When you have an electronic item that’s no longer needed or is broken and doesn’t work, it becomes e-waste. At that point, it may be refurbished, repurposed, or recycled. The 2020 Global E-Waste Monitor reported that 53.6 metric tonnes (about 59.1 million U.S. tons) of e-waste was generated in the world. That was an increase of 21% from 2015. The report estimated that the rate will reach 74 metric tonnes (81.6 U.S. tons) by 2030. It’s a mind-blowing amount of unused or broken electronics.
Smartphones, tablets, and computers are some of the common types of e-waste, and most contain rechargeable lithium-ion batteries. They need to be carefully recycled, starting with data destruction. If your business is giving away or selling old electronics to save time and money, there are legal and ethical implications you’re overlooking.
Understand the Ethical Implications of Improper E-Waste Disposal and Data Destruction for a Business
An ethical business owner is looking at more than the bottom line. You have an ethical responsibility to keep your customers’, workers’, shareholders’, and contractors’ personal and financial information private and away from potential theft.
Businesses have an ethical responsibility to operate in a way that protects customer data. If you’re processing credit cards, in possession of medical information or PII like an SSN or tax ID number, or keeping dates of birth, addresses, and phone numbers, it’s your responsibility to keep it secure and wipe that information from hard drives when an electronic device is no longer being used.
Plus, businesses need to promote environmental responsibility, which is also part of proper e-waste disposal. You cannot just toss your company’s older tablets and phones into the trash. E-waste harms the environment by leaching heavy metals into the soil and water. While today’s landfills are lined, there’s no guarantee that those liners will still be intact 100 years from now, and it can take plastic, glass, and other components longer than that to decompose.
If you hire a company to take them away without thoroughly vetting that company, it could be saving money by shipping things to other countries for processing. The problem is that other countries may use child labor or incinerate items without filtration, which releases toxins into the air.
What Are the Data Protection Laws in the U.S.?
Consumers have a lot of laws protecting them from harm when it comes to the information that’s collected on them. The Privacy Act of 1974 requires agencies to follow “Fair Information Practices” when gathering and handling personal information. Agencies are also restricted on how they can share that information with others. If a person’s right to privacy is violated, they are entitled to sue.
There’s also the Right to Financial Privacy Act of 1978 that specifies these protections for banks and other financial agencies. Banks, government agencies, and others must keep your personal information hidden and do everything possible to protect your PII. Since then, there have been several others.
- Privacy Protection Act of 1980
- Cable Communications Policy Act of 1984
- Electronic Communications Privacy Act of 1986
- Video Privacy Protection Act of 1988
- Telephone Consumer Protection Act of 1991
- Driver’s Privacy Protection Act of 1994
- Telecommunications Act of 1996
- Children’s Online Privacy Protection Act of 1998
- Identity Theft and Assumption Deterrence Act of 1998
One of the biggest laws today when it comes to data destruction is the Health Insurance Portability and Accountability Act of 1996. It requires health information to be kept private. Personally identifiable health information (PHI) must be protected at all times – past, present, and future. Healthcare providers, health plans, and healthcare clearinghouses have to ensure that any PHI is destroyed or kept secure to avoid theft.
To add to this, 2009’s Health Information Technology for Clinical and Economic Health Act mandates that any data breaches be reported to both the U.S. Department of Health and Human Services and affected patients.
The Gramm-Leach-Bliley Act of 1999 is another biggie. Anything like a bank balance, account numbers, and other private banking information is protected by this law. Banks, brokerages, insurance companies, and credit unions must keep your banking information private and secure.
Is It Really That Bad if You Don’t Properly Vet Your ITAD Specialist?
As a business owner, it’s imperative that you protect your employees, customers, contractors, and shareholders’ confidential information. If any PII is stolen as a result of improper storage or e-waste disposal practices, you’re to blame. You face lawsuits, government fines, and financial ruin. Even if you make it through the cost of legal fees, court settlements, and fines, your company’s reputation is shattered. You’ve lost trust.
When you have electronics that you no longer need, hire an ITAD specialist and have the documentation to prove you did everything right. As long as you have the documentation showing data was destroyed per the current legal requirements for your field, you’re protected.
It was all over the news last year that Morgan Stanley Smith Barney (MSSB) hired a company to decommission two data centers. The moving company they hired was not a data destruction specialist and hired an e-waste management specialist to help out. Eventually, the data destruction specialist was removed from the picture to save money, and electronics were sold to a third party with personal information still on the hard drives.
A year later, an IT consultant purchased some hard drives and found the PII. That consultant alerted MSSB. A few years later, MSSB decided to decommission hundreds of storage devices. In the process, they found that several dozen were missing. Those devices contained unencrypted private information of customers. It was another blow to their reputation and a breach of federal banking regulations.
The fines the company paid topped $60 million, plus there are settlements with individual states, too. New York’s attorney general joined other states in securing a $6.5 million settlement. While it didn’t bankrupt the company, it was a costly lesson to learn.
What Are the Best Practices for E-Waste Disposal?
When you have any electronics that are no longer needed, you need to ensure that data wiping or physical destruction takes place. Data wiping is done using one of several methods.
- Degaussing – High-powered magnets wipe information from magnetic devices like magnetic tapes, floppy disks, and older hard disk drives.
- Overwriting – Special software is used to rewrite nonsensical patterns of binary code over older material until it’s been rewritten so much that it’s impossible to get back to older information.
- Reformatting – You can restore a device to factory settings, but that’s not good enough for devices with PII. It may remove the connections to the old data, but the information is still buried deep within and can be accessed by someone with the proper knowledge.
If a device has no life left, shredding it into tiny pieces and recycling the glass, plastic, and metals is better. But, once you’ve done this, the item is no longer usable. For electronics that still have life left, overwriting or degaussing are often used before the items are refurbished for resale.
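The difference between reformatting and overwriting described above can be checked after the fact. The following is an added example, not part of the original article: it models a tiny "disk" in memory with a toy index sector, and the helper names (reformat, overwrite, verify_wipe), the sector size, and the SSN-shaped sample values are all constructed for illustration.

```python
import re

SECTOR = 64  # toy sector size (constructed, not a real disk geometry)
SSN_RE = re.compile(rb"\d{3}-\d{2}-\d{4}")  # SSN-shaped strings stand in for PII

def build_image():
    """Constructed toy image: sector 0 is a file index, later sectors hold records."""
    records = [b"name=A. Sample;ssn=078-05-1120", b"name=B. Sample;ssn=219-09-9999"]
    image = bytearray(SECTOR * (1 + len(records)))
    for i, rec in enumerate(records, start=1):
        image[i] = i  # index entry: file i lives in sector i
        image[i * SECTOR:i * SECTOR + len(rec)] = rec
    return image

def listed_files(image):
    """What a normal file browser would show: non-empty index entries."""
    return [b for b in image[1:SECTOR] if b]

def reformat(image):
    """Factory-reset model: only the index sector is cleared, data sectors stay."""
    image[0:SECTOR] = bytes(SECTOR)
    return image

def overwrite(image, pattern=b"\x00"):
    """Overwrite model: every byte of every sector is replaced with the pattern."""
    image[:] = (pattern * len(image))[:len(image)]
    return image

def verify_wipe(image, pattern=b"\x00"):
    """Post-wipe check: count residual PII hits and list sectors not matching the pattern."""
    expected = (pattern * SECTOR)[:SECTOR]
    dirty = [n for n in range(len(image) // SECTOR)
             if bytes(image[n * SECTOR:(n + 1) * SECTOR]) != expected]
    return {"pii_hits": len(SSN_RE.findall(bytes(image))), "dirty_sectors": dirty}

if __name__ == "__main__":
    img = reformat(build_image())
    print("after reformat :", listed_files(img), verify_wipe(img))
    img = overwrite(img)
    print("after overwrite:", listed_files(img), verify_wipe(img))
```

After the reformat step the device looks empty to a file listing, yet the verifier still finds both records in the data sectors. Only the overwrite pass brings the residual count to zero, which is the kind of result a wipe report should document.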
You want to make sure the company you partner with is certified by R2, NAID, and e-Stewards. If a company doesn’t hold those certifications, move on. ERI has all three and is also the first company to gain AICPA SOC 2 Type II. Plus, we have several ISO certifications in place, too. Not only are we experts in data destruction and e-recycling, but we ensure our employees and the environment are protected, too.
Reach out to ERI’s ITAD experts online or by phone to get your questions answered about e-waste recycling and data destruction that ensures your employees, clients, shareholders, and contractors are fully protected.