Compliance Obligations & Penalties: SOX, HIPAA, GLBA, JPIPA, EU-DPA, ISO 27001, IT-Act, PCI-DSS, ISAE 3402-3416.
Whether an organization is disposing of storage assets by donating them to a charity, sending them to a responsible recycler, or returning leased IT assets, it has an obligation to ensure that no data breach occurs. These obligations arise under various international laws and company policies, and the organization must be able to demonstrate strict compliance. In the event of a data compromise, the organization and its officers face severe financial penalties and the risk of imprisonment.
An organization should also exercise care when IT assets are REASSIGNED INTERNALLY on account of a transfer, resignation, end of project, etc. This becomes particularly important when the same level of confidentiality is NOT maintained across departments.
It is a standard compliance requirement for organizations to completely erase data beyond the scope of recovery from all IT assets before recycling or reassignment. In the United States, SOX and other regulatory directives applicable to public companies require complete and secure data erasure.
Under Section 43A of the Indian Information Technology Act, 2000, a body corporate that possesses, deals with or handles any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices, thereby causing wrongful loss or wrongful gain to any person, may be held liable to pay damages to the person so affected.
Additional implications include the high cost of lawsuits and the loss of reputation and customer trust, which may have a permanent or long-term impact on the sustainability of an organization.