Who is impacted? U.S. Federal agencies and their vendors, subcontractors, states, and companies receiving federal funding.  Many states have also mandated National Institute of Standards and Technology (NIST) compliance. Key takeaways:
NIST Special Publications 800-53 (Security and Privacy Controls) and 800-88 (Guidelines for Media Sanitization) specifically outline proper data control and proper media sanitization:

  • Organizations must use a written media sanitization process to Review, Approve, Track, Document, and Verify the sanitization and disposal of all data-bearing media (NIST SP 800-53 MP-6(1), Media Sanitization | Review, Approve, Track, Document, and Verify)
  • Risk and compliance officers must adopt processes that assess and mitigate risk (NIST SP 800-30, Guide for Conducting Risk Assessments)
  • Data-bearing media should not leave the customer’s 4 walls (NIST SP 800-53 and SP 800-88 security controls)
    • If media leaves the customer’s 4 walls, the contractor must accept 100% liability for data security in a legally binding contract
    • OEMs specifically do not accept such liability in their contracts
    • Effectively, data must be destroyed within the 4 walls
  • Media sanitization cannot occur unless two technically qualified individuals conduct the task
    • (NIST SP 800-53 MP-6(7), Media Sanitization | Dual Authorization)
  • Maintain a written cybersecurity framework and work only with certified vendors
    • NIST SP 800-53 and ISO/IEC 27001 both require third-party vendors to be vetted and held to the organization’s security requirements
Penalties: Failure to comply with NIST requirements can result in loss of government funding and contracts.  Additionally, organizations are exposed to criminal liability, civil penalties, and contractual liability (breach of contract, False Claims Act claims, liquidated damages, termination for default, termination for convenience).

Who is impacted? Any organization or business that processes the personal data of people in Brazil, regardless of where that organization itself is located, is subject to the Brazilian General Data Protection Law (LGPD).  Key takeaways: LGPD is modeled on GDPR and implements many of the same requirements: organizations must always maintain and protect data and promptly report breaches. Additional LGPD mandates:

  • Organizations of any size must appoint a Data Protection Officer (encarregado) responsible for implementing best practices (LGPD Article 41)
  • Organizations must implement technical and administrative procedures to protect data from breach (LGPD Article 46)
  • Data must be destroyed within the four walls of an organization, as LGPD requires organizations to always maintain control of and protection for their data
  • Individuals have the right to request that their data be properly deleted (LGPD Article 18)
  • Organizations, businesses, and controllers of data must communicate and report a data breach to the national authority (ANPD) and to affected data subjects within a reasonable time period (LGPD Article 48)
Penalties: LGPD fines are up to 2% of the organization’s revenue in Brazil for the prior fiscal year, capped at R$50 million (roughly $13.5 million USD) per infraction (LGPD Article 52)

Who is impacted? The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020 and applies to for-profit businesses that collect personal information of California consumers and meet at least one threshold: annual gross revenue over $25 million; buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices; or deriving 50% or more of annual revenue from selling personal information.  Key takeaways: Similar to GDPR, the CCPA requires organizations to maintain control of data and to implement reasonable security procedures and practices. A compliant, recognized cybersecurity framework and data destruction process must be in place, and organizations must track all data under their control.  Penalties: Civil penalties are enforced by the California Attorney General at up to $2,500 per violation, or $7,500 per intentional violation, and scale with the number of consumers affected.  For example, a violation affecting 10,000 consumers could, if each is treated as an intentional violation, reach $75,000,000. CCPA goes a step further when it comes to legal liability: individuals whose non-encrypted, non-redacted personal information is breached because a business failed to implement reasonable security have a private right of action and can recover statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater.

Who is impacted? Any company that stores or processes personal data of individuals in the European Union must comply with GDPR, whether or not it has a presence in the EU.  Key takeaways: GDPR places a heavy emphasis on maintaining control of data and on being able to track and account for it: a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it (Article 33).  Additional GDPR mandates:

  • Organizations must institute risk-based processes and a cybersecurity framework that addresses secure data destruction (Article 32, security of processing)
  • Appoint a Data Protection Officer (DPO; required for public authorities and for organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data, Article 37) responsible for implementing secure processes
  • Data must be destroyed within the four walls of an organization, as GDPR holds the controller accountable for its data at all times, including when a processor handles it (Articles 5(2) and 28)
Penalties: Violations can result in fines of up to €20 million or 4% of an organization’s global annual turnover (whichever is greater) (Article 83).  

Understanding the New Regulatory Landscape

Considered the mother of all global privacy regulations, the General Data Protection Regulation (GDPR) was adopted by the European Union in 2016 and took effect on May 25, 2018, bringing sweeping reform, new requirements, and accountability for organizations and any data they process or acquire.  GDPR applies to any organization that handles the data of even one individual in the European Union and regulates all aspects of data handling, including the data destruction process.  Unlike previous regulations, GDPR has teeth: noncompliance, breaches, and media destruction violations result in hefty fines. 

GDPR was a seminal regulation and carries the highest profile of several similar data protection laws and regulations, including:

  • NIST: National Institute of Standards and Technology (Cybersecurity Framework requirements mandated for federal agencies via Presidential Executive Order 13800, May 11, 2017)
  • LGPD: Brazilian General Data Protection Law (enacted August 14, 2018; in force since September 18, 2020)
  • CCPA: California Consumer Privacy Act (effective January 1, 2020)
  • State laws: 35 U.S. States have enacted data privacy laws and/or require NIST CSF standards.  Nearly every state has data privacy at the forefront of its legislative process.
  • U.S.-based law: Already a topic of heavy discussion and congressional committee work; it is logical to assume a national data privacy law will be enacted in the near future
Each of these laws and regulations impacts an organization’s data destruction process, responsibilities, and liability, as outlined in the sections on each law.