Everyone worries about the safety of information. The technology industry is robust with firewalls, encryption systems, and network security hardware. Corporations hire chief security officers, facility security officers, install cameras and metal detectors and have their facilities and the employees “cleared.”
But oftentimes security breaks down at a place so simple it is easily overlooked: the end of the life cycle for computer and electronic equipment.
After spending countless hours and dollars protecting information while the electronic equipment is in use, old computers are often unplugged, put in a storage room, sent to a warehouse, donated or even given away or sold with the data still intact. The equipment enters a twilight zone where no one is really sure what its status is, what information may be on it, who has had access to it and how it should be dealt with.
The paper shredding industry gained a foothold years ago and most companies now have on-site shredder trucks that make weekly visits to their facility. But one cannot forget that the paper being shredded was generated by the PC that may be sitting in the hallway totally unattended and unsecured.
PCs and laptops are not the only devices where data lies unprotected. Telecom equipment, servers, PDAs, cell phones, fax machines, copiers, scanners, tape drives, backup drives, flash drives, thumb drives, even ribbon from dot matrix printers and typewriters — all these devices are capable of storing and releasing data.
Equipment disposal often is not a high priority within a corporate structure. No one wants to be the responsible party and no one wants to add another line item to their yearly budget. Depending on the company, the person responsible may be the IT manager, the facility manager, property manager, procurement, security officer or any combination of those areas.
It is estimated that the cost of ownership of a PC is three to four times the purchase price of the unit. This includes all of the support for installing, maintaining, securing and licensing the piece of equipment. The end-of-life costs also must be considered.
There are currently no less than four regulations mandating protection of private information. While some of these regulations are geared toward specific businesses or industries, some deal with information that organizations of all shapes and sizes will collect and maintain. In a world of constantly heightened security, government contractors need to be particularly vigilant in the management of their computers and data.
Approximately 70 percent to 80 percent of used electronic equipment is shipped overseas for “recycling.” The recipients include Thailand, Nigeria, Indonesia, China, India and Pakistan.
In October 2006 the environmental watchdog organization Basel Action Network (BAN) traveled to Nigeria to investigate how imported e-waste is managed in that country. In addition to an environmental catastrophe, there was clear evidence of U.S. electronics in large quantities being dumped on this poor nation. Equipment was found with asset tags from mortgage companies, hospitals, state and local governments, federal agencies and financial institutions. BAN recovered several dozen hard drives and found data on many of them.
Many U.S. electronics recyclers are actually brokers or exporters, who collect truckloads of electronic equipment, transfer them into shipping containers and send them around the world for a tidy profit. Developing countries are interested in the electronic material primarily for the metal commodities they contain — steel, aluminum, copper and the bits of precious metals found in circuit boards.
But data often goes along for the ride, as well as a myriad of toxic chemicals including lead, mercury, cadmium and others. Exporters are paid well for collecting container loads of equipment and shipping them to the receiving countries, with little or no environmental or security scrutiny. As a result, the water, air and soil in the villages where this “recycling” takes place have become a health and environmental nightmare.
Recent studies indicate that items manufactured in China may contain high levels of lead linked to the large amounts of electronics dumped in that country.
It is illegal in the United States to throw computer equipment in the regular waste stream. The Resource Conservation and Recovery Act (RCRA) stipulates that businesses generating substantial amounts of electronic equipment must have a documented and compliant program in place or risk being fined for RCRA violations. The firm that creates the waste must also perform due diligence in selecting a service provider. If the recycler is not managing the equipment in a responsible manner, the company that hired it can still be on the hook for damages.
Fines can be substantial. For violation of privacy regulations, penalties can run from $1,000 up to $100,000. In addition, officers and directors can be held personally liable for civil penalties of up to $10,000. Environmental violations can result in Superfund liability, which brings large dollar figures and often plenty of bad press.
When equipment leaves a facility, it is important to know exactly where that material goes and what the process is to de-manufacture it. It is not enough to simply select an electronics recycler based on its website and a couple of phone calls. An on-site audit should be performed and the “commodity crumb trail” fully investigated.
Electronic equipment is generally made up of various metals, plastic and glass. A true electronics recycler will de-manufacture the equipment in-house, break the equipment down into commodity values such as steel, aluminum, copper, plastic, glass, circuit boards and batteries, for further processing.
Many IT professionals are convinced that they have the problem under control because they take care of the data at company-owned facilities. But even the best IT professionals are susceptible to errors in managing data.
Several years ago, a large, secure government complex was performing an IT cleanout and hired a reputable electronics recycler who was already under contract with the federal government. The government IT security staff in charge of the project was confident that the hard drives had all been removed on-site before the equipment was picked up in a commercial tractor-trailer and transported to a recycling facility two hours away.
Their recycler was aware of the need to closely scrutinize the equipment. Once the recycler began work on the material, it was clear that something had gone terribly wrong in the system. Hundreds of hard drives were found intact in the computers. Phone calls were made and a federal investigation was launched.
For any facility manufacturing products for the Defense Department, the stakes are even higher. Not only will computer equipment contain loads of design, research and materials information; prototypes and other manufacturing material generated at the facility must also be protected and properly destroyed. Think satellite equipment, communications equipment, weapons systems. Certainly the United States cannot risk these items being shipped around the world for “recycling.”
Another regulation that is not always fully understood by defense contractors is ITAR, the International Traffic in Arms Regulations Act. Export-controlled data or material cannot be released to foreign nationals or representatives of a foreign entity without first obtaining approval or a license from the Department of State or, for items controlled by the Export Administration Regulations (EAR), from the Department of Commerce. One objective of the ITAR and EAR is to prevent foreign citizens, industry, governments, or their representatives from obtaining information that is contrary to the national security interests of the United States.
The penalty for unlawful export of items or information controlled under the ITAR is up to two years imprisonment, or a fine of $100,000, or both. The penalty for unlawful export of items or information controlled under the EAR is a fine of up to $1 million or five times the value of the exports, whichever is greater; or for an individual, imprisonment of up to 10 years or a fine of up to $250,000 or both.
Physical destruction of devices is another consideration. Drilling a hole in a hard drive, smashing it with a hammer or cutting it in half does not eliminate the data. The data is stored on the platters within the hard drive. As long as there are large pieces of platter left whole, there is data that can be recovered by determined sleuths.
Shredding the equipment to small fragments is the best way to ensure complete, unrecoverable data elimination. A good shredding system will also be able to go well beyond shredding hard drives and can also destroy all types of electronic equipment and manufactured equipment as well.
Other methods for data destruction exist, such as overwriting or degaussing hard drives. However, these methods only provide a solution for a partial list of data-containing devices, and they are not necessarily the most stringent when compared to total physical destruction.
The Defense Department requires that equipment being removed from military bases be physically destroyed and ultimately shredded into small fragments — a process dubbed “demilitarization.” Contracting officers’ technical representatives are employed to verify the complete destruction of military equipment.
The United States has instituted extraordinary security regulations since 9/11. All entities handling Defense Department information, or any high-risk information, have to carefully review their equipment disposal practices to reveal any weakness in the system.
Regulations to consider when disposing of electronic assets include the following:
Fair and Accurate Credit Transactions Act
The Fair and Accurate Credit Transactions Act (FACTA) was designed to reduce the risk of consumer fraud and identity theft, and affects virtually every person and business in the United States. One provision is devoted solely to the proper disposal of consumer information. Irresponsible information disposal has been cited in numerous fraud cases. Identity thieves frequently collect a wealth of personal data by rooting through the trash — an activity commonly referred to as “dumpster diving.”
Specifically, this law requires protection against “unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”
Health Insurance Portability and Accountability Act
As of April 14, 2003, the Health Insurance Portability and Accountability Act requires that entities handling personal healthcare information protect such data in all of its forms. This includes not only paper files, but electronic media as well (hard drives, backup tapes).
Resource Conservation and Recovery Act
The law covers electronic equipment that contains hazardous substances such as lead, mercury, chromium, cadmium and beryllium. Because of these toxic characteristics, many computer components are considered hazardous waste. Each full-size cathode ray tube monitor contains about six pounds of lead in the glass. The new flat screens do not contain lead, but they do contain a little mercury.
Under the Resource Conservation and Recovery Act, it is the responsibility of the person who creates the waste to characterize the waste (determine if it is hazardous) and to manage it appropriately. The generator may be subject to civil and criminal penalties if computers are sent to the landfill in regular trash.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX) relates to the computer recycling industry in that it requires businesses, and specifically their top-level officers, to be held accountable for corporate assets and controls. This applies not only to physical assets and property, but to electronic data and record keeping as well. Accurate equipment inventories and data control for auditing purposes are key pieces of this legislation. http://www.sec.gov/spotlight/sarbanes-oxley.htm
Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the Department of Education.
Lisa Collins is regional sales manager at Global Investment Recovery of Tampa, Fla. The company recycles electronics, extracts metals from circuit boards and demilitarizes equipment for the Defense Department.
Please email your comments to SErwin@ndia.org