Every industry has its own regulatory policy regarding data protection. Finance has the Gramm-Leach-Bliley Act, health care must follow Health Insurance Portability and Accountability Act guidelines and the Sarbanes-Oxley Act applies to any corporation with an accountant.
But what happens when you don’t follow these mandates, whether it be by accident or on purpose? Data breaches have become a costly expense on a company’s budget, and the financial consequences of non-compliance just add to the mess that’s created when personal or confidential information is leaked.
Financial institutions are no strangers to regulatory bodies watching their every move, but data protection isn’t always at the top of everyone’s minds. In retrospect, it really should be. Banks and investment firms have access to everything from Social Security numbers to bank accounts and then some. If you gave a hacker 15 minutes on a laptop at one of the larger firms, they’d come away with millions in stolen information.
The GLBA was instituted for this very reason – to protect the consumer. Failure to do so results in fines levied against the institution, as well as directors and officers. Here’s how it all breaks down:
- Senior executives: Fined $10,000 each per violation.
- Institution: $100,000 per violation.
- Sentence: Five to 12 years in prison.
- Individual: $1,000,000 civil fine.
- Institution: Civil fine totaling 1 percent of assets.
- FDIC insurance is terminated.
- Operations given a cease and desist order.
As is clear, non-compliance within the GLBA can carry some hefty consequences. A simple data breach doesn’t have to be malicious in nature – not every attack is the result of a successful phishing attempt or ransomware. Sometimes it’s as simple as an employee tossing a company computer in the garbage without wiping the hard drive first. In that scenario, anyone and everyone could have access to the information that is stored on there.
As health care moves into a new digital realm of patient and doctor interaction, confidentiality is put at a premium. It shouldn’t come as a surprise, then, that a data breach at a medical organization is the last thing any governing body – or patient – wants.
HIPAA has mandates in place to ensure that computers and any other type of electronic device that once stored personal information are recycled securely. This means completely erasing all of the data that was stored on them, or else being held accountable for these consequences:
- Institution: Fined $50,000 to $250,000 per violation.
- Sentence: One to 10 years in prison.
- Individual: $25,000 civil fine.
Most HIPAA violations have been accidental, as in the case of NHS Surrey. The Guardian reported that this organization lost 3,000 patient records after the data destruction company it hired failed to securely recycle the computers. That one oversight resulted in a £200,000 fine.
The SOX Act applies to financial management and accounting firms. Its measures require not only complete safety of all personal information pertaining to clients, but also regular audits and checks in place to ensure employees are doing their due diligence in protecting the information, according to Vormetric.
While GLBA is often the most notable data protection reference when it comes to finance, SOX carries some of the heaviest fines for any instance of non-compliance:
- Senior executives: Fined $1,000,000 per violation.
- Institution: $5,000,000 per violation.
- Sentence: 20 years in prison.
Data protection is no laughing matter, and SOX makes sure of it by coming down hard on any organization that, by accident or on purpose, loses confidential information to the public.
How to stay compliant
It’s likely that every IT expert has heard of degaussing, but without buy-in from executives it’s difficult to implement for compliance purposes. Degaussing is the only data erasure method approved by the National Security Agency and Department of Defense.
“Degaussers help a company stay compliant.”
Degaussers demagnetize magnetic media such as hard disk drives and tapes, rendering them completely unreadable. This is the method an effective data destruction company will use, but it will also charge a premium for doing so. Fortunately, degaussers are now commonplace and an organization of any size can invest in one. After degaussing, the best practice is to crush the device to ensure that absolutely no fragments can be read by a hacker.
Cyberattacks often make the news for how malicious they are in nature, but leaving an old company computer in the trash and having it breached is a less common story. This is why so many organizations are unaware their standard methods of electronic disposal are non-compliant. The penalties that can be levied, though, could essentially shut down a business that doesn’t have much room in the budget for mistakes.
Stay compliant with some of the world’s most important data protection laws by degaussing any old computers or hard disk drives that need to be thrown away. This will ensure your company and its consumers’ information will be safe.