4 Steps to Regulatory Compliance in IT Asset Disposition (ITAD)


Almost every corporate organization has to comply in some way with regulatory standards. The requirements vary by industry, but regulatory compliance is one of the major areas companies must consider when creating risk management policy. For those planning for risk in their company's IT processes, a major regulatory concern is data security. Regulatory standards generally place a high value on data security and penalize organizations that let sensitive data leak.

Regulatory standards that data security policy makers should consider in their ITAD policies include:

  • HIPAA/HITECH: The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act are federal healthcare industry regulations that, among other things, govern the security and privacy of healthcare data.
  • PCI DSS: To protect against identity theft and payment card fraud, the Payment Card Industry Data Security Standard requires information security compliance from organizations that store, process, or transmit credit card, debit card, and other payment card data.
  • SOX: The Sarbanes-Oxley Act of 2002 is a federal law that sets standards for public companies, their boards, and their management teams, including requirements for the integrity and retention of financial records.
  • FACTA: The Fair and Accurate Credit Transactions Act includes provisions meant to protect consumers from identity theft. Among them is the Disposal Rule, which requires the proper disposal of consumer information.
  • GLBA: The Gramm–Leach–Bliley Act established consumer privacy and data safeguarding rules for financial institutions such as banks and insurance companies.

Even without a data breach, an organization that is noncompliant with any of the regulations listed above is at risk of a failed audit and possible fines. To avoid that risk, it must have an airtight data destruction procedure backed by auditable records.

IT asset disposition (ITAD) and regulatory compliance

The method your company uses to dispose of its retired IT equipment – which can include recycling, remarketing, or a combination of the two – can be a hidden source of risk. Is your IT asset disposition (ITAD) program allowing sensitive data into the outside world? If it is, or you're not sure, your company may not be fully compliant with industry regulations.

The four steps to regulatory compliance in IT asset disposition are:

  1. Understand the implications of each industry regulation (five major ones are listed above) for asset disposition.
  2. Develop ITAD data security processes that are compliant with the regulations and document them.
  3. Make sure everyone who handles any part of the IT asset disposition process understands the process and its requirements.
  4. Be prepared to prove you have followed the compliant process if challenged in an audit.

Documentation is necessary. All the effort your team puts into compliance will be wasted if you can't show you've done the work. For IT asset disposition, that means being able to document the disposition and data erasure/destruction status of each piece of equipment, generally by serial number, with all the details required by your industry's regulations. In practice this means every retired serial number must map to exactly one verified sanitization record, and any gap, duplicate, or unexplained record is a finding an auditor will raise.
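The check an auditor actually performs on that documentation is a reconciliation: every retired serial number must have a sanitization record, the record must show a verified outcome using a method acceptable for that media type, and it must carry the details (who, when, which certificate) the policy requires. The following Python script is an added example and not part of the original post; the inventory, the log entries, the field names, and the table of accepted methods per media type are all constructed assumptions for illustration (the only real-world point baked in is that degaussing does not sanitize flash storage).

```python
"""Reconcile a retired-asset inventory against data sanitization records.

Added example (not from the original post). It checks the evidence the post
says an audit demands: one sanitization record per retired serial number,
with a verified outcome and the details an auditor asks for.
"""
from dataclasses import dataclass

# Constructed sample data. Field names, media types and the accepted-method
# table are assumptions for this example, not a regulatory mapping.
RETIRED_ASSETS = {
    "SN-0001": {"tag": "LT-1001", "media": "ssd"},
    "SN-0002": {"tag": "LT-1002", "media": "hdd"},
    "SN-0003": {"tag": "SV-2001", "media": "hdd"},
    "SN-0004": {"tag": "LT-1004", "media": "ssd"},
    "SN-0005": {"tag": "LT-1005", "media": "ssd"},
}

SANITIZATION_LOG = [
    {"serial": "SN-0001", "method": "crypto_erase", "verified": True,
     "technician": "jdoe", "date": "2024-03-01", "certificate_id": "CERT-1"},
    {"serial": "SN-0002", "method": "overwrite", "verified": False,    # outcome never verified
     "technician": "jdoe", "date": "2024-03-01", "certificate_id": "CERT-2"},
    {"serial": "SN-0003", "method": "shred", "verified": True,
     "technician": "asmith", "date": "2024-03-02", "certificate_id": "CERT-3"},
    {"serial": "SN-0003", "method": "shred", "verified": True,         # duplicate entry
     "technician": "asmith", "date": "2024-03-02", "certificate_id": "CERT-3"},
    {"serial": "SN-0005", "method": "degauss", "verified": True,       # degauss does nothing to flash
     "technician": "asmith", "date": "2024-03-02", "certificate_id": ""},
    {"serial": "SN-9999", "method": "shred", "verified": True,         # serial not in inventory
     "technician": "asmith", "date": "2024-03-02", "certificate_id": "CERT-9"},
]
# SN-0004 was retired but has no record at all.

# Which methods the (assumed) policy accepts for each media type. Degaussing
# only affects magnetic media, so it is not accepted for SSDs.
ACCEPTED_METHODS = {
    "hdd": {"overwrite", "degauss", "shred"},
    "ssd": {"crypto_erase", "overwrite", "shred"},
}
REQUIRED_FIELDS = ("technician", "date", "certificate_id")


@dataclass(frozen=True)
class Finding:
    serial: str
    code: str      # short machine-readable reason
    detail: str    # human-readable explanation for the report


def reconcile(assets, log):
    """Return a list of Findings; an empty list means every retired serial is covered."""
    findings = []
    by_serial = {}
    for rec in log:
        by_serial.setdefault(rec["serial"], []).append(rec)

    for serial, asset in assets.items():
        recs = by_serial.get(serial, [])
        if not recs:
            findings.append(Finding(serial, "missing_record", "retired asset has no sanitization record"))
            continue
        if len(recs) > 1:
            findings.append(Finding(serial, "duplicate_record", f"{len(recs)} records for one serial"))
        allowed = ACCEPTED_METHODS.get(asset["media"], set())
        for rec in recs:
            if rec["method"] not in allowed:
                findings.append(Finding(serial, "method_not_accepted",
                                        f"{rec['method']} is not accepted for {asset['media']}"))
            if not rec.get("verified"):
                findings.append(Finding(serial, "unverified", "sanitization outcome was not verified"))
            for name in REQUIRED_FIELDS:
                if not rec.get(name):
                    findings.append(Finding(serial, "missing_field", f"record lacks {name}"))

    # Records for serials the inventory does not know: either the inventory is
    # incomplete or the log is wrong. Either way an auditor will ask about it.
    for serial in by_serial:
        if serial not in assets:
            findings.append(Finding(serial, "orphan_record", "record for serial not in retired inventory"))
    return findings


def issues_by_serial(findings):
    """Group finding codes per serial so a report can be read line by line."""
    out = {}
    for f in findings:
        out.setdefault(f.serial, set()).add(f.code)
    return out


def is_audit_ready(assets, log):
    """True only when the reconciliation produces no findings at all."""
    return not reconcile(assets, log)


if __name__ == "__main__":
    for f in reconcile(RETIRED_ASSETS, SANITIZATION_LOG):
        print(f"{f.serial}: {f.code} ({f.detail})")
```

Run against the constructed data the script reports five serials with problems and none of them would pass an audit as-is; only SN-0001 is clean. The same structure works against a real CMDB export and a vendor's certificates of destruction, provided both key on the physical serial number rather than an internal asset tag that may be reassigned.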

How do you stack up?

Does your disposition process meet industry best practices and regulatory standards? An ITAD self-assessment can help identify and correct any gaps in your ITAD process.
