Legislative Support
100% Auditable
SEAM ensures that every step of the ITAD process is 100% auditable. Whether your assets are resold, recycled or reused, we account for everything from the secure recovery process to asset tracking and reporting, to final disposition. Our accessible online reporting provides documented proof for all of your auditing needs.
INDUSTRIES SERVED
SEAM helps customers comply with HIPAA and meet the security safeguards set out in HITECH with certified data destruction and shredding services and IT asset management from the point of collection through final disposition. We give you the option to watch the shredding process before equipment even leaves your location, and provide you with a Certificate of Destruction and Recycling showing an audit trail for every hard drive or data-bearing device shredded.
- HIPAA: The Health Insurance Portability and Accountability Act (HIPAA), originally enacted in August 1996, governs the security and privacy of healthcare data and applies to any health care provider considered a Covered Entity. Ranging from hospitals, medical centers and dentists to insurance, billing or collection agencies, all Covered Entities, regardless of size, must “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” Essentially, this act ensures that Protected Health Information (PHI) is protected and remains private. Noncompliance can be devastating, from severe fines and penalties to litigation and brand damage. Lack of sufficient controls for devices and media is one of the five most common sources of breaches, according to Marylou King (former official with the U.S. Department of Health and Human Services Office of General Counsel).
- Omnibus Rule | HITECH | Security Rule: The HIPAA Omnibus Rule was issued in January 2013 and significantly strengthened the privacy and security rules to protect individuals’ PHI and the integrity of electronic PHI. This rule implemented many of the changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted as part of the American Recovery and Reinvestment Act of 2009 (Pub.L. 111–5). Covered Entities, Business Associates and subcontractors must now fully comply with the HIPAA Security Rule, which specifies guidelines for rendering PHI unusable, unreadable or undecipherable. Fines for noncompliance, along with prosecutions, are expected to continue increasing. Choose your business partner wisely: health care providers are likely to face liability for the conduct of business partners and subcontractors. It is estimated that business partners are responsible for more than 60% of HIPAA violations. Avoid choosing the wrong partner by working with SEAM.
With almost 130 state-enacted laws governing how schools and their service providers collect, use, and protect student data, it’s vital for educational institutions and schools to ensure data security in their ITAD program. SEAM provides data destruction services to help meet compliance with these various state laws as well as FERPA. Our secure shredding services ensure student records are securely destroyed. Certificates of Destruction and Recycling and serial number reporting are provided for complete, auditable tracking and recording.
- FERPA: The Family Educational Rights and Privacy Act (FERPA) is a federal law requiring the protection of student privacy and educational records. All U.S. educational agencies and institutions that receive U.S. Department of Education program funding are required to comply. Improper disposal of electronic records on equipment ready for disposal or resale may constitute an unauthorized disclosure under FERPA. To avoid non-compliance, proper data destruction of data-containing technology should be performed in accordance with the National Institute of Standards and Technology (NIST) SP 800-88. If an educational institution does not comply with FERPA, the government may withhold further program payments, issue a complaint to compel compliance through a cease-and-desist order, or terminate eligibility to receive funding.
SEAM's data destruction services meet the requirements of FACTA's Disposal Rule, GLBA Privacy Rights and SARBOX. We provide on-site and off-site shredding services as well as certified hard drive erasure services to assist companies in implementing and maintaining "responsible measures" to ensure private information is protected. Certificates of Destruction and Recycling and other reports are provided for a complete chain of custody.
- FACTA: In June 2005 the Federal Trade Commission (FTC) published the Disposal Rule as part of the Fair and Accurate Credit Transactions Act (FACTA). The Disposal Rule requires “any person who maintains or otherwise possesses consumer information, or any compilation of consumer information, for a business purpose” to adopt procedures for proper data disposal. The disposal standards outlined in the rule require businesses to “destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed.” Failure to abide by FACTA may result in harsh penalties and legal action, including class-action suits brought by victims.
- GLBA: Also known as the Financial Services Modernization Act, the Gramm-Leach-Bliley Act (GLBA) became law in 1999, requiring financial institutions to protect consumer information. Businesses that collect personal financial information from consumers, such as banks and credit unions, must comply with the privacy rights outlined in GLBA. This includes having a comprehensive, written information security program in place as well as a contracted disposition vendor. The act establishes policies for proper administrative, technical and physical safeguards to protect the privacy of individual customers' financial information. Financial institutions remain responsible for safeguarding private information even when it is in the possession of an outsourced company. When selecting a partner for data destruction, it's important to exercise due diligence to make sure data is being handled appropriately.
- SARBOX: The Sarbanes-Oxley Act (SARBOX or SOX) was implemented in July 2002, standardizing the way organizations certify their financial reports. Any organization reporting financial results is required to comply with enhanced standards and data destruction requirements. This includes external audits and maintaining strong data storage policies to produce detailed audit trails of documents and electronic storage media, including but not limited to computers, copiers, printers and other electronics.
- PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) applies to every company doing business in the U.S. that is involved with payment card processing. The PCI DSS standard was developed to enhance cardholder data security and create consistent data security standards. The standard requires companies to maintain secure environments for transmitting and storing cardholder data, including tracking of data-containing technology like servers, computers, laptops, mobile devices, point-of-sale (POS) devices and other retail-specific equipment. When data storage devices are ready to be disposed of or replaced, organizations must “render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.” PCI recommends a “secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media.” The latest “industry accepted standard” for secure data erasure and destruction for hard drives and solid state drives is the National Institute of Standards and Technology (NIST) SP 800-88 standard. Organizations must be able to prove in an audit that their processes and vendors meet these requirements. There are serious risks that can come from non-compliance, including lawsuits, insurance claims, and large fines from payment card companies or the government.
Based on our ability to meet high expectations for quality and service specifically tailored to the banking industry, SEAM has been thoroughly reviewed and selected as an affiliate member of both the South Dakota Bankers Association and the North Dakota Bankers Association.
SEAM's data destruction services for all hard drives and solid state drives meet NIST Special Publication 800-88 standards to ensure federal agencies are in compliance with the required security controls through proper sanitization or destruction of Information Systems (IS) media. We provide on-site and off-site data shredding services, complete disk wiping and chain of custody reporting for a clear audit trail of each data-containing device.
- EO 13834: Executive Order (EO) 13834, Efficient Federal Operations, was signed on May 17, 2018 and outlines a number of measures requiring Federal Government agencies to prioritize actions that reduce waste, cut costs, enhance the resilience of Federal infrastructure and operations, and enable more effective accomplishment of their missions. Guidelines are included in Sec. 2(f) to "implement waste prevention and recycling measures and comply with all Federal requirements with regard to solid, hazardous, and toxic waste management and disposal" as well as Sec. 2(g) to "acquire, use, and dispose of products and services, including electronics, in accordance with statutory mandates for purchasing preference, Federal Acquisition Regulation requirements, and other applicable Federal procurement policies". Agencies may refer to the 2012 GSA Bulletin FMR B-34, "Disposal of Federal Electronic Assets", for the documentation and appropriate disposal of excess and surplus Federal Electronic Assets (FEA) or when returning leased electronics. This includes recycling e-waste through certified recyclers and manufacturer take-back programs. Excess and surplus electronics should not be disposed of in landfills or incinerators. GSA recognizes only two environmentally responsible recycling standards and related third-party certification programs: the Responsible Recycling (R2) program and the e-Stewards® program.
- FISMA: In 2002, the Federal Information Security Management Act (FISMA) was passed into law, requiring federal agencies and government contractors to develop, document, and implement information security procedures to safeguard their Information Systems (IS). Organizations must protect their IS media, both paper and digital, limit IS access to authorized users, and sanitize or destroy IS media before disposal or release for reuse. Under FISMA, National Institute of Standards and Technology (NIST) standards help federal agencies meet the requirements for security controls over digital media potentially containing classified information.
- Federal Energy Regulatory Commission: The best practices guide for Controlling Security Sensitive Material published by the Federal Energy Regulatory Commission states that information on computer storage media should be destroyed by overwriting the media with random data, degaussing the media with a strong magnetic field, or fully destroying the media (e.g., disintegrating, pulverizing, melting, incinerating, or shredding).
- NSES: The National Strategy for Electronics Stewardship (NSES) was developed in 2011 to provide recommendations for the federal government and businesses to improve the design of electronic products and enhance management of used or discarded electronics. This Strategy ensures the federal government leads by example, increases safe and effective management and handling of used electronics in the United States, reduces harm from U.S. exports of electronics waste, and improves handling of used electronics in developing countries.
- Publication 1075: The Tax Information Security Guidelines for Federal, State and Local Agencies provide guidance to ensure proper policies, practices, controls, and safeguards are employed by recipient agencies, agents, or contractors to adequately protect the confidentiality of Federal Tax Information (FTI) from unauthorized use, access, and disclosure. Any FTI containing personally identifiable information (PII) furnished or stored in electronic format must be sanitized or destroyed in accordance with the disposal procedure requirements (Section 9.3.10.6, Media Sanitization (MP-6), and Section 9.4.7, Media Sanitization).
SEAM's computer disposal and hard drive destruction services support regulatory compliance for businesses that process credit card or debit payments, as well as businesses collecting information online. Our certified electronics disposal services provide chain of custody reports for a clear audit trail of proper information security and data destruction.
- PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) applies to every company doing business in the U.S. that is involved with payment card processing. The PCI DSS standard was developed to enhance cardholder data security and create consistent data security standards. The standard requires companies to maintain secure environments for transmitting and storing cardholder data, including tracking of data-containing technology like servers, computers, laptops, mobile devices, point-of-sale (POS) devices and other retail-specific equipment. When data storage devices are ready to be disposed of or replaced, organizations must “render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.” PCI recommends a “secure wipe program in accordance with industry-accepted standards for secure deletion, or otherwise physically destroying the media.” The latest “industry accepted standard” for secure data erasure and destruction of hard drives and solid state drives is the National Institute of Standards and Technology (NIST) SP 800-88 standard. Organizations must be able to prove in an audit that their processes and vendors meet these requirements. There are serious risks that can come from non-compliance, including lawsuits, insurance claims, and large fines from payment card companies or the government.
- COPPA: The FTC’s Children’s Online Privacy Protection Act (COPPA) applies to companies that collect personal information from children under 13 (such as social media sites or other websites/apps used by children). The act requires businesses to take “reasonable steps” to keep children’s information private and secure, and that “reasonable care” be taken before releasing private data to service providers or other third parties to ensure that they are capable of maintaining the privacy and security of the information. COPPA also requires that businesses disposing of personal data take “reasonable steps to protect against unauthorized access.”
SEAM adheres to the highest possible standards for environmentally sound processing and downstream tracking. We undergo rigorous annual audits to provide assurance that electronic equipment will be managed responsibly, protecting you from an environmental incident or data security breach caused by improper disposal.
- Sioux Falls City Ordinance 57.050: Effective May 4, 2004, the City of Sioux Falls ordinance 57.050 bans electronics from the Sioux Falls Regional Sanitary Landfill. Any person bringing material for deposit at the landfill, upon entry onto the landfill premises, authorizes the city to inspect the material before deposit. If excluded materials are discovered during the inspection, the city may refuse the entire load and charge the person attempting to deposit the materials the cost of the inspection.
- CERCLA: The Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA) is a federal law governing the appropriate cleanup and handling of hazardous waste sites. Enacted to help clean up releases of hazardous substances into the environment, CERCLA authorizes the federal government to demand and collect cleanup costs from all companies deemed to have contributed to the hazardous situation. If an initial polluter (for instance, a recycler) is unable to pay the clean-up costs of its pollution, the government can seek clean-up costs from firms deemed to have contributed to that pollution, meaning any business disposing of retired IT assets. It's important to exercise due diligence when selecting an electronics recycling provider to ensure they are properly managing all equipment, not just the valuable items.
- RCRA: The Resource Conservation and Recovery Act (RCRA) calls for “cradle to grave” management of hazardous waste. RCRA makes generators of hazardous waste liable for the proper management and disposal of the hazardous material. This covers the generation, transportation, treatment, storage, and disposal of hazardous waste. Focused on waste minimization and phasing out land disposal of hazardous waste, RCRA calls for increased enforcement authority for the EPA and more stringent hazardous waste management standards. Many electronics are considered hazardous waste due to their high content of hazardous materials, including lead and mercury.
- SREA: When companies take “reasonable care” in conducting due diligence on the facility to which they send their material for recycling, the Superfund Recycling Equity Act (SREA) offers a measure of protection from environmental liability. The act exempts certain persons who “arranged for recycling of recyclable materials” from liability.
- LEED Certification: The Leadership in Energy & Environmental Design (LEED) standard was developed by the US Green Building Council for green buildings and efficient infrastructure. LEED certified buildings earn points to qualify for one of the four levels of certification based on categories including building planning, construction, maintenance and operation. Companies can earn LEED points by implementing a universal waste recycling program and taking appropriate measures for the safe collection, storage, and disposal of batteries, mercury-containing lamps, and electronic waste.
Reasonable steps, due diligence and precautions taken by any company collecting confidential data will keep you in compliance. Let us help.
- Legislative Compliance: We take corporate compliance seriously. SEAM’s certified process follows strict security protocols to ensure data is protected. Customers are provided with detailed reports and Certificates of Destruction, made readily available 24/7 via the customer portal. This information can be used for audits and compliance with various legislative regulations that require businesses to properly handle, archive and destroy electronic records. Using a partner with experience and knowledge eliminates your risks and ensures compliance.
- Crisis Prevention: By using SEAM’s services to handle off-network equipment, customers are preventing costly disasters such as data breaches or environmental catastrophes. Using SEAM as an insurance plan mitigates these risks and helps customers avoid spending huge amounts on the investigation, communication, and ultimate customer loss that result from these issues.
- Corporate Social Responsibility and Sustainability Reporting: All of SEAM’s certified processes are tracked in our operational management system and analytic reports are made available to customers through our online portal. Customers use this reporting service to communicate their CSR initiatives and meet various environmental requirements such as LEED Certification.
- Certified Data Destruction: SEAM adheres to the current recognized data destruction standard for all hard drives and solid state drives, NIST Special Publication 800-88 (Revision 1), which meets and exceeds the US Department of Defense standards. With well-documented and third-party-verified physical destruction and sanitization procedures, we ensure all data is completely destroyed once it enters our facility. Customers can rest assured their data security policies are in compliance and all sensitive data is safely secured with SEAM.