Preventing Final Disposition Data Breaches – How to evaluate an ITAD vendor for your organization

By Jim Kegley

The IT asset disposition (ITAD) industry finds itself at the unique juncture of two important issues in corporate America that are attracting more scrutiny every year: data security and environmental responsibility. Businesses must secure data to protect customers and their bottom line, while simultaneously protecting the environment to comply with regulations and build goodwill in the community. Without a capable ITAD vendor, they will likely fail to accomplish either goal. The threats that weak ITAD processes pose to a company’s bottom line and reputation are already massive, and they grow every year.

E-waste is an example of a global news story that companies will spend more time addressing in the years ahead. The U.S. Environmental Protection Agency (EPA) estimates that 438 million new consumer electronics were sold in 2009. That same year, 2.37 million tons of electronics were retired, an increase of more than 120 percent compared to 1999. According to BCC Research, a market forecasting organization focused on science and technology trends, e-waste will continue growing indefinitely at 8 percent annually.

The scale of the issue is attracting more media interest every year. In January, The Economist reported on global e-waste and estimated that China alone retired 160 million electronic devices in 2011. CBS News covers the issue regularly, and special interest groups work actively to raise awareness as well. As regulators, elected leaders and environmental groups read more news stories about e-waste, they will naturally begin to ask what U.S. businesses are doing about it, ratcheting up pressure on companies to demonstrate their commitment to the environment.

Data Breaches are Threatening More Companies

As important as protecting the environment is, data security, or the lack of it, produces damaging headlines more often. The past few years have seen a steady stream of high profile breaches. In 2009, 57 BlueCross BlueShield of Tennessee hard drives containing data on over one million people were stolen from a storage closet. As a result, the company has paid more than $18 million in costs associated with the breach, including forensic fees to determine what was on the hard drives and identity theft protection for the impacted individuals.

In 2012, NASA suffered a data breach when an employee’s laptop containing personal information on over 10,000 employees was stolen from a car. This past January, Global Payments Inc. announced that its April 2012 data breach, which affected an estimated 1.5 million payment cards in North America, cost the company $93.9 million. The list goes on.

Such statistics and data breach examples are likely not surprising to the average ITAK Magazine reader. The vast majority of corporate executives who handle end-of-life ITAD issues for their company are well aware of how unforgiving mistakes can be – both financially and for their company’s reputation. What is less clear to them, however, is whether their company has the right process in place to protect against unsafe industry practices. What is the best method of destroying data on hard drives? Is it okay if an ITAD vendor uses downstream vendors to process e-waste? The answers to these questions are much more controversial than they should be.

What the industry lacks are standardized practices to ensure that the environment is protected and data breaches do not occur. The two main certifications governing IT asset disposition, R2 and e-Stewards, have made important steps in that direction, but the industry still has a long way to go. In order to identify areas that need improvement and measure future progress, it is helpful to understand how and why standards vary between certifications.

Knowing how the R2 and e-Stewards certifications are different means going back to their origin and the divergence that resulted in two certifications instead of one.

History of R2 and e-Stewards

The R2 Standard, or R2, began in 2006 as an effort to create best practices in the electronics recycling industry. Various stakeholder groups, including regulators, electronics recyclers, refurbishers, trade associations and Original Equipment Manufacturers (OEMs), developed the standards, which were the first of their kind. The EPA provided funding to facilitate the development of R2, and in 2010 R2 Solutions was formed to officially administer the certification, the most widely accepted accreditation among IT recyclers.

In 2010, e-Stewards came into existence after the Basel Action Network (BAN), an environmental justice organization focused on protecting developing countries from e-waste, decided not to participate in the final development stages of the R2 standards. They withdrew after two years over disagreements about export rules. BAN wanted to prohibit the export of e-waste to other countries, regardless of whether it was processed in accordance with R2 standards. BAN would go on to form e-Stewards.

In an industry that lacked adequate regulations to protect the environment and human health, the certifications were an important step forward. Both have the support of different recyclers and are accredited by the ANSI-ASQ National Accreditation Board (ANAB).

Where R2 and e-Stewards Diverge

The main difference between the two certifications is e-Stewards’ ban on the export of e-waste to developing countries. R2 does not support this ban, instead requiring due diligence to verify that downstream vendors handle e-waste according to R2 standards.

Under e-Stewards, sending equipment to an audited and responsible overseas recycling facility for processing would not be allowed. Critics argue that through this policy e-Stewards is actually harming the development of proper recycling in developing countries. This argument is a serious one. According to reporting in The Economist, a quarter of the world’s e-waste is produced by developing countries. As early as 2018, developing countries could overtake wealthier nations in the amount of e-waste they produce. These countries need to be building the infrastructure and developing the expertise to refurbish or recycle their own retired electronics.

With Proper Oversight, Foreign Recycling Can Work

The process for recycling plastic bottles is an example of how foreign countries can play a positive role in the recycling industry. Local governments in the U.S., for example, often send plastic bottles to foreign countries, such as China, to be processed. Companies in these countries then use the items to manufacture new materials and products that may end up being exported back to the U.S. As long as there is oversight of the process and the recyclers are legitimate, IT equipment could be recycled in a similar way.

Health and Safety Standards and Data Security

Other differences between the two certifications include how they deal with the management of certified companies’ environmental processes and impact. R2 allows recyclers to choose among ISO 14001, OHSAS 18001, RIOS and other standards. In contrast, e-Stewards delineates specific minimum requirements related to such things as air quality and CRT processing. Additionally, R2 allows individual facilities to be certified, whereas e-Stewards requires that all locations of a company be certified within 18 months of the first site certification.

Although both certifications address data protection, they do so mainly by pointing to other national standards, such as the National Institute of Standards and Technology (NIST) guidelines for media sanitization (NIST Special Publication 800-88). Because R2 and e-Stewards began primarily as an effort to deal with e-scrap, neither has produced best practices stringent enough to sufficiently protect against data breaches. Yet, by requiring adherence to the NIST guidelines, they seem to suggest that doing so is sufficient to protect data. It is not: the NIST guidelines describe how to sanitize media and how to verify the result, but they say nothing about who holds a device, and where, between the day it is decommissioned and the day it is sanitized. The BlueCross BlueShield and NASA breaches cited above were thefts of devices that still held their data.

Evaluating Vendors Based on Certifications

Even though certifications have helped to establish baseline standards for the industry, the lack of a certification should not automatically disqualify a vendor. OEMs such as HP, Dell and IBM, for example, are not certified by R2 or e-Stewards, but are known to have high standards and a good reputation in the recycling industry. However, these companies generally rely on certified “recycling partners” to conduct recycling activities on their behalf. These partners are increasingly qualified by the R2 or e-Stewards designation.

Some companies may choose not to be certified because their own internal standards are even more stringent than R2 and e-Stewards. For example, consider a company’s policy on shredding hard drives. An overwrite pass cannot be relied on to reach every cell of a solid-state drive (SSD), because wear leveling and spare (over-provisioned) areas hold blocks the host cannot address, and a read-back verification sees only the addressable range. Some organizations therefore destroy and recycle such devices rather than wipe them, as an extra precaution. The challenge these companies face is proving adherence to a credible, third party standard.

To demonstrate a higher standard, companies can pursue third party designations other than R2 and e-Stewards, such as a Service Organization Controls (SOC) report offered by the American Institute of CPAs (AICPA).

Lack of certification does not mean a vendor should be disqualified, and the converse is also true: certifications do not guarantee that IT equipment is handled in the safest and most environmentally responsible manner.

Know Your ITAD Vendor

The old adage “buyer beware” applies to the process of shopping for an ITAD vendor. R2 and e-Stewards set important minimum standards for disposition, but companies should perform their own due diligence to ensure their retired assets are being processed according to the highest standards.

Companies do not generally set out to find an adequate ITAD vendor that meets minimum regulatory and certification standards. They want excellent vendors that have the processes and capability to protect their bottom line and reputation. However, that means vetting a vendor thoroughly. The stakes are too high to risk a mistake.

The solution is to know a potential ITAD vendor’s processes before entrusting them with your assets. This should include a visit to their facilities to test whether their physical infrastructure and internal processes can deliver the services they promise.

How to Evaluate an ITAD Vendor

When evaluating a vendor, ask questions that go beyond whether they adhere to a particular certification. For example, certifications do not address whether companies can use subcontractors to pick up equipment, engage third parties to actually process e-waste, or ship unencrypted data-bearing devices without first sanitizing them. Below are three main areas for consideration:

Data security: Know your vendor, visit its facility and ask if it uses subcontractors. Understand its process for destroying data. The risk of data ending up in the wrong hands is reduced when data is destroyed before devices leave your site. If data remains on hard drives or other devices while they are in transit, there is a greater risk of loss or theft. The vendor should provide verification, per device, that all unencrypted data has been wiped before shipment: a record that identifies the device by serial number, states the sanitization method used, and states how the result was verified.

The environment: Technology assets contain pounds of toxic materials and chemicals, from lead and mercury to flame retardants. If companies do not have the capability to process IT assets internally – including demanufacturing them into base commodities for resale – then they must rely on third parties that may not have adequate environmental controls to ensure proper recycling. To retain control and eliminate reliance on multiple vendors, look for a partner that has the infrastructure in-house to refurbish or process e-waste. Schedule a visit with your vendor to see its facilities firsthand.

Third party audits: Consider other third party audits besides those required by e-Stewards and R2. For example, in addition to R2 certification, U.S. Micro Corporation recently achieved the American Institute of Certified Public Accountants’ (AICPA) Service Organization Controls (SOC) 2, Type II designation. As part of this audit, independent auditors evaluated and tested various controls at U.S. Micro, including those related to data elimination; information security; disposition; electronic inventory counts; human resources; IT change management; information systems operations; and other controls.
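The verification step asked for under “Data security” above, and the SSD caveat raised earlier in the discussion of shredding policies, can both be made concrete. The following is an added example written for this article; it is not code from the article’s author or from U.S. Micro Corporation, and it is not anyone’s product. It reads a drive image sector by sector, reports any sector that still holds data, and builds the per-device sanitization record a customer should receive before a device ships. The 64-sector images, the serial number and the “ACME” leftover file name are constructed for the demonstration; the sector size and the choice of SHA-256 are assumptions.

```python
"""Sanitization verification for a retired drive, with a per-device record.

Added example for this article; not code from the article's author or from
U.S. Micro Corporation. The drive images, serial number and the "ACME"
residual data below are constructed for the demonstration.
"""
import hashlib
import random
from typing import Dict, List, Optional

SECTOR_SIZE = 512  # assumption: classic 512-byte sectors


def find_residual_sectors(image: bytes, pattern: bytes = b"\x00",
                          sample: Optional[int] = None, seed: int = 0) -> List[int]:
    """Return the indices of sectors that are not filled with `pattern`.

    sample=None reads every sector (full verification). A positive `sample`
    reads only that many sectors, chosen pseudorandomly with a fixed seed so
    the check is reproducible (representative sampling, the weaker option
    described in NIST SP 800-88).

    Only the logical block range the host can address is read. On an SSD,
    data left in remapped or over-provisioned blocks is never visible here,
    so a clean pass cannot prove such a drive holds no data; that is why some
    organizations shred SSDs instead of wiping them.
    """
    if not pattern or len(image) % SECTOR_SIZE or SECTOR_SIZE % len(pattern):
        raise ValueError("image must be whole sectors and pattern must tile a sector")
    n_sectors = len(image) // SECTOR_SIZE
    expected = pattern * (SECTOR_SIZE // len(pattern))
    if sample is None:
        indices = range(n_sectors)
    else:
        indices = sorted(random.Random(seed).sample(range(n_sectors),
                                                    min(sample, n_sectors)))
    return [i for i in indices
            if image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] != expected]


def sanitization_record(serial: str, method: str, image: bytes,
                        sample: Optional[int] = None) -> Dict[str, object]:
    """Build the per-device record a customer should receive before shipment:
    which device, what was done to it, how that was verified, and the result.
    The SHA-256 of the image as read ties the record to the media it describes.
    """
    n_sectors = len(image) // SECTOR_SIZE
    checked = n_sectors if sample is None else min(sample, n_sectors)
    residual = find_residual_sectors(image, sample=sample)
    return {
        "serial": serial,
        "method": method,
        "verification": "full" if sample is None else "sample:%d" % checked,
        "sectors_checked": checked,
        "residual_sectors": residual,
        "passed": not residual,
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }


def constructed_images() -> Dict[str, bytes]:
    """Two 64-sector images: one fully zeroed, one with data left in sector 37."""
    wiped = bytes(64 * SECTOR_SIZE)
    dirty = bytearray(wiped)
    leftover = b"ACME-PAYROLL-2012.xls"  # constructed residual data
    dirty[37 * SECTOR_SIZE:37 * SECTOR_SIZE + len(leftover)] = leftover
    return {"wiped": wiped, "dirty": bytes(dirty)}


if __name__ == "__main__":
    for name, image in constructed_images().items():
        full = sanitization_record("HDD-0001", "overwrite-1pass", image)
        sampled = sanitization_record("HDD-0001", "overwrite-1pass", image, sample=4)
        print(name, "full verification passed:", full["passed"],
              "residual:", full["residual_sectors"])
        print(name, "4-sector sample passed:", sampled["passed"])
```

Full verification always reports sector 37 of the dirty image; a 4-of-64 sample finds a single residual sector with probability 4/64, so the sampled record will usually say “passed” for a drive that still holds data. That is the practical argument for insisting on full verification, or on physical destruction, in the record the vendor hands back.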

The Proper Role of Certifications

The R2 and e-Stewards certifications are competitors and each one is seeking to achieve the upper hand as the industry standard for proper recycling. This is not surprising given the growing global concern over e-waste and the attention regulators will increasingly place on its proper disposal. However, minor schisms between the two certifying bodies do not diminish the importance of the standards that they have set for the industry.

While some in the ITAD industry bemoan the lack of a unified standard and wonder if R2 and e-Stewards will join to offer one certification in the future, even that would not absolve companies of the responsibility to perform their own research when selecting a vendor – especially how they protect against data breaches. It is up to executives to carefully choose a vendor that sets standards higher than the certifying bodies. Investing the time to find the right vendor will make an organization more secure and a better steward of the environment, and also keep it out of unwanted data breach and e-waste headlines.

About the Author

Jeff Kegley is the Chief Security Officer for U.S. Micro Corporation.