycler in North America has the depth of experience and range of equipment of Sims Recycling Solutions.

Below are some of the key regulations to be aware of:

This Act governs health-related entities. One provision of the regulations is the Security Rule, which requires “covered entities” to:

  • Ensure the confidentiality, integrity and availability of all electronic protected health information (EPHI) … the covered entity creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • “Covered entities” include health care clearinghouses, employer-sponsored health plans, health insurers and medical services providers.

The Disposal Rule, effective June 1, 2005, is a federal law designed to minimize the risk of identity theft and consumer fraud by enforcing the proper destruction of consumer information. The Rule states, for “covered accounts”:

  • “Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.”
  • A covered account is any account for which there is a foreseeable risk of identity theft: credit cards, monthly billed accounts such as utility bills or cell phone bills, social security numbers, drivers’ license numbers, etc.
  • The Act covers a broad list of businesses, including financial institutions and “creditors” such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, telecoms companies, landlords, general employers and so on (anyone who operates “covered accounts”).

The Rule cites specific examples of accepted methods of destruction, including:

  • Burning, pulverizing, or shredding of physical documents
  • Erasure or destruction of electronic media
  • Entering into a contract with a third party engaged in the business of information destruction

This legislation also covers identity theft and focuses on the control of key identification documents such as driver’s licenses and social security numbers.

The GLBA establishes requirements for protecting the privacy of individual customers' financial information. If your business is a financial institution, you are subject to the GLBA Safeguards Rule. In addition to its enforcement authority under Section 5 of the FTC Act, "the Federal Trade Commission also has responsibility for enforcing its Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions under the FTC’s jurisdiction to develop and implement appropriate physical, technical, and procedural safeguards to protect customer information."

Financial institutions are “companies that offer financial products or services to individuals, like loans, financial or investment advice or insurance”, including:

  • Banks
  • Non-bank mortgage lenders
  • Financial or investment brokers
  • Insurance companies
  • Tax return preparers
  • Loan brokers
  • Real estate settlement service providers
  • Auto dealers that lease or finance
  • Debt collectors
  • Retailers that issue their own credit cards

This regulation is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Education records are directly related to the student and are maintained either by the school or by a party or organization acting on behalf of the school. Such records may include:

  • Written documents (including student advising folders);
  • Computer media;
  • Microfilm and microfiche;
  • Video or audio tapes or CDs;
  • Film;
  • Photographs.

This law requires federal agencies to develop, document and implement agency-wide information security programs. Covered agencies include:

  • EPA
  • FAA
  • Departments of Defense, Education, Transportation, Labor, Energy and so on.

The NIST SP 800-88 standard (Guidelines for Media Sanitization) comes out of work undertaken by NIST to enable federal agencies to meet their FISMA obligations.

SOX has peripheral involvement in data security to the extent that Section 302 requires the CEO and CFO to certify that the financial reports are true and accurate, and that adequate controls over financial reporting and disclosure are in place. Section 409 requires publicly traded companies to promptly report any changes in financial condition or reporting that might be material to investors. IT security is important under SOX only to the extent that it enhances the reliability and integrity of that reporting.

PIPEDA governs how private-sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents:

  • The law requires an organization to protect individuals’ personal information by taking appropriate security measures.

The implementation of PIPEDA occurred in three stages. Starting in 2001, the law applied to federally regulated industries (such as airlines, banking and broadcasting). In 2002 the law was expanded to include the health sector. Finally in 2004, any organization that collects personal information in the course of commercial activity was covered by PIPEDA, except in provinces that have "substantially similar" privacy laws. Four provincial privacy laws have been declared by the federal Governor in Council to be substantially similar to PIPEDA:

  • An Act Respecting the Protection of Personal Information in the Private Sector (Quebec)
  • The Personal Information Protection Act (British Columbia)
  • The Personal Information Protection Act (Alberta)
  • The Personal Health Information Protection Act (Ontario).