The Risk Of E-Waste At Your Company

May 27, 2010

Most security practitioners are not aware of a very real threat to their company’s image and reputation posed by e-waste. I was involved, as a consultant, in the physical security portion of a lengthy review concerning e-waste, which poses serious and often unmanaged environmental and data security threats to any company that decides to get rid of its old and out-of-date computers.

I watched a "60 Minutes" documentary with the intent of following computers dropped off by individuals in good faith to a recycling location, placed in a container and taken to China and dismantled for parts, pieces and metals by children. The old electronics have toxic components which can contaminate the people, ground and water in the areas where this takes place. Although my main focus is on the physical security aspects, I am also interested in the whole problem so I can articulate the complete risk picture to a client.

Discarded computers, servers and other electronic hardware make up one of the fastest-growing waste streams in the United States. Electronic waste or “e-waste” contains toxic substances such as lead, cadmium, mercury, and chromium. In addition, these devices often hold confidential or personal information saved on internal storage media. While a handful of retailers, resellers, and distributors handle e-waste responsibly, many dispose of electronics in a manner that threatens human health, the environment, and data security. As a result, companies that do not handle take-back electronics and e-waste responsibly face increasing public relations risk and potentially significant legal liabilities.

Computers and other electronic devices contain notable amounts of toxic metals. A typical desktop computer system has 57 grams of lead, 2.5 grams of barium, 0.01 grams of arsenic, 0.8 grams of antimony, and various amounts of other toxic metals.[4] Cathode ray tube (CRT) monitors contain four pounds of lead.[5] These toxics are dangerous to human health and the environment.

According to a white paper by TechTurn, a company in the forefront of clean tech recycling, while technology to safely refurbish or recycle used electronics is available, the majority of e-waste ends up in developing countries where it is often disposed of in a manner that damages human health and the environment. A United Nations Environment Program-sponsored report estimates that the transboundary movement of e-waste will soon reach 50 million tons a year, principally flowing into developing countries.[6] Disassembly frequently involves open-air burning and acid baths to recover metals. These practices expose unprotected workers to serious health hazards. A host of research documents toxics in the air, water, soil, and blood of town residents where e-waste is improperly disposed.[7] E-waste not shipped to the developing world is frequently discarded in landfills where it can potentially leach toxic substances like mercury, lead, and chromium into groundwater.

An increasing number of non-governmental organization (NGO) reports, news headlines, and government regulations focused on the environmental impacts of e-waste demonstrate growing stakeholder concern and underscore the importance of managing e-waste responsibly. Companies touting the environmental and security benefits of take-back or e-waste disposal programs are particularly vulnerable to criticisms of hypocrisy.

Activist NGOs are engaged on e-waste and have vocally criticized waste handlers for irresponsible practices. For example, the Basel Action Network (BAN), an advocacy group founded to curb the export of e-waste from the U.S., published a sneering criticism of EarthECycle for falsely claiming to recycle waste safely, when in reality it sells the take-back electronics downstream to the highest bidder. BAN tracked computer equipment that EarthECycle collected at a collection event in Pennsylvania to ports in China and South Africa. The story made it into the New York Times.[8] A 2008 General Accounting Office sting operation uncovered a similar operation and found 42 U.S. companies willing to illegally ship e-waste to Hong Kong.[9] NGOs stand ready to capitalize on any misstep in the handling of e-waste by a major retailer or corporation in order to raise awareness and generate momentum for e-waste legislation.

The environmental impacts and data security concerns surrounding improper e-waste disposal are on the media’s radar. A host of news sources continue to cite a seminal 60 Minutes piece that follows CRT monitors from Executive Recycling in Englewood, Colorado, to Hong Kong. 60 Minutes shows people burning waste to recover materials in Guiyu, China, one of the most “toxic places on Earth,” where seven out of ten local children have too much lead in their blood.[10] The media is already reporting on the disastrous impacts of improper e-waste disposal and has targeted individual waste handlers for imprudent practices. E-waste critics are becoming increasingly adept at connecting the dots between toxic e-waste dumps, irresponsible waste handlers, and the businesses that supply them.

Although under current Environmental Protection Agency (EPA) regulations companies can export used electronics from the U.S. with few restrictions, regulators and politicians increasingly place the onus on retailers and companies to ensure e-waste is handled responsibly. Nineteen states have passed laws mandating the recycling of electronics to stop products from contaminating landfills or being exported. Fourteen other states are considering similar legislation.[11] Furthermore, under new leadership, EPA is toughening regulations on the shipping of e-waste. New rules increase the documentation required at various stages of the transboundary shipping of hazardous wastes among OECD countries.[12] The EPA has also shown its commitment to greater e-waste stewardship. The agency has recently sought penalties totaling $37,500 per day from California-based ZKW Trading for failing to properly manage e-waste that it attempted to export to Hong Kong without providing the required notification.[13] Increasing stakeholder concerns over the environmental impacts of e-waste heighten the public relations risk and legal liabilities of improper IT waste disposal.

As security professionals, we must also consider data security issues in addition to environmental risks. Private electronic information remains on devices such as hard drives if it is not properly removed before disposal. Retailers also face the challenge of handling consumer returns which may contain sensitive or explicit material. A series of recent academic reports and news stories show that improper e-waste disposal can threaten a brand. Moreover, a host of regulations hold companies accountable for their handling of sensitive information stored on e-waste.

A string of recent reports spotlights the reputational risks of mishandling confidential or personal information. For example, two MIT graduate students collected 158 hard drives from eBay and other resellers and found that over 30 percent contained sensitive information, including credit card numbers.[14] A team of University of British Columbia graduate students recently found information about defense contracts between the Pentagon, Department of Homeland Security and Northrop Grumman, a large military contractor, as well as credit card numbers and family photos, on hard drives purchased in Ghana.[15] A different team of researchers discovered information about defense contractor Lockheed Martin, including a document detailing test launch procedures, blueprints of facilities and employee social security numbers, on a computer purchased online.[16]

Private and confidential data stored on computer hard drives also pose legal risks. The Health Insurance Portability and Accountability Act (HIPAA), Fair and Accurate Credit Transaction Act (FACTA), and The Gramm-Leach-Bliley Act (GLB) offer three examples of laws that require specific industries to implement and document electronic data destruction procedures. Similarly, the Sarbanes-Oxley Act requires businesses to protect confidential information that could devalue the company if compromised. Non-compliance subjects companies to regulatory fines or lawsuits.

Anecdotes demonstrating the risk of reselling returned electronics abound on the internet and in local media. In a case picked up by Fox News and a diverse set of bloggers, a Tampa Bay 6-year-old found hundreds of pornographic pictures on a memory card inside a PSP she received for Christmas.[17] Similarly, a 10-year-old in Tennessee, a 12-year-old in Chicago, and a 9-year-old in Oklahoma found pornographic materials on newly purchased MP3 players and digital cameras.[18] In each of these cases, it is likely that the retailers put returned items back on the shelf for resale. Retailers face a unique problem of handling consumer returns which may contain sensitive or explicit material.

In sum, e-waste poses serious and often unmanaged environmental and data security threats. Getting tied to damages caused by e-waste or compromise of sensitive data can create a public relations nightmare, and expose a firm to the financial and reputational risks of litigation.

Finding a responsible e-waste disposal provider is a task that is often overwhelming. A first-rate recycler will meet or exceed EPA disposal regulations and guarantee that it will remove all confidential information stored on a computer. Recyclers should also return value.

The best way to determine if a recycler is responsible is to ensure it is certified. The EPA’s Responsible Recycling Practices certification program (R2) offers one such third-party certification. The EPA developed and endorsed the standard in partnership with the Institute of Scrap Recycling Industries (ISRI), recyclers, equipment manufacturers, state and local governments, and public interest groups. In 2009 the American National Standards Institute-American Society of Quality National Accreditation Board (ANAB) announced that it would endorse organizations to certify recyclers under the R2 standards. Third-party certification bodies conduct audits and certify recyclers that meet the R2 requirements.[19]

Companies should carefully evaluate and compare recycling options, but the R2 certification offers a good starting point.

In addition to certification, I recommend evaluating e-waste handlers using the following checklist:

  • Provides logistics support, insurance, and favorable rates
  • Takes ownership of used assets
  • Meets or exceeds environmental standards set by the EPA and guarantees a zero landfill policy
  • Employs an International Association of Electronics Recyclers (IAER) or Institute of Scrap Recycling Industries (ISRI)-certified recycling process
  • Audits downstream partners
  • Ensures toxics in e-waste never go to the developing world
  • Removes asset tags and customer asset labels from equipment
  • Provides audit and tracking details on returned assets 
  • Puts assets to their highest and best use
  • Sanitizes electronics using Department of Defense-compliant and Health Insurance Portability and Accountability Act (HIPAA)-compliant data procedures

In conclusion, the environmental and data security risks facing organizations that handle used electronics are significant and must be managed. Increasing NGO, media, and regulatory scrutiny of take-back practices heightens the public relations risk and legal liabilities for improper disposal. By employing best practices and utilizing a responsible e-waste recycler, companies can minimize risk and cost and maximize value from their used electronics.

Chris Hills CPP, CRMP


.......................................................................................................................

[4] Esty Environmental Partners. “Environmental Imperative of Responsible E-waste Disposal: Science, Impacts, and Savings.” 2008. http://www.estyep.com/documents/EstyTechTurnE-wasteWhitePaperFINAL_000.pdf
[5] Government Accountability Office. “Electronic Waste: EPA Needs to Better Control Harmful U.S. Exports Through Stronger Enforcement and More Comprehensive Regulation.” August 2008. GAO-08-1044. http://www.gao.gov/new.items/d081044.pdf
[6] AFP. “‘Catastrophic’ e-waste fuels global toxic dump.” November 13, 2009. http://www.google.com/hostednews/afp/article/ALeqM5gYUlBYRTFfxF-TdqWYp83fYd8lPw
[7] Esty Environmental Partners. “Environmental Imperative of Responsible E-waste Disposal: Science, Impacts, and Savings.”
[8] Tom Zeller. New York Times, Green Inc. Column. “Few Rules for Recycling Electronics.” May 31, 2009. http://www.nytimes.com/2009/06/01/business/energy-environment/01iht-green01.html
[9] Government Accountability Office. “Electronic Waste: EPA Needs to Better Control Harmful U.S. Exports Through Stronger Enforcement and More Comprehensive Regulation.”
[10] 60 Minutes. “Following the Trail of Toxic E-Waste.”
[11] Oladele Ogunseitan et al. Science. “The Electronics Revolution: From E-Wonderland to E-Wasteland.” October 2009.
[12] Environmental Leader. “EPA Toughens Transboundary Hazardous Waste Shipment Regs.” December 29, 2009. http://www.environmentalleader.com/2009/12/29/epa-toughens-transboundary-hazardous-waste-shipment-regs/
[13] U.S. Environmental Protection Agency. “EPA Fines Monterey Park Firm for Defying Order on Electronic Waste.” January 20, 2010. http://yosemite.epa.gov/opa/admpress.nsf/0/af35e11510bad918852576b1006506c0?OpenDocument
[14] Tom Spring. PCWorld. “Hard Drives Exposed.” April 3, 2003. http://www.pcworld.com/article/110012/hard_drives_exposed.html
[15] Petti Fong. Toronto Star. “Secret U.S. Data Found on Cast-off Hard Drive.” June 23, 2009.
[16] Pete Warren. Guardian. “Anti-missile defence details found on secondhand computer.” May 7, 2009. http://www.guardian.co.uk/technology/2009/may/06/data-loss-lockheed-missile-defence
[17] Alcides Segui. Fox News, Tampa Bay. “Child Finds Porn on PSP.” April 13, 2009.