
Disposal of Computer Systems: Removal of Information

By Michael J. Dunne
August 16, 2006

Your business is in the process of upgrading and replacing its computer assets and deciding what to do with the old servers, computers, and laptops. You might sell them, donate them to charity, or simply toss them in the garbage because they are 5 or more years old. Before you choose any disposal option, however, you should first consider what type of information may be stored on those old computer assets and then determine whether your business has a duty to protect that information as part of the disposal process.

From a privacy perspective, a patchwork of laws and regulations exists at the federal and state levels that, either directly or indirectly, imposes requirements regarding the removal of certain types of information from computer memories in connection with the disposal of such computers by the user. Each such law and regulation focuses on a particular type or types of information that may be generally classified as consumer personal information. The present laws and regulations establish general standards with respect to the removal or protection of such information. None of the present laws or regulations provides specific or definitive requirements or guidance with respect to the steps or manner in which the information must be removed. The obligation to remove the information from computer memories derives from the various information privacy and security laws and regulations that have been enacted to protect personal financial and health information and to prevent identity theft.

The laws and regulations in this area appear, for the most part, to impose their requirements only on those businesses that generate or obtain the information in their normal course of business. However, at least one regulation, the FTC Disposal Rule, may be interpreted to impose its requirements for proper disposal on service providers that are in the business of disposing of electronic media.

Federal Laws and Regulations

Health Insurance Portability and Accountability Act

Neither the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') nor the rules and regulations promulgated thereunder identify specific methods for the elimination or removal of data or personal health information from computer hard drives. There is, however, general guidance available under the related security standards issued by the Department of Health and Human Services ('HHS').

On Feb. 20, 2003, final security standards known as the 'Security Rule' were published in the Federal Register. The Security Rule adopts standards for the security of protected health information that is stored electronically. Health plans, health care clearinghouses, and certain health care providers are required to implement certain security standards. HHS solicited comments relating to the level of detail the final Security Rule should contain. Commentators indicated that the standards should not be overly specific due to the speed at which technology evolves. HHS agreed that standards should be defined in generic terms and be scalable, flexible, and generally addressable through various approaches or technologies. The final Security Rule, therefore, is a results-based approach and offers high-level guidance with little specific guidance on implementation.

For example, Section 164.306(a) of the Security Rule states that covered entities must ensure the confidentiality, integrity, and availability of protected health information that is stored electronically. Section 164.306(b), titled 'Flexibility of approach,' states that covered entities 'may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications' and may take into account the following factors: '[t]he size, complexity, and capabilities of the covered entity … [t]he covered entity's technical infrastructure, hardware, and software security capabilities … [t]he costs of security measures … [t]he probability and criticality of potential risks to electronic protected health information.' Because the Security Rule favors security management principles and broad management controls, as opposed to specific rules regarding technology implementation, each covered entity, on a case-by-case basis, has to ascertain the 'reasonable and appropriate' approach warranted by each particular situation.

Gramm-Leach-Bliley Act

As is the case with HIPAA, neither the Gramm-Leach-Bliley Act ('GLB Act') nor the rules and regulations promulgated thereunder identify any specific methods for the elimination of data from computer hard drives. However, as with HIPAA, federal rules have been adopted pursuant to the GLB Act that, in general terms, require the establishment of procedures that are reasonably designed to achieve the objectives of the GLB Act in connection with the disposal of protected consumer information.

For example, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information ('Security Guidelines'), 12 C.F.R. Part 30, issued pursuant to the GLB Act, instruct each covered financial institution to adopt an information security program to protect against unauthorized access to nonpublic customer information in connection with, among other things, the disposal of such information. However, no detailed procedures are provided.

The Security Guidelines instruct each covered institution to 'implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the [institution] and the nature and scope of the activities.' See Security Guidelines, Section II. A. Customer information systems are defined under the Security Guidelines to mean 'any method used to access, collect, store, use, transmit, protect or dispose of customer information.' See Security Guidelines, Section I. 2.d. (emphasis added). The Security Guidelines require each covered institution to design its information security system to, among other things, 'protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.' See Security Guidelines, Section II. B. 3.

The FTC issued similar guidelines under the GLB Act (the 'FTC Security Rule') for entities that qualify as financial institutions within the meaning of the GLB Act but are not regulated by one of the five regulators (Office of the Comptroller of the Currency, Department of Treasury, Federal Deposit Insurance Corporation, Federal Reserve System, and Office of Thrift Supervision) that jointly issued the Security Guidelines. Under the FTC Security Rule, the term 'information security program' means 'the administrative, technical, or physical safeguards [used] to access, collect, [or] … dispose of … customer information.' (emphasis added). 'Customer information' means 'any record containing nonpublic personal information as defined in 16 C.F.R. 313.2(n), about a customer of a financial institution … that is handled or maintained by or on behalf of [the financial institution or its] affiliate.' 16 C.F.R. 314.2(b). The FTC Security Rule requires each covered financial institution to have a comprehensive written information security program that is 'reasonably designed to achieve the objectives of' part 314, inclusive of the objective to 'protect against unauthorized access to or use of [customer] information that could result in substantial harm or inconvenience to any customer.'

Consequently, covered financial institutions must develop written information security programs designed to protect against unauthorized access to customer information in connection with the disposal of such information. However, neither the Security Guidelines nor the FTC Security Rule provides any detailed rules or guidelines on how the covered institutions should comply with that requirement.

In addition to the FTC Security Rule, in 2004 the FTC issued the Disposal Rule, a rule regarding the proper disposal of consumer report information and records under the Fair and Accurate Credit Transactions Act of 2003 and the Fair Credit Reporting Act. Under the Disposal Rule, the term 'disposal' is defined as 'the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.' 16 C.F.R. 682.1(c). The press release issued by the Federal Trade Commission on Nov. 18, 2004 describes the Disposal Rule ('the Rule') as follows:

The Rule requires that covered entities 'take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.' The standard for disposal is flexible to allow entities covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and relevant changes in technology over time. The Rule's flexibility should also facilitate compliance for smaller entities. Additionally, the Rule includes specific examples of appropriate measures that would satisfy its disposal standard.

The Disposal Rule, like the Security Rule, the Security Guidelines, and the FTC Security Rule, simply sets a general standard and does not provide detailed rules on how to remove or eliminate information from computers. The Disposal Rule sets forth its general standard in the following terms: '[a]ny person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.' 16 C.F.R. 682.3(a). The Disposal Rule, however, does give some guidance on proper procedures. For example, the preamble to the Disposal Rule includes the following comment:

If a small entity has stored consumer information on electronic media (for example, computer discs or hard drives), disposal of such media could be accomplished by a small entity at almost no cost by simply smashing the material with a hammer. In some cases, appropriate disposal of electronic media might also be accomplished by overwriting or 'wiping' the data prior to disposal. Utilities to accomplish such wiping are widely available for under $25; indeed, some such tools are available for download on the Internet at no cost. Whether 'wiping,' as opposed to destruction, of electronic media is reasonable, as well as the adequacy of particular utilities to accomplish that 'wiping,' will depend upon the circumstances. (emphasis added)

The Disposal Rule also provides some examples of 'reasonable measures.' One example discusses the entity requiring the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. Although the examples provide more detail than the other federal rules on the topic, the FTC made clear that the 'examples are intended to provide covered entities with guidance on how to comply with the rule but are not intended to be safe harbors or exclusive methods for complying with the Rule.' See FTC's Statement of Basis and Purpose, which accompanied the final Disposal Rule.

The Disposal Rule also focuses on third parties that provide services to entities that possess consumer information. In particular, the third and fourth examples under the Disposal Rule provide that:

(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (1) and (2) above.

Consequently, various vendors may find themselves subject to the requirements of the Disposal Rule depending upon the acts of their customers.

'Consumer information,' the definition of which limits the applicability of the Disposal Rule, is defined to mean:

Any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data. 16 C.F.R. 682.1(b).

State Laws

In addition to the several federal laws and regulations that set general standards regarding the removal or elimination of certain personal information, there are several recently enacted state laws that address the topic. These state laws were enacted in response to the rash of security breaches that occurred in 2004 and 2005 involving personal financial information and the increase in reported cases of identity theft.

The laws enacted in California and New Jersey expressly set standards with respect to the disposal of certain personal information. New Jersey has what might be considered a softer standard, while California's standard sets forth a more stringent or absolute standard.

New Jersey

New Jersey's act requires that:

A business or public entity shall destroy, or arrange for the destruction of, a customer's records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means. N.J.S.A. 56:8-162 (emphasis added).

The New Jersey act further provides that:

'Personal information' means an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. N.J.S.A. 56:8-161.

California

California's act provides that:

A business shall take all reasonable steps to destroy, or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means. Cal Civil Code 1798.81 (emphasis added).

'Personal information' means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. Cal. Civil Code 1798.80.

Whereas New Jersey's law sets its standard to ensure that the electronic records are 'unreadable, undecipherable or nonreconstructable through generally available means' N.J.S.A. 56:8-162 (emphasis added), California's law requires that the electronic records be made 'unreadable or undecipherable through any means.' Cal. Civil Code 1798.81 (emphasis added). California's standard, as it becomes interpreted over time by the courts, may not be any more absolute or stringent than New Jersey's, as California's standard requires only that the party 'take all reasonable steps … ' Nevertheless, the two statutes demonstrate that the standard for disposal varies from state to state and that when it comes to protected information maintained in electronic format, the states, like the federal government, have provided mainly results-oriented general standards without a safe harbor.

Consequently, although there are requirements under both federal and state law with respect to the removal or elimination of certain personal information from computer hard drives, there are no safe harbor approaches. The safest approach, therefore, may be to follow the most stringent procedures that are generally seen as standard and acceptable either: 1) within the industry and locale of the business that collected the information, or 2) within the jurisdiction where the removal or elimination takes place.

Department of Defense Standard 5220.22-M; National Institute of Standards and Technology

In January 1995, the Department of Defense ('DOD') issued the National Industrial Security Program Operating Manual ('NISPOM 1995'). In February 2006, the DOD reissued the National Industrial Security Program Operating Manual ('NISPOM 2006'), replacing NISPOM 1995. NISPOM 2006 contains general information about clearing and sanitizing of media, but does not provide the detailed methods that were included in NISPOM 1995. Although NISPOM 1995 was replaced in 2006 and is not referenced in any of the federal or state laws or regulations discussed above, it remains a general reference point for industry. Consequently, entities that are subject to the above laws and regulations should be aware of and consider NISPOM 1995 procedures and standards when determining what is available, and what might be deemed acceptable, for the removal and elimination of information from electronic media. It should be noted that HHS, the aforementioned financial regulators, and the FTC have not in any way endorsed the notion that a covered entity may rely on its compliance with the DOD's standard to also satisfy compliance with applicable laws or regulations.

Another source of specific procedures that may be used as guidance on acceptable methods for meeting the general standards set by various federal and state laws and regulations is the publication titled Guidelines for Media Sanitization, issued as a Public Draft in February 2006 by the National Institute of Standards and Technology ('NIST'). These Guidelines use the term 'sanitization' to refer to the general process of removing data from storage media, such that there is reasonable assurance, in proportion to the confidentiality of the data, that the data may not be retrieved and reconstructed. The Guidelines also provide 'a matrix of minimum recommended sanitization techniques for clearing, purging, or destroying various media and a decision flow chart to assist in determining which technique is appropriate.' Guidelines, page 4. Again, the Guidelines for Media Sanitization, like the NISPOM, were not developed or designed to provide guidance for complying with the laws and regulations discussed above. As such, the Guidelines do not provide a sure-fire formula for compliance. Nevertheless, they do provide examples of reasonable and acceptable techniques for protecting the confidentiality of information in connection with the disposal of the electronic media on which such information is stored.
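Both the Disposal Rule preamble (wiping as an alternative to physical destruction) and the NIST sanitization guidance leave the adequacy of a particular wipe to the circumstances, so an organization that chooses overwriting needs its own evidence that the overwrite actually completed. The following script is an added example, not code from the article, the FTC, the DoD, or NIST: it reads back a drive image (or, on Linux, a block device path such as `/dev/sdX`, which is an assumption about the deployment) and reports every block that does not match the expected overwrite pattern. The image layout, the `make_sample_image` helper, and the fake record text it plants are constructed for the demonstration.

```python
"""Post-wipe verification: confirm a device or image matches the overwrite
pattern and record which blocks, if any, still hold residual data.
Added example; not from the article or from any regulator's guidance."""
import os
import random
import tempfile

BLOCK_SIZE = 4096


def device_size(dev):
    """Size in bytes via seek-to-end, which works for block devices as well
    as regular files (os.path.getsize reports 0 for a device node on Linux)."""
    dev.seek(0, os.SEEK_END)
    size = dev.tell()
    dev.seek(0)
    return size


def block_offsets(size, block_size, samples=None, seed=0):
    """Offsets to inspect. samples=None scans every block (what an audit
    record should be based on); otherwise a fixed number of pseudo-random
    blocks plus the first and last block, for a quick spot check."""
    n_blocks = (size + block_size - 1) // block_size
    if samples is None or samples >= n_blocks:
        return [i * block_size for i in range(n_blocks)]
    rng = random.Random(seed)
    picked = {0, (n_blocks - 1) * block_size}
    while len(picked) < samples:
        picked.add(rng.randrange(n_blocks) * block_size)
    return sorted(picked)


def verify_wipe(path, pattern=b"\x00", block_size=BLOCK_SIZE, samples=None, seed=0):
    """Compare each inspected block against the overwrite pattern.
    Returns a dict suitable for a disposal log: size, blocks checked,
    offsets with residual data, and an overall clean flag."""
    if not pattern:
        raise ValueError("pattern must be at least one byte")
    expected = (pattern * (block_size // len(pattern) + 1))[:block_size]
    residual = []
    with open(path, "rb") as dev:
        size = device_size(dev)
        offsets = block_offsets(size, block_size, samples, seed)
        for off in offsets:
            dev.seek(off)
            chunk = dev.read(block_size)
            # The final block may be short when size is not a multiple of block_size.
            if chunk != expected[: len(chunk)]:
                residual.append(off)
    return {
        "size": size,
        "blocks_checked": len(offsets),
        "residual_offsets": residual,
        "clean": not residual,
    }


def make_sample_image(path, size, leftover_offset=None):
    """Constructed test image: zero-filled (sparse), optionally with one block
    of fake record text left behind to simulate an incomplete wipe."""
    with open(path, "wb") as f:
        f.truncate(size)
        if leftover_offset is not None:
            f.seek(leftover_offset)
            f.write(b"CUSTOMER,Jane Doe,ACCT-000000 (constructed sample record)")


def demo():
    """Verify a fully wiped image and an incompletely wiped one (both constructed)."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        make_sample_image(clean, 1_000_000)
        make_sample_image(dirty, 1_000_000, leftover_offset=40960)
        return verify_wipe(clean), verify_wipe(dirty), verify_wipe(dirty, samples=16)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A full scan (`samples=None`) is what belongs in the disposal record; the sampled mode is only a quick check before the full pass. The read-back covers only the user-addressable area the operating system exposes, so it cannot see remapped sectors or flash over-provisioning, which is why NIST treats overwriting as clearing rather than purging; for media holding highly sensitive data, destruction or a purge method remains the safer choice.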

In the absence of specific procedures set forth for the disposal of computer assets that may contain consumer personal information, a business considering its options for disposal of old servers, computers, laptops, etc., can look to the aforementioned laws and industry guidelines, in consideration with its specific size and circumstances, to determine an appropriate method of disposal.


Michael J. Dunne is a partner with Pitney Hardin LLP in the Intellectual Property and Corporate practice groups. He concentrates his practice in the areas of intellectual property, computer-related law, the Internet, and general corporate matters, representing clients in many industries, including computer technology, software and Web site development, the Internet, telemedicine, financial services, and retail. Dunne currently serves as co-chair of the firm's Intellectual Property practice group. He is based in the Morristown, NJ office and can be reached at 973-966-8138 or [email protected].

Your business is in the process of upgrading and replacing its computer assets and deciding what to do with the old servers, computers, and laptops. You might sell them, donate them to charity, or simply toss them in the garbage because they are 5 or more years old. Before you choose any disposal option, however, you should first consider what type of information may be stored on those old computer assets and then determine whether your business has a duty to protect that information as part of the disposal process.

From a privacy perspective, a patchwork of laws and regulations exists at the federal and state levels that, either directly or indirectly, imposes requirements regarding the removal of certain types of information from computer memories in connection with the disposal of such computers by the user. Each such law and regulation focuses on a particular type or types of information that may be generally classified as consumer personal information. The present laws and regulations establish general standards with respect to the removal or protection of such information. None of the present laws or regulations provides specific or definitive requirements or guidance with respect to the steps or manner in which the information must be removed. The obligation to remove the information from computer memories derives from the various information privacy and security laws and regulations that have been enacted to protect personal financial and health information and to prevent identity theft.

The laws and regulations in this area appear, for the most part, to impose their requirements only on those businesses that generate or obtain the information in their normal course of business. However, at least one regulation, the FTC Disposal Rule, may be interpreted to impose its requirements for proper disposal on service providers that are in the business of disposing of electronic media.

Federal Laws and Regulations

Health Insurance Portability and Accountability Act

Neither the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') nor the rules and regulations promulgated thereunder identify specific methods for the elimination or removal of data or personal health information from computer hard drives. There is, however, general guidance available under the related security standards issued by the Department of Health and Human Services ('HHS').

On Feb. 20, 2003, final security standards known as the 'Security Rule' were published in the Federal Register. The Security Rule adopts standards for the security of protected health information that is stored electronically. Health plans, health care clearinghouses, and certain health care providers are required to implement certain security standards. HHS solicited comments relating to the level of detail the final Security Rule should contain. Commentators indicated that the standards should not be overly specific due to the speed at which technology evolves. HHS agreed that standards should be defined in generic terms and be scalable, flexible, and generally addressable through various approaches or technologies. The final Security Rule, therefore, is a results-based approach and offers high-level guidance with little specific guidance on implementation.

For example, '164.306(a) of the Security Rule states that covered entities must ensure the confidentiality, integrity, and availability of protected health information that is stored electronically. Section 164.306(b), titled 'Flexibility of approach,' states that covered entities 'may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications' and may take into account the following factors: '[t]he size, complexity, and capabilities of the covered entity … [t]he covered entity's technical infrastructure, hardware, and software security capabilities … [t]he costs of security measures … [t]he probability and criticality of potential risks to electronic protected health information.' Because the Security Rule favors security management principles and broad management controls, as opposed to specific rules regarding technology implementation, each covered entity, on a case-by-case basis, has to ascertain the 'reasonable and appropriate' approach warranted by each particular situation.

Gramm-Leach-Bliley Act

As is the case with HIPAA, neither the Gramm-Leach-Bliley Act ('GLB Act') nor the rules and regulations promulgated thereunder identify any specific methods for the elimination of data from computer hard drives. However, as with HIPAA, federal rules have been adopted pursuant to the GLB Act that, in general terms, require the establishment of procedures that are reasonably designed to achieve the objectives of the GLB Act in connection with the disposal of protected consumer information.

For example, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information ('Security Guidelines'), 12 C.F.R. Part 30, issued pursuant to the GLB Act, instruct each covered financial institution to adopt an information security program to protect against unauthorized access to nonpublic customer information in connection with, among other things, the disposal of such information. However, no detailed procedures are provided.

The Security Guidelines instruct each covered institution to 'implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the [institution] and the nature and scope of the activities.' See Security Guidelines, Section II. A. Customer information systems are defined under the Security Guidelines to mean 'any method used to access, collect, store, use, transmit, protect or dispose of customer information.' See Security Guidelines, Section I. 2.d. (emphasis added). The Security Guidelines require each covered institution to design its information security system to, among other things, 'protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.' See Security Guidelines, Section II. B. 3.

The FTC issued similar guidelines under the GLB Act (the 'FTC Security Rule') for entities that qualify as financial institutions within the meaning of the GLB Act but are not regulated by one of the five regulators (Office of the Comptroller of the Currency, Department of Treasury, Federal Deposit Insurance Corporation, Federal Reserve System, and Office of Thrift Supervisor) that jointly issued the Security Guidelines. Under the FTC Security Rule, the term 'information security program' means 'the administrative, technical, or physical safeguards [used] to access, collect, [or] … dispose of … customer information.' (emphasis added). 'Customer information' means 'any record containing nonpublic personal information as defined in 16 C.F.R. 313.2(n), about a customer of a financial institution … that is handled or maintained by or on behalf of [the financial institution or its] affiliate.' 16 C.F.R. 314.2(b). The FTC Security Rule requires each covered financial institution to have a comprehensive written information security program that is 'reasonably designed to achieve the objectives of' part 314, inclusive of the objective to 'protect against unauthorized access to or use of [customer] information that could result in substantial harm or inconvenience to any customer.'

Consequently, covered financial institutions must develop written information security programs designed to protect against unauthorized access to customer information in connection with the disposal of such information. However, neither the Security Guidelines nor the FTC Security Rule provides any detailed rules or guidelines on how the covered institutions should comply with that requirement.

In addition to the FTC Security Rule, in 2004 the FTC issued the Disposal Rule, a rule regarding the proper disposal of consumer report information and records under the Fair and Accurate Credit Transactions Act of 2003 and the Fair Credit Reporting Act. Under the Disposal Rule, the term 'disposal' is defined as 'the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored.' 16 C.F.R. 682.1(c). The press release issued by the Federal Trade Commission on Nov. 18, 2004 describes the Disposal Rule ('the Rule') as follows:

The Rule requires that covered entities 'take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.' The standard for disposal is flexible to allow entities covered by the Rule to determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods, and relevant changes in technology over time. The Rule's flexibility should also facilitate compliance for smaller entities. Additionally, the Rule includes specific examples of appropriate measures that would satisfy its disposal standard.

The Disposal Rule, like the Security Rule, the Security Guidelines, and the FTC Security Rule, simply sets a general standard and does not provide detailed rules on how to remove or eliminate information from computers. The Disposal Rule sets forth its general standard in the following terms: '[a]ny person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.' 16 C.F.R. 682.3(a). The Disposal Rule, however, does give some guidance on proper procedures. For example, the preamble to the Disposal Rule includes the following comment:

If a small entity has stored consumer information on electronic media (for example, computer discs or hard drives), disposal of such media could be accomplished by a small entity at almost no cost by simply smashing the material with a hammer. In some cases, appropriate disposal of electronic media might also be accomplished by overwriting or 'wiping' the data prior to disposal. Utilities to accomplish such wiping are widely available for under $25; indeed, some such tools are available for download on the Internet at no cost. Whether 'wiping,' as opposed to destruction, of electronic media is reasonable, as well as the adequacy of particular utilities to accomplish that 'wiping,' will depend upon the circumstances. (emphasis added)

The Disposal Rule also provides some examples of 'reasonable measures.' One example discusses the entity requiring the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed. Although the examples provide more detail than the other federal rules on the topic, the FTC made clear that the 'examples are intended to provide covered entities with guidance on how to comply with the rule but are not intended to be safe harbors or exclusive methods for complying with the Rule.' See FTC's Statement of Basis and Purpose, which accompanied the final Disposal Rule.

The Disposal Rule also focuses on third parties that provide services to entities that possess consumer information. In particular, the third and fourth examples under the Disposal Rule provide that:

(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (1) and (2) above.

Consequently, various vendors may find themselves subject to the requirements of the Disposal Rule depending upon the acts of their customers.

'Consumer information,' the term that limits the applicability of the Disposal Rule, is defined to mean:

Any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. Consumer information also means a compilation of such records. Consumer information does not include information that does not identify individuals, such as aggregate information or blind data. 16 C.F.R. 682.1(b).

State Laws

In addition to the several federal laws and regulations that set general standards regarding the removal or elimination of certain personal information, there are several recently enacted state laws that address the topic. These state laws were enacted in response to the rash of security breaches that occurred in 2004 and 2005 involving personal financial information and the increase in reported cases of identity theft.

The laws enacted in California and New Jersey expressly set standards with respect to the disposal of certain personal information. New Jersey's standard might be considered the softer of the two, while California's is, on its face, more stringent or absolute.

New Jersey

New Jersey's act requires that:

A business or public entity shall destroy, or arrange for the destruction of, a customer's records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means. N.J.S.A. 56:8-162 (emphasis added).

The New Jersey act further provides that:

'Personal information' means an individual's first name or first initial and last name linked with any one or more of the following data elements: (1) Social Security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. N.J.S.A. 56:8-161.

California

California's act provides that:

A business shall take all reasonable steps to destroy, or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business by (1) shredding, (2) erasing, or (3) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means. Cal. Civil Code 1798.81 (emphasis added).

'Personal information' means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information. Cal. Civil Code 1798.80.

Whereas New Jersey's law sets its standard to ensure that the electronic records are 'unreadable, undecipherable or nonreconstructable through generally available means,' N.J.S.A. 56:8-162 (emphasis added), California's law requires that the electronic records be made 'unreadable or undecipherable through any means.' Cal. Civil Code 1798.81 (emphasis added). California's standard, as it is interpreted over time by the courts, may prove no more absolute or stringent than New Jersey's, because California's standard requires only that the party 'take all reasonable steps … ' Nevertheless, the two statutes demonstrate that the standard for disposal varies from state to state and that, when it comes to protected information maintained in electronic format, the states, like the federal government, have provided mainly results-oriented general standards without a safe harbor.

Consequently, although there are requirements under both federal and state law with respect to the removal or elimination of certain personal information from computer hard drives, there are no safe harbor approaches. The safest approach, therefore, may be to follow the most stringent procedures that are generally seen as standard and acceptable either: 1) within the industry and locale of the business that collected the information, or 2) within the jurisdiction where the removal or elimination takes place.

Department of Defense Standard 5220.22-M; National Institute of Standards and Technology

In January 1995, the Department of Defense ('DOD') issued the National Industrial Security Program Operating Manual ('NISPOM 1995'). In February 2006, the DOD reissued the National Industrial Security Program Operating Manual ('NISPOM 2006'), replacing NISPOM 1995. NISPOM 2006 contains general information about clearing and sanitizing media, but does not provide the detailed methods that were included in NISPOM 1995. Although NISPOM 1995 was replaced in 2006 and is not referenced in any of the federal or state laws or regulations discussed above, it remains a general reference point for industry. Consequently, entities that are subject to the above laws and regulations should be aware of and consider NISPOM 1995 procedures and standards when determining what is available, and what might be deemed acceptable, for the removal and elimination of information from electronic media. It should be noted that HHS, the aforementioned financial regulators, and the FTC have not in any way endorsed the notion that a covered entity may rely on its compliance with the DOD's standard to satisfy compliance with applicable laws or regulations.

Another source of specific procedures that may be used as guidance on acceptable methods for meeting the general standards set by various federal and state laws and regulations is the publication titled Guidelines for Media Sanitization, issued as a Public Draft in February 2006 by the National Institute of Standards and Technology ('NIST'). These Guidelines use the term 'sanitization' to refer to the general process of removing data from storage media, such that there is reasonable assurance, in proportion to the confidentiality of the data, that the data may not be retrieved and reconstructed. The Guidelines also provide 'a matrix of minimum recommended sanitization techniques for clearing, purging, or destroying various media and a decision flow chart to assist in determining which technique is appropriate.' Guidelines, page 4. Again, the Guidelines for Media Sanitization, like the NISPOM, were not developed or designed to provide guidance for complying with the laws and regulations discussed above. As such, the Guidelines do not provide a sure-fire formula for compliance. Nevertheless, they do provide examples of reasonable and acceptable techniques for protecting the confidentiality of information in connection with the disposal of the electronic media on which such information is stored.

In the absence of specific procedures set forth for the disposal of computer assets that may contain consumer personal information, a business considering its options for disposal of old servers, computers, laptops, etc., can look to the aforementioned laws and industry guidelines, in light of its specific size and circumstances, to determine an appropriate method of disposal.


Michael J. Dunne is a partner with Pitney Hardin LLP in the Intellectual Property and Corporate practice groups. He concentrates his practice in the areas of intellectual property, computer-related law, the Internet, and general corporate matters, representing clients in many industries, including computer technology, software and Web site development, the Internet, telemedicine, financial services, and retail. Dunne currently serves as co-chair of the firm's Intellectual Property practice group. He is based in the Morristown, NJ office and can be reached at 973-966-8138 or [email protected].
