Data Destruction Standards & Compliance

Co-presented by:
- Adam Ball, CSDS, Operations Manager, Stevens & Stevens Business Records Management, Inc.
- Chris Parker, V.P. Operations
International Data Protection Laws
- Australia – The Federal Privacy Act of 1988
- Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)
- European Union – The General Data Protection Regulation of 2016
- Hong Kong – The Personal Data Ordinance and the Personal Data Bill
- Japan – The Act on the Protection of Personal Information (APPI) of 2003
- Mexico – The Federal Law on the Protection of Personal Data
- New Zealand – The Privacy Act (1993)
- Singapore – The Personal Data Protection Act (2012)
- South Africa – The Protection of Personal Information Act (2013)
Data Protection Regulations
Currently, the United States has no overarching regulation protecting non-public personal information. Instead, numerous sector-specific regulations (healthcare, financial, legal, consumer credit) each impose their own requirements for protecting personal information.
Basis of Data Protection
1. Privacy
   - Hippocratic Oath
   - Fourth Amendment of the US Constitution
2. Intellectual Property
   - The protection of proprietary trade information
   - The defense of regional economic security
3. National Security
U.S. Data Protection Timeline
- The Social Security Act of 1934
- The Privacy Act of 1974
- HIPAA – The Health Insurance Portability and Accountability Act
  - Enacted August 21, 1996
  - Rules:
    - Privacy Rule
    - Transactions and Code Sets Rule
    - Security Rule
    - Unique Identifiers Rule
    - Enforcement Rule
U.S. Data Protection Timeline
- The Financial Services Modernization Act of 1999
  - Enacted November 12, 1999
  - Applies to ALL financial institutions
  - Widely known as the Gramm-Leach-Bliley Act (GLBA)
  - Federal agencies – GLB rulemaking & enforcement
  - The Safeguards Rule
- The Fair and Accurate Credit Transactions Act (FACTA) 2003
  - The Red Flag Rules (RFR)
  - FACTA Final Disposal Rule (FDR)
- The Economic Espionage Act of 1996 (EEA)
U.S. Data Protection Timeline
- HITECH – The Health Information Technology for Economic and Clinical Health Act
  - Passed into law on February 17, 2009
  - Non-compliance penalties increased from $25,000 per year to $1.5 million per year
  - Three categories of violations were introduced:
    1. Unknowing
    2. Reasonable Diligence
    3. Willful Neglect
HIPAA Provisions
Provisions on the prevention of unauthorized access to PHI:
- Written Policies and Procedures*
- Designation of Organizational Compliance Accountability*
- Employee Training*
- Business Associate Selection Due Diligence**
- Execution of Business Associate Agreements**
- PHI Data Security Breach Notification Compliance**
- Periodic Risk Assessments*

* Apply equally to Covered Entities and Business Associates
** Vary slightly in application to Covered Entities and Business Associates
Costly Settlements Due to Improper PHI Disposal
- CVS – January 2009 – $2.25 million
- Massachusetts' South Shore Hospital – May 2012 – $750k
- Affinity Health Plan – August 2013 – $1.2 million
- US Supreme Court ruling – Greenwood v California, 1988
Identity Theft
- Every year the IRS prepares a list of tax scams
- Identity fraud occurs every two seconds
- Identity theft is the #1 consumer complaint
- The medical sector has more identity theft than any other industry
- Children's identities can be stolen before they have credit
Identity Theft
- Thieves use social media to find personal information
- Your smartphone is vulnerable
- Javelin Strategy & Research Study 2016:
  - More identity fraud victims – less stolen
  - EMV drives doubling of new account fraud
  - Consumer choices negatively impacting fraud detection
  - US consumer data being used for fraud internationally
Types of Media
- Paper & microforms
- Networking devices (routers & switches)
- Mobile devices
- Office equipment (faxes, copiers, printers, MFPs)
- Legacy magnetic media (floppies, disks, reels, ATA hard drives, SCSI drives)
- External drives
- Optical media (CD, DVD)
- Flash memory (USB)
- RAM & ROM based storage devices
Early Methods of Destruction
Destruction Today
Sanitization Standards
- DoD 5220.22-M is a software-based data sanitization method used in various file shredder and data destruction programs to overwrite existing information on a hard drive or other storage device. DoD requires a combination of wiping, degaussing and/or physical destruction.
- NIST 800-88: over the past several years, the National Institute of Standards and Technology's (NIST) Special Publication 800-88, Guidelines for Media Sanitization, has become the real-world reference for data erasure compliance.
NIST 800-88 Sanitization Standards
The intent of the NIST document is to provide meaningful guidelines for sanitizing electronic media. The document does not provide requirements, standards or specifications.
Sanitization methods:
- Clear
- Purge
- Destroy
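As an added illustration (not part of the presentation) of what the software-based overwrite described above actually does, the Python below runs the commonly cited DoD 5220.22-M three-pass sequence (a fixed byte, its complement, then random data) over a constructed stand-in for a drive and then performs the read-back verification that NIST 800-88 expects after any Clear-level sanitization. The sample records, file-based "device" and seeded random pass are assumptions for the demo; a real tool would operate on the block device itself.

```python
import os
import random
import tempfile

BLOCK = 4096  # write/verify granularity

def make_sample_media(size=1 << 16):
    """Constructed stand-in for a drive: a temp file holding fake records."""
    fd, path = tempfile.mkstemp()
    record = b"PATIENT 0001 DOB 01/01/1970 ID 000-00-0000\n"  # fake data
    with os.fdopen(fd, "wb") as f:
        f.write((record * (size // len(record) + 1))[:size])
    return path

def _chunks(size, fill, seed):
    """Yield the expected bytes of each block: a fixed byte, or seeded random."""
    rng = random.Random(seed)  # seeded so the pass can be regenerated for verification
    for off in range(0, size, BLOCK):
        n = min(BLOCK, size - off)
        yield rng.randbytes(n) if fill is None else bytes([fill]) * n

def overwrite_pass(path, fill, seed=None):
    """Write one full pass over the medium; fill=None means random data."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for chunk in _chunks(size, fill, seed):
            f.write(chunk)
        f.flush()
        os.fsync(f.fileno())  # force the write past the OS cache

def verify_pass(path, fill, seed=None):
    """Read the whole medium back and compare it to the pattern just written."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        return all(f.read(len(exp)) == exp for exp in _chunks(size, fill, seed))

def dod_three_pass(path, seed=None):
    """Byte, complement, random, then verify the final pass. Returns True on success."""
    if seed is None:
        seed = int.from_bytes(os.urandom(8), "big")
    overwrite_pass(path, 0x00)
    overwrite_pass(path, 0xFF)
    overwrite_pass(path, None, seed)
    return verify_pass(path, None, seed)

def contains(path, needle):
    """Check whether the original content is still readable from the medium."""
    with open(path, "rb") as f:
        return needle in f.read()

def discard_media(path):
    os.remove(path)
```

Overwriting is a Clear-level technique for magnetic media; on flash and SSDs, wear levelling and spare blocks can leave data the host cannot address, which is why NIST 800-88 distinguishes Purge and Destroy for such devices.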
NAID – National Association for Information Destruction
- The international trade association for companies providing information destruction services around the globe
- NAID's mission is to promote the information destruction industry and the standards and ethics of its member companies
- NAID AAA Certification
- CSDS Accreditation
NAID AAA Certification Criteria
- Employee requirements
- Operational security
- Company assurances
- Endorsements & the destruction process
Endorsements & the Destruction Process
- Paper or printed media
  - Continuous shred – 5/8" maximum
  - Cross cut or pierce & tear – 3/4" wide x 2.5" long
  - Pulverizer/hammermill – 2" diameter holes
- Micro media
  - Particle size of 1/8" or less
- Hard drives
  - Company has a written and verifiable process for the physical destruction
  - Serial # tracking
QUESTIONS?
Contact info:
- Adam Ball, CSDS – aball@ssbrm.com – (727) 573-3900
- Chris Parker – cparker@ssbrm.com