Five questions to help you evaluate your recycling and data disposal program
Is your company’s data and private information truly secure? With Microsoft officially ending support for Windows XP on April 8, 2014, hundreds of thousands of computers are being upgraded. That means many old systems are also being recycled. That’s a frightening thought for a number of reasons.
Within just the past few years, we’ve seen businesses and organizations across all industries do some alarming things with their old computers, printers, copiers and other data-containing devices. We’ve witnessed hospitals selling their electronics to scrappers in pickup trucks. Computer repair shops often “recycle” computers from medical offices, then turn around and sell them to illegal or underground recyclers.
Many of these organizations think that they have covered all of their bases simply because they removed their hard drives. However, most fail to remove CD-ROMs, tape drives, printer paper and copier hard drives. It’s common for us to find CD-ROMs, papers containing confidential information and non-wiped hard drives.
With that in mind, your business should be very careful about the electronics recycling provider you choose to handle your sensitive data and equipment. The following are five questions you should ask related to your data destruction methods:
1. What is the best method for destroying data?
Nearly all computer recycling companies advertise that they use Department of Defense-approved data destruction. However, we’ve found that in a majority of situations, this is not the case at all. Many recycling companies lack the knowledge to understand which types of components have data and which do not.
Hard drive crushing, punching and drilling are not approved data destruction methods. The easiest way to find approved methods is by reading NIST Special Publication 800-88, Guideline for Media Sanitization, available at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf
Not all hard-drive shredders are created equal. For optimal destruction, items must be shredded to a nominal edge dimension of 5mm. Ask your shredding company if it meets this requirement.
Degaussing is not for all media. It can be an excellent form of destruction, but it only works on magnetic media. It does not work on USB drives, cell phones, solid-state drives or other items containing flash memory.
Above all, always ask for proof. Serialized reports with data destruction, videos or onsite destruction can all be excellent methods of verification.
2. What types of business and personal items contain sensitive data?
Many businesses and organizations simply don’t realize how many items contain potentially sensitive data and information. These include the following:
Digital copiers and printers. Often, a copier will hold digital files of all copies ever made.
Paper in printers. Over the years, we have found checks, payroll records, Social Security numbers and more left in printers.
Routers, firewalls and other networking equipment may contain important data related to your network security.
CD-ROMs, DVDs and tape drives may still contain media. We find many computers that have had their hard drives wiped, but the optical drives contain CDs with sensitive material.
Hard drives, cell phones and thumb drives all may contain sensitive data.
Although we always recommend working with a professional electronics recycling company, data destruction can be done in-house. The following are some tips:
Wipe hard drives using a free tool called DBAN or manufacturer-specific tools. This only works on fully functional hard drives.
Remove and shred all paper from your printers and copiers.
Reset all of your functional networking equipment to its original state. Refer to the manufacturer’s instructions to do so.
Functional cell phones can be reset to their original state. Simply follow the manufacturer’s guidelines.
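A spot check a practitioner can run after an in-house wipe, before a drive leaves the building, as an added example that is not part of the original article: it reads evenly spaced samples back from the device (or an image of it) and fails on any non-zero byte, so the wipe is verified rather than assumed. It assumes a zero-fill overwrite and a POSIX system with dd and od; the function names are mine.

```shell
#!/bin/sh
# Post-wipe spot check for an overwritten drive or an image of one.
# Reads evenly spaced 64 KiB samples and fails on the first non-zero byte,
# which is what a single-pass zero overwrite should leave behind.
# Constructed example; assumes a zero-fill wipe and a POSIX system with dd/od.

BLOCK=4096            # read unit in bytes
CHUNK_BLOCKS=16       # 16 x 4 KiB = 64 KiB per sample

# Byte size of a regular file or (on Linux) a block device.
media_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1"
    fi
}

# verify_wipe PATH [SAMPLES]  -> 0: every sample read back as zeros;
# 1: residual data found; 2: media too small or unreadable (never a pass).
verify_wipe() {
    dev=$1; samples=${2:-16}
    size=$(media_size "$dev") || return 2
    total=$((size / BLOCK))
    [ "$total" -ge "$CHUNK_BLOCKS" ] || return 2
    if [ "$samples" -gt 1 ]; then
        stride=$(( (total - CHUNK_BLOCKS) / (samples - 1) ))
    else
        stride=0
    fi
    i=0
    while [ "$i" -lt "$samples" ]; do
        blk=$((i * stride))
        # hex-dump the sample and strip whitespace: only hex digits remain
        hex=$(dd if="$dev" bs="$BLOCK" skip="$blk" count="$CHUNK_BLOCKS" 2>/dev/null \
              | od -An -v -tx1 | tr -d ' \n')
        if [ "${#hex}" -ne $((CHUNK_BLOCKS * BLOCK * 2)) ]; then
            echo "sample $i: short read, result untrustworthy" >&2
            return 2
        fi
        case $hex in
            *[!0]*) echo "sample $i: residual data at byte offset $((blk * BLOCK))" >&2
                    return 1 ;;
        esac
        i=$((i + 1))
    done
    echo "$samples samples of $size bytes read back as zeros"
}
if [ "$#" -gt 0 ]; then verify_wipe "$@"; fi
```

Run it as root against the raw device after the wipe and file the output alongside the serialized asset list as part of the proof of destruction.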
3. Is your electronics recycler legitimate?
If you are already working with a computer recycling service, make sure you address the following issues:
Ask about certifications: The Environmental Protection Agency (EPA) has two primary standards when it comes to electronics recycling: R2 Responsible Recycling & E-Steward. If a company is not certified by either of these standards, consider another option. Also take note that some providers will claim to be R2 or E-Steward “compliant,” which is not the same as certified. Ensure that the company is listed on www.r2solutions.org or www.e-stewards.org.
Know where the material goes: Ask your recycler about what it does with materials, and if they will be resold or exported. Any R2 or E-Steward certified company should have no problem answering these questions.
Avoid drop points: Many companies have drop points at local nonprofits, computer repair shops and other locations. Take any sensitive material directly to the recycler’s facility and not to an intermediary, which will be much less secure.
Take a facility tour: You should be able to take a tour of the facility, and when you do, be sure to look at its physical security. Is the building locked down? Are there metal detectors? If you don’t have time for a tour, ask for references from existing clients.
Ensure compliance with state law: If the facility is R2 or E-Steward certified, part of the auditing process ensures legal compliance. If the facility is not certified, check with your local EPA office.
In addition, when a company comes in to replace and/or upgrade your equipment, ask about what they are doing with the old items. You should be able to get proof, including the name and address of the recycler, an asset list containing the hard drives removed from your facility and evidence that the material was delivered to the certified recycler. Better yet, you can have the certified recycler pick up the equipment directly from your location — always the best option.
4. Is your electronics recycler insured?
Another issue to consider is whether or not the company you choose to provide recycling and data destruction services has the proper insurance. This includes the following:
General liability insurance
Workers compensation insurance (required if the company is coming to your facility)
Automobile liability insurance (required if the company is coming to your facility)
Professional liability insurance, covering data breaches in the event that a recycler does not properly sanitize your media
Always ask for a certificate of recycling and certificate of destruction to ensure you have the right legal documents in the event of a data breach.
5. What is your back-end staff doing with your computers?
We recently found out that certain staff members at a hospital were removing hard drives from computers and laptops, and then selling them to a non-permitted and uncertified company. They failed to remove the tape drives, CDs, paper and other items from the computers, however. The hospital’s management had no idea that this was happening.
Similarly, we discovered a reputable local computer shop that was doing essentially the same thing. While the store advertised that it sent its material to a certified facility, in reality the computers and laptops were being sold to a non-permitted and uncertified provider.
Business owners and executives should ensure that their employees are working exclusively with certified companies. Many public companies, government entities and larger private corporations are requiring the use of a certified electronics recycler. Follow their lead and choose a certified provider to protect your business and your customers.
About Commonwealth Computer Recycling:
Commonwealth Computer Recycling (CCR) is an R2-certified and DEP-permitted facility in Greensburg, Pennsylvania. The company provides the recycling and disposal of electronic devices, including laptops, computers, cellular phones and other electronic components. It also offers secure data destruction services for hard drives and electronic storage devices to businesses, organizations and individuals across the region.