Why Data Security is a Big Part of the e-Recycling Process
Are there any electronics that do not store, access, process or backup data in today’s digital world?
Regardless of its function, most electronics manage data in some way whether on a hard drive, USB flash drive, memory card or other. While this is not a new concept to consider when managing equipment in its live environment, it is often overlooked when it comes to responsible IT asset disposal. In fact, a report from Deloitte found 33 percent of IT executives reported having little or no formal IT governance policies in place.
If you were not already considering data security in your electronics recycling plan, it would be best to prioritize it. Reports have shown the global average cost of a data breach to be $3.86 million, up 6.4 percent from the year prior with no signs of slowing down. Why would you not want to take every precaution to try and prevent a data breach from happening?
While data breaches occur often by bypassing network security remotely, physical attempts to steal local files are common as well. Physical data theft attempts can occur whether devices are in use or are collected for recycling. There are a few areas throughout the e-recycling process where without adequate security protocols in place, items can be at risk for data threats.
Electronics are one of the most-stolen product types
When it comes to cargo-theft specifically, electronics are among the top six commodities stolen globally. 66 percent of these thefts happen while cargo is in transit, with 11 percent occurring while in the warehouse. Electronics recyclers today have to consider how they will help transport equipment back to their facility securely; and then how to maintain security of the equipment once it arrives and is prepared for further processing.
Reuse is the first step of recycling
Many businesses choose to enable reuse of their replaced or retired IT equipment as an option that delivers back the most returned value. A qualified and experienced IT asset disposal (ITAD) vendor can present this to you as an opportunity for a new revenue stream and the process alone helps minimize your overall environmental impact.
It is encouraged to make sure you use an appropriate partner when considering reuse of equipment. If the recycling vendor is also managing the reuse of equipment, look into the data wiping and erasure services they provide to ensure they are performed sufficiently. For example, the National Association of Information Destruction (NAID) conducted a study regarding devices resold in “regular commerce channels” and found that 40 percent still contained personally identifiable information (PII).
Here is some information to reference when vetting your IT asset disposition (ITAD) provider’s reuse process.
Irresponsible recycling can increase physical data threats
The process of e-Recycling involves the collection, testing/tracking, remarketing and final disposition and recycling of materials. Depending on what condition the IT assets are in upon collection, data may remain on storage devices.
When working with a legitimate recycler, there will be some sort of mechanical operation and infrastructure in place to dismantle devices, separate their components (including removal of any hazardous waste), and shred these materials into different sorts.
Once shredded the material is separated again, and commodities of value are sent to downstream recyclers and refineries for reuse. These refined commodities are then sold to manufacturers to be made into new products.
There have been some circumstances however, where these steps were not taken and devices have ended up dumped in developing countries. When this happens, it not only becomes an environmental disaster in addition to a PR nightmare, but this can also leave you at risk of data exposure as well.
In some cases, data can be retrieved from hard drives shredded for recycling
Believe it or not, if somebody really wanted to try and retrieve data from a shredded hard drive, there are ways they could attempt to rebuild the data from the shredded pieces. While this is very unlikely, it can be made possible with the right set of motives.
It is for this reason, that taking some extra efforts when considering data destruction services may go a long way and protect you in the end. Considerations for ensuring data destruction might include:
- Erasing data (via degaussing or wiping) prior to shredding,
- Witnessing data removal and destruction processes, and/or
- Reviewing security standards implemented and maintained by your recycler or data destruction vendor.
A few of the top security standards that recyclers or data destruction vendors may hold around the world might include:
- National Association for Information Destruction (NAID) AAA Certification – Global – Secure data destruction industry’s standards setting and oversight body.
- Transported asset protection association (TAPA) – North America – Freight security requirements standard.
- Information Security Management System (ISO 27001) – Global – Relates to the recycling of waste electrical and electronic equipment, asset management involving secure data eradication and the repair and reuse of electrical and electronic equipment.
- Assured Service (Sanitisation) scheme (CAS-S) – United Kingdom – Scheme offered by NCSC for companies wishing to provide sanitization services to owners of highly classified Government data.
Electronics recycling is often viewed from an environmental perspective as preserving resources and minimizing waste, but as you can see, these services can provide much more value than that. It is recommended to take your IT asset disposal and electronics recycling program seriously and consider all security aspects of the process as well to ensure your company data, brand and liability is protected.
For guidance during the IT asset disposal (ITAD) vendor selection process, check out these sample RFP questions.