Risk Management

Death Row for Computers?

A new privacy law requires companies to obliterate consumer data from PCs headed for the scrap heap. One solution: Smelt 'em.
Marie LeoneOctober 1, 2001

Bob Knowles’s company destroyed 130 tons of computer hardware between January and July, and it’s on track to smelt 300 additional tons by year’s end — more than tripling last year’s mark. The CEO of Denver-based Technology Recycling attributes the dramatic rise in its business volume to new privacy laws, particularly the Gramm-Leach-Bliley Act (GLB), which requires companies to obliterate consumer financial data from computers that are earmarked for the trash.

Under GLB, which went into effect in June, companies that collect nonpublic personal information (NPI) — Social Security numbers, credit information, banking data — from consumers must comply with the law’s privacy provisions, says Thomas M. Regan, an attorney with Cozen O’Connor, in Philadelphia. The provisions direct companies to protect NPI from the consumers’ cradle to the grave, and to notify them of the companies’ privacy policy.

At first glance, GLB might seem to apply only to banks and other traditional financial institutions. Yet the law’s definition of a financial institution is so broad, notes Regan, that it covers any company that gathers such personal information, including retailers that issue credit cards, as well as auto dealerships, tax-preparation professionals, real estate appraisers, search firms, and personal check-printing services. But, adds Bob Knowles, “many executives don’t know that the law affects them.”

The penalties for noncompliance are harsh, says Daniel Langin, an attorney based in Overland Park, Kansas, if only because it represents a breach of fiduciary duty. He estimates that fines for board members could reach $10,000 a day once government audits commence. At least six federal agencies help enforce GLB, including the SEC, the FTC, and the Office of the Comptroller of the Currency.

The fallout may not end there, warns Knowles, as violators could be denied access to Small Business Administration loans or see their liability insurance voided.