The Risk Of E-Waste At Your Company

Most security practitioners are not aware of a very real threat to their company’s image and reputation posed by e-waste. I was involved, as a consultant, in the physical security portion of a lengthy review concerning e-waste which poses serious and...

The environmental impacts and data security concerns surrounding improper e-waste disposal are on the media’s radar. A host of news sources continue to cite a seminal 60 Minutes piece that follows CRT monitors from Executive Recycling in Englewood, Colorado, to Hong Kong. 60 Minutes shows people burning waste to recover materials in Guiyu, China, one of the most “toxic places on Earth,” where seven out of ten local children have too much lead in their blood.[10] The media is already reporting on the disastrous impacts of improper e-waste disposal and has targeted individual waste handlers for imprudent practices. E-waste critics are becoming increasingly adept at connecting the dots between toxic e-waste dumps, irresponsible waste handlers, and the businesses that supply them.

Although under current Environmental Protection Agency (EPA) regulations companies can export used electronics from the U.S. with few restrictions, regulators and politicians increasingly place the onus on retailers and companies to ensure e-waste is handled responsibly. Nineteen states have passed laws mandating the recycling of electronics to stop products from contaminating landfills or being exported. Fourteen other states are considering similar legislation.[11] Furthermore, under new leadership, the EPA is toughening regulations on the shipping of e-waste. New rules increase the documentation required at various stages of the transboundary shipping of hazardous wastes among OECD countries.[12] The EPA has also shown its commitment to greater e-waste stewardship. The agency has recently sought penalties totaling $37,500 per day from California-based ZKW Trading for failing to properly manage e-waste that it attempted to export to Hong Kong without providing the required notification.[13] Increasing stakeholder concerns over the environmental impacts of e-waste heighten the public relations risk and legal liabilities of improper IT waste disposal.

As security professionals, we must also consider data security issues in addition to environmental risks. Private electronic information remains on devices such as hard drives if it is not properly removed before disposal. Retailers also face the challenge of handling consumer returns, which may contain sensitive or explicit material. A series of recent academic reports and news stories show that improper e-waste disposal can threaten a company's brand. Moreover, a host of regulations hold companies accountable for their handling of sensitive information stored on e-waste.

A string of recent reports spotlights the reputational risks of mishandling confidential or personal information. For example, two MIT graduate students collected 158 hard drives from eBay and other resellers and found that over 30 percent contained sensitive information, including credit card numbers.[14] A team of University of British Columbia graduate students recently found information about defense contracts between the Pentagon, Department of Homeland Security and Northrop Grumman, a large military contractor, as well as credit card numbers and family photos, on hard drives purchased in Ghana.[15] A different team of researchers discovered information about defense contractor Lockheed Martin, including a document detailing test launch procedures, blueprints of facilities and employee social security numbers, on a computer purchased online.[16]

Private and confidential data stored on computer hard drives also pose legal risks. The Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), and the Gramm-Leach-Bliley Act (GLB) offer three examples of laws that require specific industries to implement and document electronic data destruction procedures. Similarly, the Sarbanes-Oxley Act requires businesses to protect confidential information that could devalue the company if compromised. Non-compliance subjects companies to regulatory fines or lawsuits.

Anecdotes demonstrating the risk of reselling returned electronics abound on the internet and in local media. In a case picked up by Fox News and a diverse set of bloggers, a Tampa Bay 6-year-old found hundreds of pornographic pictures on a memory card inside a PSP she received for Christmas.[17] Similarly, a 10-year-old in Tennessee, a 12-year-old in Chicago, and a 9-year-old in Oklahoma found pornographic materials on newly purchased MP3 players and digital cameras.[18] In each of these cases, it is likely that the retailers put returned items back on the shelf for resale. Retailers face a unique problem of handling consumer returns, which may contain sensitive or explicit material.

In sum, e-waste poses serious and often unmanaged environmental and data security threats. Getting tied to damages caused by e-waste or to the compromise of sensitive data can create a public relations nightmare and expose a firm to the financial and reputational risks of litigation.