Information assets possess large volumes of confidential data and protecting this data is imperative.
Tough regulations, the high cost of data breaches and the risk of data leaks mean that proper steps must be taken
to ensure the complete and secure disposal of sensitive information.
A host of strict industry standards and government regulations have forced organizations to take adequate steps to mitigate the risk of
unauthorized exposure of confidential corporate data. Organisations must have a gapless audit trail as evidence of the steps taken to
prevent data leaks. Failure to comply could result in financial loss, irreparable damage to a company’s reputation, as well as civil and
criminal liability. A data breach of any kind could be devastating to a company.
Possible penalties for non-compliance
||Gramm Leach Bliley
||Health Insurance Portability and Accountability Act
||Fair and Accurate Credit Transaction Act
||Financial Service Modernization Act
||Public Company Accounting Reform and Investor Protection Act
|Directors and officers
Penalty per violation
||Up to $10 000
||Up to $1 000 000
Penalty per violation
|Up to $250 000
||Up to $100 000
||Up to $5 000 000
|Years in prison
||Up to 10 years
||Up to 5 years
||Up to 20 years
Data protection Legislation Around the World
||Data Protection Legislation
||Penalties for Data Breach
||UK Data Protection Act 1998
||Information Commissioner’s Office
||Up to £500 000 for a data breach
||On April 6, 2010 the fine for a data breach was increased from £5000 to up to £500 000
||Federal Data Protection Act 2001
||Federal Data Protection Commissioner
||Up to $50000 for formalities and up to $300 000 for more serious violations
||In September 2009, fines increased from $25000 to $50000 for formalities and from $250000 to $300000 for more serious violations
||Personal Data Act 1998
||Data Inspection Board
||The Personal Data Act 1998 enables the commission to levy a fine on any controller who breaches the law. In more serious cases, imprisonment is a possibility (imprisonment of at most six months or, if the offence is grave, to imprisonment of at most two years).
||Data Protection Law 1978
||Commission Nationale de l' Informatique et des Libertes (CNIL)
||Fines, imprisonment, publishing the information of the case in newspapers or other publications (for which the sanctioned person must pay), ceasing processing operations and removing the controller's authorisation to process.
||Ammended in August 2004 relating to the Protection of Data Subjects regarding the Processing of Personal Data.
||The Personal Information Protection Act (JPIPA)
||300,000 yen maximum + a few thousand yen compensation for each personal record OR maximum 6 months jail time.
||In 2009, the guideline stated the necessity of ONSITE data erasure for all magnetic media. It is now STRONGLY RECOMMENDED for major companies to wipe hard drive onsite with Professional Software or hardware with at least 1 time or multiple passes.
||Privacy Act 1988
||Federal Privacy Commissioner
||The main punishment is fines. In some circumstances, imprisonment can be used e.g.,failure to attend a hearing before the commissioner or failure to make an affirmation when required to do so, giving false information, failure to give information
||Amended in 2000 to cover the private sector (previously it only applied to Australian Government and Australian Capital Territory agencies or private sector organisations contracted to these governments).
||Personal Information Protection and Electronic Documents Act (PIPEDA)
||Privacy Commissioner of Canada
||Commissioner may audit the personal information management practices of the organization; and and make recommendations to the Federal Court in respect of damages. In addition, a person is liable under PIPEDA to a fine of up to $10,000 (per incident) on a summary
||In 2004, any organization that collects personal information in the course of commercial activity was covered by PIPEDA, except in provinces that have "substantially similar" privacy laws.
Identity theft is the fastest growing crime and the awareness of the risks associated with data leaks is slowly growing.
A carelessly discarded hard drive or USB stick could contain confidential data such as credit card details, social security numbers,
bank details or employee information. The unauthorized exposure of this data could easily result in identity theft.
Millions of people were victims of identity theft worldwide in 2006 alone. In order to protect your identity, it is imperative that data is
disposed of in a safe and secure manner.
- According to the FTC (Federal Trade Commission) in the USA, identity theft was the top consumer complaint in 2006 for the seventh year running
- Identity theft accounted for 36% of the 674 354 complaints filed with the agency in 2006.
- According to the Home Office Identity Fraud Steering Committee, it is estimated that more than 100 000 people are affected by identity theft in the UK each year.
- The latest estimate is that identity fraud costs the British economy over £1,7 billion.
Rapid technological change and the short lifespan of IT assets, has articulated the need to permanently destroy data on retired equipment.
The popularity of removable media such as USB drives has grown exponentially resulting in the alarming rise in data leaks through these
devices, further heightening the need to properly dispose of electronic data.
- A study conducted by British Telecommunications (BT), the University of Glamorgan in Wales and Edith Cowen University in Australia revealed
in August 2006 that a significant number of disks purchased at computer auctions, computer fairs or online from the UK, Australia, North America and Germany still contained commercial and individual data. The information recovered included payroll information, employee names and photos, business emails and sensitive personal information.
- The BBC’s Real Story documentary revealed in 2006 that bank account details of potentially thousands of Britons were being sold in West Africa for less than £20. Sensitive information was contained on the hard drives of PCs exported to Nigeria. This was due to the lack of steps taken to ensure that the hard drives were completely free of all data before being resold.
Did you know
- Identity theft is the top consumer complaint in the USA according to the Federal Trade Commission.
- US consumers reported fraud loss totalling more than $1.1 billion in 2006.
- Credit card fraud (25%) was the most common form of reported identity theft in the US in 2006.
- More than 100 000 people are affected by identity theft each year in the UK
- According to Privacy Rights Clearinghouse, more than 350 data loss incidents involving more than 140 million records have occurred since February 2005
- Organisations are obliged by law to take take adequate steps to ensure the proper disposal of data
- A research conducted by Ponemon Institute in 2006 showed that data breaches cost companies an average of $182 per compromised record, a 31% increase over 2005
- Unauthorized exposure of corporate data could result in negative publicity, loss in consumer confidence, hefty fines or expensive lawsuits
- The second-hand PC market is a haven for information thieves who seek to retrieve and exploit data from improperly cleaned hard drives
- The Environmental Agency has stated that about 23 000 tons of electronic waste, the equivalent of about 750 000 computers is flooding out of the UK and into the developing world every year