Citing the New York state SHIELD Act that was recently signed into law, John Shegerian, Co-Founder and Executive Chairman of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company, has warned of a rapidly shifting legal landscape for all businesses that manage customer data.
The new legislation follows the GDPR trend of broadening who is covered under data protection regulations. For example, SHIELD covers all businesses with private information (as opposed to laws like HIPAA and GLB that cover specific business types). Also, businesses don’t have to be located in New York State to be subject to fines. Any business that has information on any New Yorker is covered by the SHIELD Act.
“This powerful new legislation in New York is the latest of what has been a growing national trend, with approximately 20 other states passing similar laws and more to come,” said Shegerian. “We’ve already seen large corporations such as Google, Facebook and British Airways suffer massive fines under European GDPR regulations, and now with legislation such as New York’s new SHIELD Act, US legislation is clearly following suit. Corporations are being scrutinized more than ever before for their management of digital data. With the increases in liability, there is a huge storm of problems on the horizon for corporations if data is not sufficiently protected from hackers and cybercriminals as well. We can and should anticipate similar regulatory trends to become established nationwide in the very near future.”
The SHIELD Act has particular data security requirements, specifically mentioning disposal of devices that contain data. Under the new legislation, companies are responsible for making sure their devices have technical and physical safeguards in place and that their disposal service providers have those safeguards in place as well.
Reports of cybercrime are at an all-time high, and Shegerian explained that one area too often overlooked is the hacking of physical hardware and devices. To fully combat the threat of a breach, he argues, it has become urgently important to account for data on discarded hardware as well.
“When a device is responsibly recycled, part of that process should always include complete, physical data destruction,” said Shegerian. “Guaranteed data destruction is key. Some companies believe their data is being wiped when they drop devices off for recycling and that is not always the case. Also, unethical and illegal shipping of e-waste to other countries has become an additional layer to the hardware security issue because it leads to the wholesale liquidation of the privacy of corporations and individuals.”