Supply-Chain Services (SSI) is proud to announce that the company will be featured in the 1st annual Corporate e-Waste Disposal Summit. The event will be held in Chicago on July 30 – August 2. SSI will host a private facility tour prior to the conference kick-off. SSI will also conduct a workshop session, “Changing the Way You Look at Your Corporate e-Waste Process and Methods” that will give insights on best practices for company’s disposal program. Expected in attendance includes CIOs and IT executives from many Fortune 1,000 and Chicago-area companies. For more information about the Corporate e-Waste Disposal Summit, please visit www.corporateewaste.com. To learn more about SSI, please visit www.supply-chainservices.com.
Last week, the United States General Services Administration announced that the US federal government will be banned from disposing of old electronics in landfills. This measure falls in line with several individual state laws that enforce a landfill ban on electronics for both residents and businesses. Also announced was that federal agencies are now required to use a certified recycler for their e-waste disposal. This is a very significant step taken by the US government, the country’s largest consumer of electronics, which has faced scrutiny in years past on its e-waste disposal practices. This new measure will ensure that all government-generated e-waste is processed by e-Stewards or R2 certified recyclers.
This creates an opportunity for electronics recyclers who have R2 or e-Stewards certification, as currently there are only a handful of recyclers on the GSA schedule with either certification. To read more about the latest announcement by the GSA, see the story here.
The State of Illinois has seen much development of legislation regulating the disposal of electronics equipment by its residents. Just over two years ago, most residents had to pay for a recycler to take their old equipment off their hands. As a result, many people would store their old CRT televisions in a basement or garage until they were forced to deal with them. In 2010, the “Electronic Products Recycling and Reuse Act” provided free recycling of specific types of equipment for Illinois residents. Many municipalities began to partner with electronics recyclers to host electronics collection drives where residents could bring their items for recycling. In 2011, the law was improved to expand the types of equipment that would be eligible for free recycling. In addition to televisions, printers, monitors, computers, laptops, and MP3 players, residents are now able to recycle their old scanners, satellite and cable receivers, digital converter boxes, and more. One thing, however, that the Illinois law had previously failed to address was any penalty for residents who were still discarding their equipment in the garbage. Well, that has all officially changed. Beginning January 1, 2012, another stipulation of the law prohibits landfills from accepting any electronics devices for disposal. In addition, any resident who mixes electronics with their municipal waste subjects themselves to a $25 fine for a first-time offense, and a $50 fine for subsequent offenses.
What About Businesses?
Prior to the calendar turning to 2012, the “Electronics Products Recycling and Reuse Act” applied strictly to residents. However, the landfill ban applies to both residents and businesses. And since businesses are not afforded the same legal right as residents for free recycling services, many companies will have to develop new procedures to remain in compliance. They will have to find extra funds in an already thin budget to ensure that this equipment is managed and disposed of properly (unless the equipment has residual value, then disposal may be a revenue stream!). In addition to any potential fines for violating the landfill ban (which are much higher for businesses than for residents), companies face potential fines from the EPA for improper disposal, as well as penalties for lack of data security associated with hard drive disposal, and for violation of other Federal regulations (Sarbanes-Oxley, HIPAA, etc.). Most companies would agree that disposing of equipment in a responsible manner is the right thing to do. The problem is that when it becomes a cost for businesses to do the right thing, often they choose to be green in another way.
In South Carolina, a used computer was purchased on the secondary market. The buyer of the used computer found a hard drive that contained patient records from Behavioral Health Services, a non-profit organization that treats patients for drug and alcohol addictions. It is unknown how much the organization made by selling the computer. By spending a couple of bucks to have the data destroyed by a NAID (National Association for Information Destruction) certified electronics recycling vendor, this could have been easily avoided. Behavioral Health Services will likely have to spend thousands of dollars in credit protection services for the patients whose records were exposed. This incident is likely a result of lack of knowledge by the staff, tight IT budgets, or both. When companies retire their old IT equipment, this is one of the unfortunate unintended consequences of not following best practices for IT Asset Disposal.
Working in the electronics recycling industry, my company generates revenue from recycling electronics products such as TVs, computers, network gear, iPods, etc. It is safe to say that we benefit from the fact that manufacturers use potentially dangerous materials to make their products. If CRT monitors did not have such a high lead content, there wouldn’t be as much concern with how they are discarded, and thus companies like SSI (Supply-Chain Services, Inc.) would not be in business. However, I think that anybody would agree, including people representing the electronics recycling industry, that the best way to eliminate the negative environmental impacts of e-waste is for manufacturers to design safer products. While companies like SSI will surely suffer from this in the long run, I believe it is the only truly viable solution to the growing problems that e-waste poses.
There are several guides that manufacturers can follow to create safer products. The Electronic Product Environmental Assessment Tool (EPEAT) grades products on both required and optional criteria. Criteria include everything from the elimination of environmentally sensitive materials, to energy efficiency, to product longevity, and more. EPEAT has gained significant traction over the past few years, and many large purchasers of electronics (Fortune 500 companies, Federal Government agencies, etc.) are pressuring their suppliers (the manufacturers) to become EPEAT certified. EPEAT has become internationally recognized, with products in over 40 countries now certified at either Gold, Silver, or Bronze level. One limitation about EPEAT is that it is primarily product-specific, and doesn’t entirely tell you who the “greenest” manufacturers are.
Greenpeace has developed its Guide to Greener Electronics as an attempt to grade the manufacturers, rather than their individual products. Criteria are very similar to EPEAT’s criteria, with a focus on energy efficiency and elimination of harmful materials. Currently, HP tops the list with a score of 5.9 out of 10. Dell (5.1/10), Nokia (4.9/10), Apple (4.6/10), and Philips (4.5/10) round out the top 5. While this is a nice achievement for these companies to be recognized amongst their peers, Greenpeace doesn’t actually consider a company to be “green” unless they score 7 out of 10. This means that zero manufacturers are green according to Greenpeace’s requirements.
I am glad that these different ranking systems are becoming more widely recognized, and it is encouraging to see manufacturers actually striving to improve their scores. But the fact remains that the industry as a whole needs to step up its game in the “green” department. With the rapid pace of technological advances, and new gadgets coming out on a monthly basis, it is becoming increasingly crucial that these manufacturers take accountability for their products. While recyclers like SSI are doing their part to divert dangerous materials from the landfills, there is no better way to eliminate e-waste than to cut off its supply.
In many offices around the country, employees are becoming more and more mobile by swapping out their desktop computers for laptops, trading in laptops for iPads, and getting their hands on whatever latest mobile device has been released. This increased mobility has improved productivity by allowing work to get done from virtually anywhere; at home, on the bus, in the middle of the woods. Employees can connect with more people in more ways than most people ever thought possible. But is this increased mobility always a good thing?
Imagine that you are applying for a mortgage to buy your first house. Your loan officer, Michael, is very professional. He knows that this is your first experience with buying a home, and wants to help you avoid many of the stresses that are often associated with mortgage applications. So Michael suggests that rather than meet at his office for your first consultation, he will drive to your house to meet you. This is great, you think. The meeting lasts an hour, and you go over practically your entire life of the past three years. You give him pay stubs, income tax returns, credit card statements, the whole nine yards. The meeting ends and you are well on your way to homeownership. Or at least you think so…
The next day you get a phone call from Michael, and he tells you that his car was broken into and his laptop was stolen. The laptop contained all of the information that you gave to him the day before. What now? This scenario is all too real in today’s world of technology. The more mobile we get, the more often information is taken out of the security of our office. Having your financial records and information compromised is one of the worst things that can happen. But what if it were worse?
A recent Information Week article reports that the Department of Veterans Affairs has reported a stolen iPad, just weeks after deploying the tablets within their organization. Supposedly the device did not contain any confidential information on it. But what is most worrisome to me is that this iPad was not stolen from a car or an employee’s house. It was stolen out of an IT office at the VA. To me, this appears that a federal employee is responsible for the theft. Mortgage officers collect a lot of information, but nobody knows more about you than the government. They have medical records, background information, financial records, social security information, and more.
I don’t understand all of the ins and outs of cyber security, and what safeguards can be put in place to protect information on a compromised device. But this theft makes me nervous. I want to believe that the government has security protocols in place in the event of a theft. The fact that iPad dominates the tablet market share is a clear sign that it is a hot item, and likely to be stolen. But if a federal employee is willing to steal it, what security protocols can you really put in place?
Imagine you show up to work one day and you find a new assignment in your inbox: Dispose of the company’s old electronics equipment. So you search online for local electronics recyclers, and you find three companies that are located near your office. All of them have well-designed, professional-looking Websites. They all claim to process materials in compliance with all federal, state, and local regulations. So who do you choose? You compare prices and they are all relatively similar. So you pick one at random and give them a call. The sales representative sounds nice enough on the phone, so you choose his company. Three days later, your equipment is gone, and you tell your supervisor that you’re ready for your next task.
This is probably a typical process for many companies. However, there are many problems that can arise. First off, who are you actually giving your equipment to? Is this a real recycling company? How long have they been in business? Do they have the expertise to process CRT glass, toner, circuit boards, etc.? In reality, all you need is a cell phone and a computer to appear as if you are running a business.
In August 2009, 60 Minutes detailed its investigation of an electronics recycling company in Colorado. The footage showed that even though the company claimed to process in accordance with all environmental regulations, materials were being illegally exported to China. The video will show you how these materials are crudely separated by harmful measures to recover valuable materials. As a matter of fact, the management of that same company now faces several criminal charges for illegally exporting hazardous waste, outlined in this CBS article.
How do you avoid giving your equipment to a recycler like this? Let’s go back to the beginning when you are looking at your potential vendors. One good practice would be to evaluate the third-party certifications that they hold. You see that of the three companies, one is R2 certified, one is e-Stewards certified, and one has no certifications. You immediately eliminate the company with no certifications, but who do you select from the remaining two? There is much debate as to which certification is better: R2 or e-Stewards. Both of them are very good, and I will not go into a detailed comparison in this post. But the answer is that while either one of these certifications is a good requirement, certification alone is not enough to select a recycler.
The safest way to select your recycling partner is to visit their facility in person. By doing this, you get to meet their staff. You get to see their processes. You can look at their facility security. You can check for cleanliness. Is this a company that appears to be able to properly manage a truckload of your equipment?
You can ask these questions:
- How do you keep my equipment separate from other customers’ equipment?
- Where do you perform data sanitization for hard drives?
- Can you show me your chain-of-custody process?
- How do you process your CRT glass?
- What materials are exported out of the country? Why?
- How many security cameras do you have inside your facility?
Until you are satisfied with the answers to questions like these, you should not be satisfied that your recycler is properly managing your materials. Imagine that you selected the recycler who is now facing the criminal charges. Your boss comes to you tomorrow and tells you that your company is now being investigated because several computers were found overseas with your company’s asset tags on them. He wants to know who you sent the equipment to, and how you evaluated them. Telling him that “they had a nice Website” probably won’t be sufficient. Next time, visit your recycler!
SSI just attended IAITAM’s (International Association for IT Asset Managers) Annual Conference and Exhibition in Las Vegas, and thought it was a great conference. The first thing that we have learned from the world of IT Asset Management is that IT Asset Managers have a lot of stuff to do, and often they need to do this stuff with what seems like little support from upper management. Many companies are beginning to see the need for an IT Asset Management program; however, most of these companies are still defining what exactly their programs will consist of. The most comprehensive of programs will include everything from software asset management (SAM), to licensing compliance, to hardware discovery, to asset disposal, etc. Every company implements the majority of these functions in one fashion or another. But until recently, they have been fragmented throughout the enterprise. IAITAM has created a platform for asset managers to access a number of invaluable resources to do their jobs better.
Perhaps the most dynamic responsibility of the IT Asset Manager is disposing of IT hardware. At first glance, one might think “how hard could that really be?” But asset disposal is much more complicated than simply calling somebody to pick up your equipment. Hard drives must be cleaned, assets must be tracked as they leave the organization’s books, value must be recovered, environmental compliance must be ensured, etc., etc., etc. After looking at just some of the factors involved, it can be argued that asset disposal should have its own dedicated team to manage it. But why does it seem like it is always put on the back burner?
One reason could be that when an asset goes out the back door, there typically is a newer, shinier, faster device coming in the front door. This device needs to be configured, assigned to a user, deployed, installed, etc. Who manages this? Often it is the same asset manager that needs to find a final resting place for the old machine. This asset manager may not know that the company is exposed to millions of dollars in liabilities by losing one hard drive. Or they may not realize how much brand identity damage can occur from having a truckload of its computers found in the local landfill.
However, there is hope! This year at IAITAM’s conference, there were multiple sessions dedicated to the how-tos of IT Asset Disposal (some more valuable than others). There were even more vendors exhibiting whose core business is some form of asset disposal. And most important of all, IT asset managers are starting to become aware of the importance of a well-developed ITAD program. They may not have all of the information, but they are asking the right questions. We anticipate that this trend will continue, and we see a bright future for ITAD. What remains to be seen is whether it is bright enough to dim the shine of the new laptops being delivered tomorrow…
Protecting data in the retired assets is a complex issue that goes way beyond data destruction. It encompasses a variety of critical aspects. Based on our own experience and what we have learned from our stringent corporate customers, we have developed the following best practices blueprint for CIOs to select a technology asset disposal service provider.
What is the service provider’s chain-of-custody program?
The chain-of-custody program usually starts before receiving assets at the service provider’s facility. It involves a holistic view of the service provider’s entire receiving, processing and disposal process. The service provider must have detailed procedures and be able to answer these questions and many more.
- If transportation is the responsibility of the service provider, does the service provider have a logistics security program in place?
- What is the service provider’s facility security infrastructure?
- What is the service provider’s receiving procedure? o What is the service provider’s general processing procedure?
- For assets to be remarketed, do they only remarket tested and functional units so as not to violate domestic and international laws and/or certification standards such as Responsible Recycling (R2) and e-Steward?
- For assets to be recycled, do they have a good process in place either via manual demanufacturing or mechanical shredding?
What is the service provider’s procedure in executing a data destruction management program?
This is an extremely important issue whereby companies need to exercise highest due diligence via both paper and on-site audit. The critical areas warranting special focus include:
- Does the service provider perform the data sanitization in a secured area with access control?
- What is their data sanitization procedure?
- Does the service provider also have software and procedures for enterprise data storage units, cellular phones and tablets?
- Does the service provider have a NAID Computer Hard Drive Sanitization and Destruction certification?
For in-depth information, please read “Securing the Back Door on Data Security: Best Practices Blueprint on Technology Asset Disposition for CIOs.”
Few corporations, financial institutions and federal and state governmental institutions possessing significant consumer information in their systems have implemented proper controls over their technology equipment disposal protocols. They simply designate their purchasing department or a staff member in charge of salvage to handle the disposal process. Their primary concern is cost. They do not comprehend the laws, nor do they ask their recycling service providers key accountability questions about chain-of-custody programs, data destruction processes, certifications and report details. They do not involve their IT management and security officers when performing in-depth, on-site audits during the vendor selection process. Usually, the vendors with the lowest rates or those offering the most recovery value win the business.
The back-end security should involve the same scrutiny as the front-end security. Negligence may lead to millions of dollars in financial penalties, not to mention the negative publicity, loss of customer confidence and the danger of proprietary information falling into the hands of competitors or criminal perpetrators. Many governmental institutions and their contractors may also possess national security information, so any data breach could become a serious Homeland Security issue. The liability issues at stake are significant. These types of worrisome practices warrant the importance of outlining a best practices blueprint for CIOs regarding the management of technology asset disposal, particularly in an area as critical as data security and data destruction.
CIOs should institute comprehensive technology asset policies and procedures, such as:
- Define the pertinent technology assets.
- Develop precise procedures for technology asset retirement and disposal.
- Assign a dedicated manager or team to manage the process.
- Establish criteria for selecting a service provider.
- Clearly define the transfer of liabilities between the asset holder and the asset disposal service provider.
For in-depth information, please read “Securing the Back Door on Data Security: Best Practices Blueprint on Technology Asset Disposition for CIOs.”