Blancco Ensures Regulatory Compliance
It is a common compliance requirement that organizations erase data from all IT assets before they are remarketed, reassigned or recycled. Data security mandates such as ISO 27001, ISO 15408, PCI DSS, HIPAA, SOX and European Union Directives require secure data removal. Blancco ensures regulatory compliance in private and public sectors with extensive data destruction, reporting and auditing capabilities.
Organizations are obliged by law to ensure the safe disposal of sensitive information or face the penalties of non-compliance. Failure to erase data could result in:
- Identity theft
- Time in prison
- Criminal and/or civil liability
- Exorbitant fines or lawsuits
- Irreparable damage to an organization's reputation
- Loss of consumer confidence
- Decline in revenue due to a tarnished reputation and loss of clients
Possible penalties for non-compliance in the USA
| Penalty | HIPAA | FACTA | GLBA | SOX |
|---|---|---|---|---|
| Full name | Health Insurance Portability and Accountability Act | Fair and Accurate Credit Transactions Act | Gramm-Leach-Bliley Act (Financial Services Modernization Act) | Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act) |
| Directors and officers, penalty per violation | | | Up to $10,000 | Up to $1,000,000 |
| Institution, penalty per violation | Up to $250,000 | | Up to $100,000 | Up to $5,000,000 |
| Years in prison | Up to 10 years | | Up to 5 years | Up to 20 years |
| Individual civil fines | $25,000 | Civil action | | |
Data protection legislation in other countries
| Country | Data Protection Legislation | Supervisory Authority | Penalties for Data Breach | Amendments |
|---|---|---|---|---|
| UK | UK Data Protection Act 1998 | Information Commissioner's Office (ICO) | Up to £500,000 for a data breach | On 6 April 2010 the maximum fine for a data breach was raised from £5,000 to £500,000. |
| Germany | Federal Data Protection Act (BDSG) 2001 | Federal Data Protection Commissioner | Up to €50,000 for formal violations and up to €300,000 for more serious violations | In September 2009 fines were increased from €25,000 to €50,000 for formal violations and from €250,000 to €300,000 for more serious violations. |
| Sweden | Personal Data Act 1998 | Data Inspection Board | The Act allows a fine to be imposed on any controller who breaches it. In more serious cases imprisonment is possible: at most six months, or at most two years if the offence is grave. | |
| France | Data Protection Law 1978 | Commission Nationale de l'Informatique et des Libertés (CNIL) | Fines, imprisonment, publication of the case in newspapers or other publications at the sanctioned party's expense, cessation of processing operations and withdrawal of the controller's authorisation to process. | Amended in August 2004 with respect to the protection of data subjects regarding the processing of personal data. |
| Japan | Personal Information Protection Act (JPIPA) | | Maximum 300,000 yen plus a few thousand yen compensation per personal record, or a maximum of 6 months' imprisonment. | In 2009 the guidelines stated that on-site data erasure is necessary for all magnetic media; major companies are now strongly recommended to wipe hard drives on site with professional software or hardware, using one or more passes. |
| Australia | Privacy Act 1988 | Federal Privacy Commissioner | Mainly fines. In some circumstances imprisonment is possible, e.g. for failing to attend a hearing before the Commissioner, failing to make an affirmation when required, giving false information or failing to give information. | Amended in 2000 to cover the private sector (previously it applied only to Australian Government and Australian Capital Territory agencies, or private-sector organisations contracted to those governments). |
| Canada | Personal Information Protection and Electronic Documents Act (PIPEDA) | Privacy Commissioner of Canada | The Commissioner may audit an organization's personal-information management practices and make recommendations to the Federal Court in respect of damages. In addition, a person is liable under PIPEDA to a fine of up to $10,000 (per incident) on a summary | Since 2004 PIPEDA has covered any organization that collects personal information in the course of commercial activity, except in provinces that have "substantially similar" privacy laws. |