Chain of custody is the process of documenting the location and stage of e-recycling for the electronic devices that you’ve handed over to someone else for recycling. It’s essential that you know where your electronics are once they leave your business or organization.
Why is a chain of custody so important? If you cannot prove where your electronics are and those electronics contain personally identifiable information (PII), you face government fines and penalties, as well as legal action. PII is information like bank accounts, phone numbers, SSNs, addresses, biometrics, driver’s licenses/passport numbers, etc. In the wrong hands, this information can be used to commit crimes like identity theft.
There is sensitive PII and non-sensitive PII. Non-sensitive PII includes things that are part of public records, such as your ZIP code, gender, or date of birth. But, while it may be classified as non-sensitive PII, it’s still useful to thieves if they can combine it with sensitive PII like a driver’s license number. A good rule of thumb is for people to omit sharing as much of this as they can online, but there are times that consumers, clients, or patients cannot avoid sharing. It’s your company’s responsibility to keep PII safe.
Breaches and Potential Data Theft Caused by Improper Chain of Custody
One of the best cases detailing the importance of chain of custody in ITAD and e-recycling comes from Morgan Stanley’s data breach class-action lawsuit and government fines. It all started in 2015 when the company switched ITAD vendors to save $100,000. The new company hired a third-party e-scrap processor to wipe or degauss 4,000 devices and 8,000 backup tapes as the vendor decommissioned close to four dozen of Morgan Stanley’s old servers and data center equipment.
At first, all seemed to be going well and the e-waste company provided certificates of destruction and a database of all of the electronics that had been received. But, the vendor decided to switch e-scrap processors. Data was not destroyed before the devices were resold.
In 2017, an IT consultant reached out to Morgan Stanley to say they’d found client data on some devices. While the devices were capable of encryption protections, no one ever activated the software.
After an investigation, Morgan Stanley was told to notify former and current clients about the incidents. The U.S. Treasury fined Morgan Stanley $60 million and another $68.2 million was set aside for class-action lawsuit claims. Two years later, they were fined an additional $35 million by the U.S. Securities and Exchange Commission.
While this was one of the biggest chain of custody issues in recent history, Morgan Stanley is certainly not alone. NYC Health lost a hard drive containing the health information of more than 2,100 patients. The defective hard drive was supposed to be located at the NYC Health Hospital/Woodhull location, but it couldn’t be found. Staff had to be retrained regarding the proper chain of custody on all devices that are taken out of service.
Fines Can Be Costly
If you suspect there’s been a data breach due to improperly recycled electronics, malware, spyware, etc., the government requires you to take these actions.
- Secure areas related to the breach, whether it’s online or in your building, and make sure your IT team or breach response team takes immediate action.
- Cut access to any affected equipment or devices and take down any websites or pages that contain information that shouldn’t be visible.
- Hire a forensic team to find out why it happened.
- Talk to your legal team.
- Notify appropriate parties, including police and government agencies like the FTC.
- Notify anyone whose information was breached.
Failure to take these steps can increase the fines you face. If you step up and take action and responsibility, it works in your favor and can minimize fines and legal action. Always take action and look at ways to keep this from happening again.
You also need to look up your state’s requirements. Data breach notification laws are also set on a state level. For example, California law requires you to notify California residents if the data breach could or has resulted in the exposure of unencrypted personal information. You must notify them as quickly as possible. If more than 500 California residents’ PII was exposed, the California Attorney General has to be notified.
Medical organizations are bound by the standards listed in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These rules are in place to protect a patient’s information. If a HIPAA violation takes place, either unintentionally or intentionally, the possible fines are as follows.
- Tier 1 (lack of knowledge) – $100 to $50,000 per violation with an annual cap of $31,987
- Tier 2 (reasonable cause) – $1,000 to $50,000 per violation with an annual cap of $127,974
- Tier 3 (willful neglect) – $10,000 to $50,000 per violation with an annual cap of $319,865
- Tier 4 (willful neglect that has not been corrected within 30 days)n- $50,000 minimum per violation with an annual cap of $1,919,173
That’s just health organizations. Retailers and other companies that accept payments face Payment Card Industry Security Standards Council fines. There’s also the cost of hiring a company to do a forensic investigation to find the cause of the breach.
If data is stored and not protected, the FCC fines up to $500 per day for violations. In 2020, four carriers faced fines of more than $200 million for disclosing customers’ location information without proper permission or taking measures to secure the information.
How Do You Find an ITAD and E-Recycling Company With Strict Chain of Custody Policies?
How do you find a vendor that does follow the chain of custody procedures? Start by looking at the ITAD and e-waste vendor certifications. You specifically want a company that is certified by R2, e-Stewards, and NAID.
Ask if the company has an online portal where you can track your electronic assets in real time. If a company does not offer transparency regarding your electronics’ current location and stage of processing, you won’t have the level of proof you need to ensure your clientele’s PII is safe and secure at all times.
ERI offers Optec for free real-time tracking of devices and equipment the moment they leave your business or organization. If you want additional peace of mind, talk to us about on-site data destruction. Before your electronics leave your location, our team can destroy data on your devices while you watch.
ERI has eight certified e-recycling locations in the U.S. and global partners in 46 countries. Enjoy the security and protection that chain of custody provides with our services. How can we help?
Talk to our ITAD and electronics recycling team about your project. Whether you’re decommissioning a data center or clearing out your storage room of unused medical office equipment, ERI’s attention is on the chain of custody, data destruction, and recycling processes that protect our workers and the environment. Reach out to us with your questions and to learn more.