1. JUST RELEASED: Safe Harbor: Simplifying Privacy Law and Data Sanitization Compliance
Although there is no shortage of federal and state privacy legislation, it treats data security programs and end-of-life data disposal in a consistent but vague manner. Following the best-practice guidelines in NIST Special Publication 800-88 and verifying that those procedures were actually carried out provides a high level of assurance that you are in compliance with the relevant regulations. Rather than wading through that forty-one-page document, this white paper condenses its key content into seven pages of straightforward language and charts.
In addition, we have provided summaries of existing federal laws affecting privacy and data breaches, as well as of bills making their way through Congress.
Thumbnails of federal privacy legislation, focusing on data disposal issues
Working summary of NIST Special Publication 800-88 (condenses the 41 pages to 7)
2. Original Research Document: Summary and Highlights: NIST Special Publication 800-88: Guidelines for Media Sanitization
Special Publication 800-88 is an excellent resource for organizations and system owners developing the overall privacy protection programs mandated by most recent privacy legislation. It has become the de facto reference for privacy professionals seeking to comply with federal and state regulations on the disposal of end-of-life (unclassified) electronic data.
This DestructData summary of the NIST publication provides a "thumbnail" version of the essential information in the original 41-page document. Appendix A of that publication, the Media Sanitization Decision Matrix, encapsulates its core concepts and is reproduced in part at the end of this document. The matrix provides useful context for the practical product and policy choices a complete program will require.
3. Simplifying Data Sanitization Compliance: An Analysis of the Regulatory Matrix Points the Way to Safe Harbor
A safe harbor is a provision of a statute or regulation that limits liability on the condition that the party acted in good faith and followed the specified practice. Because most recent privacy legislation presumes such a safe harbor, there is a compelling argument that "real world" compliance in the relatively narrow area of electronic data disposal and destruction is simpler than it appears. In this opinion piece, the interpretation of regulatory data destruction requirements is brought down to a level at which practical strategy decisions can be made with some confidence.
4. NEW FEDERAL LEGISLATION MOVING AHEAD
Many types of information are already protected by federal laws such as HIPAA, FACTA, Sarbanes-Oxley, and the Gramm-Leach-Bliley Act. Since the beginning of 2009, however, the new administration in Washington has refocused on private data security. More on specific legislation below.
UPDATE:
DECEMBER 2009: Federal Data Accountability & Trust Act Passes U.S. House
NOVEMBER 2009: Personal Data Privacy and Security Act of 2009 Clears Committee
NOVEMBER 2009: Justice Department Moves on Data Breach Notification Act
New HITECH Act Increases Fines for HIPAA Violations