As we slowly come out of the pandemic, many businesses are now working leaner, with fewer employees and even less of them coming into the office, which means a surplus of onsite electronic devices such as workstations, printers and phone systems, etc.
Here’s the challenge for New Jersey businesses:
Corporations, businesses, manufacturers, laboratories, health systems and educational facilities face a huge challenge when disposing of electronic equipment that has any type of memory. All electronic equipment, computers, fax machines, hand held devices, phones, storage devices and solid state drives, copiers, monitoring equipment, scanners, and anything else with memory or a hard drive, has data on it. Any piece of unused electronic equipment, either in your office, or in your employee’s home, could have billing information, passwords, accounting records, network information, document images, proprietary research, and client and employee information. Because the data remains intact as long as that equipment can still be taken apart and accessed, all sensitive data must be securely removed before recycling, reusing or reselling.
Recycling seems like the natural solution, as it is certainly better for the environment. According to the National Association for PET Container Resources, for every pound of recycled PET plastic flake used (in lieu of virgin petrochemical feedstock) greenhouse gas emissions are reduced by 71%. The United States Environmental Protection Agency states that on average, approximately 1.67 metric tons of Carbon Dioxide (CO2) equivalents are avoided for every ton of municipal solid waste recycled.
New Jersey consumers and small businesses with fewer than 50 full-time employees, can recycle computers, monitors, laptops, portable computers, desktop printers, desktop fax machines and televisions for free at an approved collection site. An approved recycler must ensure to the New Jersey Department of Environmental Protection (NJDEP) that electronic devices are recycled in a manner that is in compliance with all applicable federal, state and local laws, regulations and ordinances.
Manufacturers must also ensure that these devices are not exported for disposal in a manner that poses a risk to the public health or the environment.
What about the data that’s stored on all of those devices? Most recycling/resale companies claim to wipe all of the customer’s important data before it is recycled or resold.
But What If They Don’t?
According to the 2018 Cost of a Data Breach Study conducted by the Ponemon Institute and IBM Security (https://www.intlxsolutions.com/hubfs/2018_Global_Cost_of_a_Data_Breach_Report.pdf), the average cost of a data breach of up to 100,000 records is approximately $3.86 million.
News about cyber hacks is fairly common but the less publicized problem of data breaches brought on by misinformed original owners still exists. In 2010, photocopiers that were used to copy sensitive medical information were sent to be re-sold without wiping the hard drives. Three hundred pages of individual medical records, containing drug prescription and blood test results were still on the hard drive of the copiers sitting in a warehouse for resale. The U.S. Department of Health and Human Services settled with original owner of the copiers for HIPAA violations to the tune of $1,215,780.
Following this news, CBS News purchased two photocopiers from an office equipment reseller, and discovered that the copiers were still loaded with confidential documents from its original owner—a Buffalo, New York police department. In 2015, a computer at Loyola University that contained names, Social Security numbers, and financial information for 5800 students was disposed of before the hard drive was wiped.
Many recyclers try to recoup the value of electronic waste by improperly salvaging parts and selling them outside of contracted terms. Often recyclers will merely “delete” data rather than erasing or overwriting it, raising the possibility that a hacker could recover proprietary company data. In 2019, financial institution Morgan Stanley hired a vendor to scrub devices from two data centers that closed in 2016, but the vendor had left some client data on the devices. Some of those servers and hardware were then sold to recyclers and are now missing.
When disposing of IT equipment, recycling vendors need to meet two primary objectives:
The product is destroyed in such a manner that it can never be reused and the original owner can not be identified and the resulting materials from the destruction process be disposed of in an environmentally appropriate and regulatory compliant manner.
Recyclers that fully de-manufacture devices will accomplish three important destruction objectives:
The New Jersey DEP requires a “Class D” electronics processing licensed to recycle electronics in New Jersey. There are currently 10 Class D licenses. Hard drives, solid state drives, PDAs, cell phones, tablets are all considered electronics and can only be processed and recycled by a class D licensed facility.
New Jersey businesses that give their hard drives and other devices to a company that does not have a Class D license can never really know where their devices are going. A Class D recycler that is a Federal EPA licensed facility, ISO 9001,14001 and 45001 certified and R2 (Responsible Recycling) certified will provide you with detailed certificates of destruction for all devices, by serial number. Compliance documentation, including secure tracking information should be available to you 24/7/365 as well.
By performing vendor due diligence to ensure that your devices are properly demanufactured and destroyed, New Jersey businesses can eliminate the unauthorized and uncontrolled re-marketing of their electronic devices, destroy all sensitive data that may be on the circuitry, and comply with all regulatory and industry environmental standards for disposal.
To access more business news, visit NJB News Now.Related Articles: