Appetite for Destruction

Jun 9, 2014, 09:25 AM

May/June 2008

With today's growing awareness—and regulation—of information privacy and data security, electronics recyclers with the right equipment and know-how see data destruction as a growth opportunity.

By Theodore Fischer

When the Basel Action Network went to Nigeria in 2005 to film an exposé on the environmental damage caused by improper dumping and burning of electronic scrap, it found another cause for alarm. Independent forensic examiners easily retrieved résumés, employee reviews, funding reports, personal correspondence, and other revealing, sensitive information from used hard disks BAN purchased in the marketplace in Lagos, a city renowned for online scams.

The hard disks came from computers the investigators could trace back to U.S. government workers; city agencies in Houston, San Antonio, and Washington, D.C.; hospitals; and private companies and individuals worldwide. "We found hard drives from the World Bank, very explicit e-mails," says Jim Puckett, BAN founder and coordinator. "We found very, very confidential data from the state of Wisconsin's child protective custody agency about how much [support] kids were getting, what their problems were, who their real parents were." The data-security and environmental concerns all went into BAN's film The Digital Dump: Exporting Re-use and Abuse to Africa. "We wanted to scare the living daylights out of consumers, corporations, and governments" that these exported electronic products were both damaging the environment and exposing them and others to serious breaches of information privacy, Puckett says.

As identity theft and information security worries—and regulatory responses to them—have become widespread, electronics recyclers have found a potential new market for their services. Steps they take to process used equipment for resale or commodity recovery have become recommended data security measures for end-of-life electronics, drawing the interest of companies that might not have been attracted to e-recycling's environmental benefits. What they're doing is still electronics processing, but what they're selling is peace of mind.

The Regulatory Environment
Though the push to keep electronics out of landfills and recycle their valuable commodities goes back more than a decade, concern about the information embedded in electronic devices—computer hard drives, personal digital assistants, floppy discs, optical discs, cell phones, and other gadgets that encode electronic data—when they are taken out of service has become prominent only in the past few years. Even so, regulators have built up an array of laws regarding the management of what the public deems especially sensitive data, such as health and financial records.

One of the first forms of U.S. data regulation, the Disposal Rule of the Federal Trade Commission's Fair and Accurate Credit Transactions Act of 2003, made individuals and businesses legally responsible for any sensitive information they collect from consumer credit, employment, insurance, and medical reports. While the rule requires proper disposal of those items to prevent "unauthorized access to or use of the information," it also promotes secure disposal of any records containing personal or financial information.

The FACTA Disposal Rule doesn't mandate specific methods for destroying or erasing electronic files, but it does describe the due diligence it requires from companies that hire third parties to destroy the data: They should review an independent audit of the destruction company's operations and compliance with the rule, obtain several references about the company, make sure the company is certified by a recognized trade association, and review the company's information security policies and procedures.

To help companies determine the best ways to destroy various forms of electronic data, in 2006 the National Institute of Standards and Technology issued its "Guidelines for Media Sanitization" (NIST Special Publication 800-88). This publication "identifies the steps that need to be taken, but because those steps may be implemented differently, it doesn't necessarily tell you how to do it," says Richard Kissel, the NIST information security specialist who served as lead author of the guidelines.

For every electronic device or storage medium, old or new, the NIST guidelines outline minimum sanitization recommendations. The options for sanitizing PDAs, for example, include clearing—"Manually delete all information, then perform a manufacturer's hard reset to reset the PDA to factory state"—and physical destruction by shredding, pulverizing, or burning in a licensed incinerator. 

The Business of Destruction
Firms are entering the data destruction field from several different directions—from secure document destruction, from corporate information security, and, of course, from electronics recycling. Some of the same downstream due diligence recyclers perform to ensure used electronics are properly refurbished, resold, or recycled from an environmental perspective now helps them assure clients they have properly destroyed any data the equipment contained.

"Fundamentally, we help companies do the right thing—and prove that they've done it," says Rike Sandlin, director of marketing for Intechra (Jackson, Miss.), a 20-year-old information technology asset disposition company. "They're looking for assurances like ISO certifications and the discipline to audit the downstream—where the materials go. They're looking for a company that provides a level of detailed reporting, certification, and indemnification that assets were handled the way they're supposed to be handled."

The first step in the sanitization process involves using software to overwrite a product's hard drive in keeping with U.S. Department of Defense standards. Several commercial products can accomplish this task, including Blancco, WipeDrive, Max File Shredder, DiskDeleter, Acronis, and ShredIt. Cascade Asset Management (Madison, Wis.) uses WipeDrive, which "goes in and looks at the geometry of the hard drive, then overwrites everything, all the writable surfaces," says Kevin Myrant, security manager. Computers for Classrooms (Chico, Calif.), a nonprofit that refurbishes computers for schools and low-income families, uses Blancco and does three passes with the software to ensure data destruction, says Pat Furr, founder, president, and CEO. "It gives us a hard copy of the type of wipe, the serial number of the drive, and the success or not of the wipe." Some companies provide data sanitation services even for equipment that's not being recycled, such as lease returns. They wipe the data, ship the equipment back to the lessor, and provide third-party verification that the sanitization process took place.
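The three-pass overwrite and per-drive report described above (type of wipe, serial number, success or failure), as an added example that is not from the article or from any of the products it names. It runs against a constructed temporary file standing in for a drive; the pass patterns, record field names, and serial number are assumptions.

```python
import os
import tempfile

CHUNK = 64 * 1024
# Assumed pass sequence for illustration: zeros, ones, then random bytes.
PASSES = (b"\x00", b"\xff", None)  # None means a random-data pass


def wipe_image(path, serial, passes=PASSES):
    """Overwrite every byte of a file-backed image once per pass and
    return a wipe record: serial, wipe type, size, success."""
    size = os.path.getsize(path)
    verified = True
    with open(path, "r+b") as img:
        for pattern in passes:
            img.seek(0)
            for offset in range(0, size, CHUNK):
                n = min(CHUNK, size - offset)
                img.write(os.urandom(n) if pattern is None else pattern * n)
            img.flush()
            os.fsync(img.fileno())  # push the pass out of OS buffers
            if pattern is None:
                continue  # random data has no expected value to compare
            img.seek(0)
            for offset in range(0, size, CHUNK):
                n = min(CHUNK, size - offset)
                if img.read(n) != pattern * n:
                    verified = False  # read-back mismatch: pass did not stick
    return {"serial": serial, "wipe_type": f"{len(passes)}-pass overwrite",
            "bytes_overwritten": size, "success": verified}


def demo():
    """Wipe a constructed 1 MiB image and check the planted record is gone."""
    marker = b"CONSTRUCTED-SAMPLE-RECORD name=Jane Doe"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(512 * 1024) + marker + os.urandom(512 * 1024))
        path = tmp.name
    try:
        record = wipe_image(path, serial="EXAMPLE-SN-0001")
        with open(path, "rb") as img:
            marker_found = marker in img.read()
    finally:
        os.remove(path)
    return record, marker_found


if __name__ == "__main__":
    print(demo())
```

An overwrite issued through a file like this reaches only the blocks the operating system exposes; sectors a real drive has remapped or held in reserve are outside its view, which is one reason a read-back check and a recorded result per serial number matter.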

To get into the data destruction business, companies might need to obtain an enterprise license from one of the major software overwriting firms. "Most of them charge by the wipe, a wipe meaning not the number of passes but the number of hard drives or systems that you're wiping," Myrant says. License fees vary according to volume beginning at $3 a wipe and dropping to 25 cents a wipe for high-volume users. A startup also would need to spend a few thousand dollars for a server to run the software overwriting equipment.

When software can't do the trick, Plan B is degaussing—using a large magnet to pull all the information off the drive. "Degaussing basically destroys the drive; you can't use the drive after degaussing," says Ryan Laber, director of outside sales, large businesses, for Asset Recovery Corp. (St. Paul, Minn.), which started out recycling mainframe computers nearly 21 years ago. On modern hard drives, he notes, "the information is so compactly populated on the drive that you need degaussers of increasing strength." The problem is that there are "a lot" of degaussers "sitting around in corporate environments that aren't strong enough to adequately erase the drive," he says.

When disk erase software and degaussing aren't enough, companies turn to Plan C—physical destruction of the storage medium. Computers for Classrooms uses a drill press to punch holes through hard drives that don't fit into the degausser, or it shreds the drives upon a donor's request. Intechra takes a similar approach. "We use a hydraulic punch press that actually crushes the drive, puts a hole right through the platter," Sandlin says. "Then we'll take that drive back to our recycling plant and shred it." Cascade also uses a shredder—a Vecoplan slow-speed, high-torque model that cost around $50,000—to destroy hard drives.

What's the going rate for a good sanitization? The industry standard is $5 to $10 per drive, sources indicate. Recycling fees, on the other hand, range from as low as 10 cents a pound to 50 cents a pound. If electronic items contain enough precious metals—cell phones, for example—e-recycling companies sometimes will take them for free.  

Satisfaction Guaranteed
Some companies provide additional services to give customers a greater level of security. Intechra dispatches its own vehicles to collect customers' electronic assets, for example. "Because we have our own trucks, we can provide a secure chain of custody," Sandlin notes. "When we pick up the assets at a client's facility, it's us picking them up, not the freight company du jour." Bar coding and similarly detailed inventory tracking can follow the disposition of specific pieces of equipment, not just truckloads. "We're seeing a trend of companies not wanting to release data from their custody until they have a serialized list of what we're taking," says Cascade's Myrant.

A few recyclers allow customers to witness their equipment destruction in person or remotely via the Internet. If that's not enough, firms will perform the sanitization process at the customer's location. "We're able to wipe PCs booting on from a CD and sending a tiny little report to our server," Myrant says. "From a report standpoint, it's the same as if we were wiping them [in our plant]."

Whether they perform their services in-house or on-site, data destruction companies offer customers an array of reports and assurances that their data is gone for good. "Many companies, including ours, provide a certificate of recycling that specifies who the customer is, the lot number of the material they sent to us, and some verbiage about how we guarantee that the material has been processed in accordance with all federal, state, and local guidelines, and that any information deemed sensitive by the customer has been sanitized or destroyed," says Asset Recovery's Laber. His company follows the standards outlined in the National Industrial Security Program Operating Manual (DoD 5220.22-M)—the Department of Defense standard for hard-drive erasers—and all applicable laws under FACTA, the Financial Modernization Act (aka the Gramm-Leach-Bliley Act), the Family Educational Rights and Privacy Act, the Federal Information Security Management Act, the Public Company Accounting Reform and Investor Protection Act (aka Sarbanes-Oxley), and the Health Insurance Portability and Accountability Act. The latter requires that all electronic assets that contain protected health information be destroyed in a way that the data "cannot be practicably read or reconstructed." 

The Value of a Blank Slate
When a recycler is hired to not just sanitize the electronics but also to recycle them, the value it can derive from the equipment depends on a variety of factors: the item's age and condition, the process used to destroy the data, and the customer's requirements, to name a few.

Some customers allow recyclers to refurbish and resell electronic assets once they're completely sanitized. Recyclers estimate they can refurbish and resell about 30 percent of the end-of-life equipment they process. Large quantities of common items go to national and international brokers; unique items might wind up on in-house Web sites or eBay, with the two companies sharing the profits from such online transactions. "Consignment rates can vary, from splitting it 50-50 with the customer to giving the customer 70 to 80 percent of the value, depending on how much the equipment is worth," says Asset Recovery Corp.'s Laber.

Computers for Classrooms can refurbish about half the computers it receives, mostly those from hospitals, schools, state and local government agencies, and other organizations that favor reuse over recycling. The company will resell PCs with a minimum Pentium III microprocessor with 600 MHz at nominal prices to local schools and low-income families. For example, schools can buy a Pentium IV with a 40-GB hard drive, 512 RAM, and Windows XP for $135. The organization ships older models to schools overseas. "Last year," Furr says, "we sent 650 computers below Pentium III 600 to Peru … they are excellent for schools in other countries, where they can't get their hands on them" otherwise, she says.

If the sanitization process rendered the equipment unusable, the recycler still has the option to dismantle the item for parts or shred it for commodity recovery. "When hard drives are degaussed, they are ruined as hard drives, but they still have a value for scrap," Furr explains. "The disks are coated in titanium and the case is cast aluminum."  

Just the Eve of Destruction?
As people increasingly clean out their closets and drawers, as technological advances render more and more current devices obsolete, as the e-scrap collection infrastructure expands, and as governments further mandate electronics recycling and information security policies, the future of the data-destruction business looks bright. "I think of all the garages and attics out there filled with old computers that have never been sanitized, and someday those computers are going to hit some recycler," says NIST's Kissel. "Recyclers will look at this as a business opportunity and say, 'We can also offer sanitization and guarantee that we'll dispose of it properly...I smell money.'" That's great news for data destruction companies—assuming they operate their businesses prudently and meet their obligations under the law.

Kissel cautions recyclers that electronic devices generate a lot more headaches than data-free scrap commodities like metals and recovered fiber. "It's not just a matter of taking [products] in, cleaning them a little bit, bundling them up, and passing them on," Kissel says. "These products can contain significant amounts of incredibly sensitive medical and financial information that can cause issues," he says. Companies "just have to understand that and build that into their price model." If a processor allows a customer's confidential information to be compromised, for instance, it could run afoul of federal laws and face legal repercussions, not to mention the damage to its reputation.

E-recyclers tempted to cut corners ultimately may be set straight by the realities of the marketplace—to survive, companies will need to build a reputation for doing things the right way. "We're excited about being able to do this business in an upstanding manner," says Intechra's Sandlin. "It's not a situation where we need to resort to unscrupulous behavior. With 85 percent of discarded electronics going into landfills, with all the data security and environmental regulations that are out there, there's a real need for what we do." •

Theodore Fischer is a writer based in Silver Spring, Md.

Tags:
  • 2008
Categories:
  • May_Jun
  • Scrap Magazine
