Data Destruction andThe Impact on Recycling

Data Breaches

• In 2012, over 26M records from 617 data breaches were made public

• Average costs:– $194 per compromised record – $5.5 million per incident

• Damaged trust and reputation• Increased legislation to address:

– Health Insurance Portability and Accountability Act (HIPPA)– Fair and Accurate Credit Transaction Act (FACTA)– Identity Theft and Assumption Deterrence Act (ITADA)– Gramm-Leach-Bliley Act (GLBA)

• More than 46 States have passed legislation requiring owners of personal information databases to notify affected individuals of a data security breach

Where Data Lurks• Data breaches made public were due to hackers• Items for recycling fall outside of established security protocols

– Data not only on computers• Copiers, printers, and scanners

– Employee owned devices (BYOD)• What is the disposition plan for those devices?

• Affinity Health Plan, a New York based not-for-profit managed care plan learned the hard way– Information left on HDD of a previously leased copier

Electronics Recycling Industry

• Electronics recycling is a fairly young industry

• Companies entering the industry could so with few barriers to entry

– Frequently operations are in low-cost spaces with low wages

– Equipment can be as rudimentary as hand tools, pallet jack and pick-up or trailer

• Most recyclers continue to be, “mom and pop” operations with small facilities and fewer than 15 employees

• Easy to Export – US did not ratify rules set by Basel Action Network (BAN)

• Data more valuable than commodities

What to Look for - Certifications

• R2 & e-Stewards: Recycle Responsibly• ISO 14001:2004 Environmentally Responsible• OHSAS 18001: Safety• TAPA: Transported Asset Protection• Microsoft Authorized Refurbisher: able to load operating system for

refurbished resale.

Transported Asset Protection Association

• HVTT (High Value Theft Targeted) asset theft poses a major problem for many industries

• Theft of electronics and almost any other cargo of value is a daily event throughout the world

• This type of crime leads to potential liability of data breaches and compromised brand integrity

• While government programs such as C-TPAT focus on keeping dangerous items out of the supply chain, TAPA focuses mainly on the issue of theft

Not All About Certifications - Observe

• Perform a Site Visit• Security

– Are there adequate security controls in place? Prevent theft of tablet and HDDs

• Safety– If the company does not care about the safety of their people will

they care about the safety of your data?• Environment

– If the site is careless about the environment will they be careless about your data?

• Employees– Background checked? Prison labor?

• Equipment– Adequately process for secured data destruction?

Found a Recycler, Now What? Protecting data: Three main methods of erasing HD (Magnetic Media)

Clearing

• Ensure information cannot be retrieved by data, disk, or file recovery utilities

• Resistant to keystroke recovery attempts from standard input devices

• Overwriting is one method (software)• Replace written data with random data• Cannot be used for media that are damaged or not writeable• Size and type of media determine if this is possible

Why three passes?

• Some organizations are not specific on number of passes

• When specified, normally three• Why?

– US NIST Special Publication 800-88

1 1111 1 11 11111111

1 1111 1 11 11111111

1 1111 1 11 11111111

Purging

• Process that protects data from laboratory attack using non-standard means

• Degaussing – exposing media (hard drive) to strong magnetic field• Usually destroys drive as key firmware info on drive is destroyed• Ideal for large capacity drives• Eliminates Boot Sector

Destruction

• Ultimate form of sanitization• Variety of methods but

shredding is typical method of destruction

• Shred sizes may vary depending on customers requirements

Hard Drives (non SSD)

Clear• Overwrite media by validated overwriting software

Purge• Use approved degausser on entire HD unit or disassemble HD and purge

platters

Shred• Shred• Commodity separation• Material sent to proper metal smelter

Cellphones/Tablets/Flash Drives

Clear• Delete all memory (internal and external)• Perform manufacturer reset• Use of external software

Purge• Same as clear

Shred• Remove battery and shred device• Device shredded and processed at precious metal smelter

Maximizing the value of the assetwhile minimizing the carbon footprint impact

How to Minimize Impact

Managing carbon footprint with efficient logistics

And following the three R’s Reduce – Reuse – Recycle

Drivers of Recycling Costs

Mechanical destruction consumes more energy than reusing

Reusing electronics can save 5-20 times more energy than recycling (eassetsolutions)

500%Savings

Why Recycle Locally and Not Export Whole?

• Processing, shredding, and sorting– Increases security – Do you want your data sent to out of

country on an un-wiped drive?

SRS

Other ?

Beyond Data Destruction - Benefits

• Recycling 1 million laptops saves the energy equivalent to the electricity used by 3,657 US homes in a year (Dosomething)

• One metric ton of circuit boards can contain 40 to 800 times the amount of gold and 30 to 40 times the amount of copper mined from one metric ton of ore in the US. (EPA)

• Overall, the processes used to make consumer goods from recycled material instead of raw resources is much more energy and water efficient (ecocycle)• Paper 60-70% less energy than Virgin Pulp and 55% less water

• EPA tool to calculate energy savings from recycling: http://ecocycle.org/ecofacts

Certificate of Sustainability

• Certificate of Sustainability• Provides customers with a

view of four energy equivalency savings due to electronic waste recycling• Gallons of Gasoline Saved• Barrels of Oil Saved• Trees Planted• Gallons of Water Saved

• Calculations sourced from v3 of the Electronics Environmental Benefits Calculator from U.S. EPA

Q&A