Different laws and regulations require organizations to protect trade secrets, sensitive data, and other important information, depending on the industry. Certifications and standards help organizations follow rules by providing guidelines and methods for data sanitization. Below, we discuss several notable laws, regulations, and standards.
- GDPR: The European Union's GDPR, a leading data privacy regulation, gives customers more authority over their data. Under Article 17, EU customers can have their data deleted from business databases, which requires data sanitization and erasure reports for audits.
- CCPA: In the US, the CCPA gives Californians more control over their data, similar to GDPR. It also requires customer data to be permanently deleted on request.
- Japan APPI: This law protects data even if it is outside Japan, as long as the entity offers goods or services to Japan. APPI safeguards sensitive data, such as personal information and special categories like race, religion, and medical records. Violations can result in penalties of up to JPY 100 million or imprisonment.
- SOX: The Sarbanes-Oxley Act, or SOX, protects businesses, shareholders, buyers, and sellers in the securities market. Trading companies store huge amounts of financial and personally identifiable information about their customers. Safeguarding this data throughout the data lifecycle, and sanitizing it once it reaches end-of-purpose or the device reaches end-of-life, should be part of data security policies.
- GLBA: The Gramm-Leach-Bliley Act in the US regulates the handling of nonpublic personal information (NPI) by financial institutions, focusing specifically on how these institutions handle private customer information. GLBA requires institutions to protect their customers' personal information, including names, addresses, phone numbers, bank statements, Social Security numbers, and credit histories. GLBA violations are subject to harsh penalties, including imprisonment.
- HIPAA: The main goal of the Health Insurance Portability and Accountability Act is to give people more control over their health information. It also requires safeguarding PHI throughout the data lifecycle and sanitizing it once it is no longer required.
- PCI DSS: PCI DSS protects against payment fraud and keeps cardholders' private information safe. Once financial information is no longer required, it must be permanently erased.
- New York Senate Privacy Act: The NY Senate Privacy Act aims to protect the privacy of New Yorkers. It does this by requiring businesses to ask for permission before using their customers’ data. Businesses must delete unnecessary personal data annually or when the consent period ends.
- NIST 800-88: The NIST guidelines are frequently regarded as the gold standard for sectors dealing with confidential information. Contractors must adhere to regulations and implement policies that comply with the NIST SP 800-88 instructions for media sanitization. You can read our articles to learn more about NIST Clear and NIST Purge.
- ISO 27040: ISO 27040 recommends data sanitization as the best way to securely delete data stored on different storage devices.
- ISO 27701: ISO 27701 is a standard for data privacy. It has sections for deleting data to protect it or fulfill removal requests.
- R2V3: R2V3 is a sustainability standard for the safe management of used electronic equipment, covering the full lifecycle of electronics. Vendors in the electronics recycling and reuse industry require this certification. The core R2V3 requirements under Appendix B provide clear guidelines for data sanitization, based primarily on the NIST 800-88 standard.
- CMMC: CMMC is a must-have certification for DoD contractors and others. All media devices holding Federal Contract Information (FCI) must be sanitized before the storage is disposed of or reused.
Public authorities and commercial enterprises ought to develop and implement protocols for data sanitization. This will help avoid data loss and leakage, lessen the effects of data breaches, reduce the opportunities for malicious actors to attack, and reduce security incidents.