New data protection laws in California and New York are part of a national trend that will fundamentally change the way businesses handle personal information, according to a NAID leader.
“The sea change is that however these things end up, they are putting the data subject – or the data owner, the individual – in charge of their information,” Bob Johnson, CEO of the National Association for Information Destruction (NAID), said in an interview. “At its core, that’s a difference for businesses and for service providers and it’s going to mean big changes over time.”
New York Gov. Andrew Cuomo on July 25 signed into law Senate Bill S5575B, called the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. Both the SHIELD Act and an earlier California bill require businesses to put added scrutiny on their recycling vendors. The new legal requirements could also help compliant e-scrap recycling vendors land more clients.
“Change and opportunity always go together,” Johnson said.
New York’s new law
The SHIELD Act requires businesses to have and maintain reasonable safeguards to protect the security, confidentiality and integrity of private information, “including, but not limited to, disposal of data.” It requires businesses to implement reasonable administrative, technical and physical safeguards on data, including taking steps to ensure data is secure when it’s being transported to and handled by data destruction vendors. If the business is a type already covered by specific other data protection laws, such as Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, it’s considered in compliance with the SHIELD Act requirements.Importantly, the SHIELD Act applies to all companies that hold the private information of a New York State resident, not just organizations that do business in the state. The National Law Review provides more information on the law, which takes effect March 21, 2020.
Nationwide processor ERI issued a press release on the SHIELD Act on Aug. 27 pointing to a nationwide trend and emphasizing the importance of data protection during recycling.
“Corporations are being scrutinized more than ever before for their management of digital data,” John Shegerian, ERI’s co-founder and executive chairman, stated in the release. “With the increases in liability, there is a huge storm of problems on the horizon for corporations if data is not sufficiently protected from hackers and cybercriminals as well. We can and should anticipate similar regulatory trends to become established nationwide in the very near future.”
Learn more in person
Bob Johnson, CEO of the National Association for Information Destruction (NAID), will take the stage twice at this year’s E-Scrap Conference and Trade Show, held Sept. 23-25 in Orlando, Fla. He will speak during a Tuesday session titled “The Latest on e-Stewards” and will moderate a Wednesday session titled “ITAD Deep Dive: Data Security.” Go to the conference website to learn more and register.
‘New era in privacy and data security’
New York’s law came one year after Jerry Brown, who was governor of California at the time, signed into law Assembly Bill 375, the California Consumer Privacy Act (CCPA). Both laws are the U.S. dominos falling after the European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, Johnson said. New Jersey and a number of other states are now considering similar legislation. NAID on Wednesday, Sept. 11, published a blog post recapping Johnson’s impressions from a recent meeting in New Jersey.
Johnson wrote about GDPR and similar U.S. laws in a spring 2019 article in E-Scrap News magazine.
In California, CCPA gives consumers new rights with respect to the collection and use of their personal information. Johnson said CCPA applies to ITAD companies, as well as their enterprise clients. CCPA currently allows any individual to request from the covered business – a bank, for instance – the name, as well as the written policies and procedures and qualifications of their data destruction vendors.
CCPA requires those businesses and their service providers to protect consumer’s personal information from unauthorized access, theft or disclosure. Johnson said “unauthorized access” includes loss of data-bearing devices. For example, if an ITAD company driver signs a manifest stating he or she will pick up 100 used hard drives from a customer, but only 99 hard drives arrive at the recycling facility, then that would be considered a data breach incident. Under the current iteration of CCPA, each affected individual could then go to court to seek compensation from the company of up to $750 per incident.
Johnson cautioned that a number of amendments to CCPA are already being considered, so it’s unclear exactly what the law will look like when it goes into effect on Jan. 1, 2020.
“No matter what does result, it will certainly represent kind of a new era in privacy and data security,” he said.
That new era will provide business opportunities for compliant e-scrap processors and challenges for those that aren’t, he said.
“If they’re ready to embrace this emerging world and do these things, it’s going to be really good for them. They’re going to do great if they can speak the language intelligently and they got the right contracts, they have the right policies and procedures,” Johnson said. “The other side of the coin is, if they don’t, they’re still going to find the customer out there that doesn’t know any better or that’s not paying attention, but it will be increasingly more difficult for them to operate.”
