How E-cyclers Are Doubling Down on Heightened Data Security Issues

With a digitization explosion in full force, we are producing data at near-unfathomable speed. And we’re discarding the devices that house that data at dizzying rates too. Electronics recyclers and refurbishers are hard pressed to ensure no information lingers on the hundreds of millions of devices that come through their doors. A simple data erasure may not be enough to do the job —not with the glut of financial records, personally identifiable data (PII), personal health information (PHI), and other sensitive and or classified documentation that’s mass-generated these days.

The volume of digital documentation will continue to increase exponentially and, with that pattern, demand for service providers to permanently reduce unwanted or unneeded data is becoming a global trend—especially among enterprises. Government and businesses’ electronic information is growing twice as fast as consumers’, according to the International Data Corporation, and much of that growth is happening within tightly regulated entities.

A fair amount of sensitive data tends to stick around, stored in enterprise data centers, on corporate and personal devices, and in cloud storage, and it just sits there, says Maurice Uenuma, vice president & general manager, Americas, Blancco.  That means there’s potential for it to end up in the possession of an unauthorized party or to leak.

IT assets themselves continue to evolve to hold increasing volumes of input. Even tiny shards of a drive may have recoverable data. To mitigate security risks, processors/e-cyclers need to implement effective software-based data sanitization, Uenuma advises.

While erasure entails removing or overwriting information, sanitization is a more thorough and permanent process; if any information is left at all it’s at such minuscule traces it can’t be recovered, even with advanced forensic tools.

For e-waste processors, including ITADs, mobile processors, and recyclers, complete data sanitization is essential for R2v3 (Responsible Recycling) and NAID (National Association of Information Destruction) certifications. Savvy down-stream purchasers tend to look for these certifications to know that refurbished equipment or recycled parts meet stringent data security standards.

Today’s gold standard for data erasure and sanitization is that of the National Institute of Standards and Technology (NIST) under the Department of Commerce.  But there are others.

Additional certifications such as the Service Organization Control (SOC) 2 Type 1 and 2 are also important, says John Shegerian, co-founder, Chairman/CEO of ERI.

“SOC 2 compliance certification is recognized globally for its rigor in the review of organizations’ systems and controls. It affirms that certified companies’ practices, policies, procedures, and operations meet the SOC 2 standards for security and data protection,” he says.

Newest on the block, specifically in data sanitization standards, is that of The Institute of Electrical and Electronics Engineers (IEEE). IEEE 2883-2002 applies to logical and physical storage applications. It’s a leap forward on the security front, developed to fill a widening information gap as technology progresses. It addresses more device types than earlier specifications, which typically only applied to hard disk drives. IEEE 2883-2022 also applies to solid state drives, USB drives, optical drives, among storage devices. 

To meet this new standard, e-cyclers will need to update their sanitization procedures to ensure that they are securely erasing data from each of these devices, which can be harder to do securely, says Farzin Arsanjani, president, HyperOffice.com.E-cyclers will also need to use specialized sanitization tools and procedures to ensure that data is completely erased.  

While technology and certifications evolve, data privacy laws are lagging. They exist but generally are only enforced when there is a breach, according to Joe Marion, president ASCDI- The ITAD Association.

“There needs to be greater scrutiny of the companies that are providing the refurbishment services before there is a breach,” he says.

Regulations lag because it takes time to see a problem and for lawmakers to move on it and fight it on Capitol Hill, Uenuma says.

“So, it’s a slow process to begin with. Technology evolves so fast there’s an even bigger gap. But we are seeing regulations starting to catch up,” he says.

Europe is leading the pack in privacy laws with general data protection regulations (GDPR), considered the strictest. GDPR fines are stiff—up to 4 percent of a company’s revenue—a sizable blow to the bottom line. But U.S. entities do not get to skate. Personal data collected in, or transferred from, any country that GDPR applies to are subject to the stipulations. 

Domestically, California is going out on its own to clamp down. The California Privacy Rights Act (CPRA) is similar to Europe’s GDPR policy.

Evolving regulations, new certifications, and fast-developing advancements in technology are keeping processors of used electronics on their toes as they work to void secondhand devices and parts of data and to maintain their overall integrity.

Much has changed in the last two decades in particular.

In 2002, 180 million people had a cell phone; that number has spiked to over 5 billion.  Most users replace them and other electronic gadgets within a few years because they want what’s newer, faster, or somehow better. They typically leave behind data. 

Shegerian calls out the Internet of Things (IoT) as one of the greatest contributors to e-waste and potential data exposure. Wearables are electronic waste. White goods now have TVs and computers embedded in them. Nest, Google Home, Echo, Ring, and even automobiles like Tesla are basically computers on wheels, he says.  

“These devices make our lives easier, but it should not be forgotten that they contain our personal data – more than ever before. When e-waste is improperly and irresponsibly disposed of, it’s easy for hackers to steal confidential, highly personal information. We must responsibly handle hardware and the data that’s embedded in it if we want to avoid a sharp increase in cybercrimes in coming years.”