Matt Gartner, XL Specialty Insurance Company

Technology allows us to easily conduct business from anywhere in the world. But what happens when the next latest and greatest device comes along, ushering a once indispensable tool into the end of its useful life? In the United States alone, an estimated 400 million electronic devices are discarded each year, according to a 2007 U.S. Environmental Protection Agency study. That makes e-waste the fastest growing piece of the nation’s municipal waste stream.

While this creates business opportunities for recyclers, e-waste handling also presents a range of pitfalls. As e-waste contains lead, mercury, cadmium and other pollutants, it’s an environmental issue of growing concern, and some 24 states have adopted legislation banning the disposal of e-waste in traditional landfills. In addition to toxic chemicals, discarded electronics also may contain an individual’s or business’ proprietary information, which has to be handled appropriately. Data security is a constant concern these days, right up until the data containment device is destroyed. Thus, the recycling industry is now asked to verify the destruction of data along with the physical components that contain it.

In May, New York City’s municipal hospital system disclosed that confidential medical records from four Bronx facilities were stolen on Dec. 23, 2010, when a van was left unlocked and unattended. The hospital system was required to track down and notify 1.7 million people possibly affected by the data loss. A single missing hard drive could have similar consequences for an e-recycler.

Companies conducting business in the United States must navigate myriad changing privacy regulations, which often require them to immediately disclose (usually in writing) to customers any breaches of personal information. The costs involved with notifying customers about breaches can be substantial. According to Ponemon Institute’s Fifth Annual Cost of Data Breach Study issued in January, the average cost of a data breach has risen to $214 per customer.

Federal regulations mandate that there are no information security leaks in the lifecycle of data; this includes its destruction and recycling. Businesses storing tax records or employee information present a particular challenge to recyclers. While most people will try to wipe their hard drives clean before disposing of their old computers, only 5 percent employ an industry specialist or a third party to completely clean the system before disposing of their data-containing devices, according to an IBM survey.

Close Call in New Jersey

A recent situation in New Jersey highlighted the importance of data destruction. The state was about to auction off old computer equipment when an auditor intervened. More than three-quarters of the machines still contained confidential government information. It was reported that 46 out of the 58 hard drives that New Jersey was about to sell contained sensitive information, including social security numbers and files about child abuse victims. The incident revealed inadequate data destruction measures and almost non-existent record keeping that could potentially lead to a massive data breach.

Given the tremendous potential for identity theft and security breaches, companies should closely examine their risk management strategies, including employee training and insurance. Stand-alone cyber liability insurance has been around, in some form or another, for more than a decade. Insurers offer coverage for costs related to crisis management, business interruption, privacy notification or credit monitoring costs, and regulatory fines that a business might suffer following an incident such as an extortion attempt or privacy breach.

Today’s coverage is tailored more specifically to a business’ needs and may include a variety of other protections, including network security liability — privacy liability, media content services liability and extortion threat insurance — to protect a company against disgruntled employees, customers or vendors who have the ability to cause significant harm to a firm using technology.

Similar coverage is available for the e-waste handling industry. Through such coverage, e-recyclers may gain some degree of protection from pollution and privacy liability. It may also provide an added layer of confidence to customers, who are assured that their electronic data will be properly destroyed in the recycling process.

After all, everyone enjoys their privacy.

—Matt Gartner
XL Specialty Insurance Company
[email protected]