Over the past several years, it seems we hear about data security breaches more and more often. When financial institutions get hacked, this is especially alarming. Our SSN, bank account information, home address, etc., are out there in the hands of individuals that have bad intentions. But as consumers, we give out our information multiple times a day, usually in ways we can’t even imagine. The truth is, most of our information is already out there. How many passwords do you have saved on your phone and computer? If someone got your phone, could they open a banking app, social media app, Nest thermostat app and be “in” without entering a password? By the way, you should not have your password saved on a banking app on your phone for this very reason. Take the two extra minutes to enter your password.
The Industry of Data Security
The industry ACE Recycling is in is called IT Asset Disposition (ITAD). This industry is built around removing data securely, which makes sense considering all the data out there that would rock the world if it got out (think CIA). More recently, it has become central to the idea of a circular economy and the purpose of disposing of electronic equipment in an environmentally responsible way. Ensuring that toxic materials are disposed of properly and that materials are recycled for reuse, reducing the need to extract more, is all part of ITAD.
Like most things, electronic disposal and creation is a multi-faceted issue with enough information to write a book on. Electronics contain many toxic materials, such as arsenic, mercury, and lead. They also contain elements that are not harmful, but the environmental and human cost of the extraction of those materials is steep. Three of particular importance are cobalt, neodymium, and dysprosium. The latter two are rare earth minerals. These are minerals found sporadically within the Earth instead of being found in large seams like coal or copper. Therefore, they are not economically exploitable and are rare in any given area. With the pace of mining these materials accelerating as demand for electronics increases, they become rarer and rarer. By re-using the elements in current electronics and the various components within them, fewer of these elements are being pulled from the Earth.
The Human Impact
Cobalt is of particular concern because of the widespread exploitation of the people and the mines’ natural environment. Cobalt is used for various electronics and is a conflict mineral (or conflict resource). A conflict mineral is a natural resource extracted in a conflict zone that is mined and sold to perpetuate the fighting. The Democratic Republic of the Congo (DRC) harbors ⅔ of the world’s cobalt. Many mines in the DRC are small and unregulated, where child labor is widespread. What’s more, the political and ethnic dynamics of the region have resulted in violent armed conflict. This conflict is mostly financially supported by the mining and sale of cobalt. For every new electronic device we buy, we are, in some way, supporting militant groups and child labor.
In addition to this human cost, there is an environmental cost in creating new electronics. Ten tons of carbon dioxide is emitted into the atmosphere to produce 1 ton of laptops. By 2040, carbon emissions from the production of electronics will reach 14% of total worldwide emissions. There is 100 times more gold in a ton of mobile devices than in a ton of gold ore. Extending the life of electronics or harvesting the resources from them is far more sustainable than the current system. Not to mention, it has a more significant economic benefit than throwing them away.
Data Security Laws and Standards
Several data protection laws are in place at the Federal level. The Health Information Portability and Accountability Act (HIPAA) protects your health information, while The Family Educational Rights and Privacy Act (FERPA) protects student education records. The Wiretap Act and the Electronic Communication Privacy Act (ECPA) protect your communications (electronic or on “landlines”). Each state has laws in place to protect data at the individual and business levels as well. In addition to statutes, The Department of Defense, the National Security Agency, the U.S. National Institute of Standards and Technology (NIST), and various other institutions directly concerned with data security have data destruction standards and policies. However, the go-to industry standard for data erasure is the NIST report Guidelines for Media Sanitization SP 800-88 Rev. 1. This document is written for, and to, the business owner.
Techniques for Data Sanitization/Wiping
Media sanitization, data erasure, and data wiping are all names for the same process: making data on a device unable to be retrieved. The NIST report defines three categories of sanitization: Clear, Purge, and Destroy. Clearing data is “logical techniques applied to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques.” Simply put, restoring your device to factory settings or using on-device standard Read and Write commands would constitute clearing your data. These techniques can be applied by the average consumer, perhaps with a little help. Purging is “physical or logical techniques that render the Target Data recovery infeasible using state of the art laboratory techniques.” Purging data is what ACE Recycling does through a process explained below. Destroy “renders the Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for the storage of data.” Physical destruction is the result here, removing the device from circulation.
What Wiping Data Means
Imagine a book. Now imagine erasing every word from the book and writing over the pages with random letters. If you think of the data stored on a hard drive like the pages of that book, you get an idea of data erasure. The hard drive is “overwritten” with random 1s and 0s (computer language). One overwriting pass “hinders recovery of data even if state-of-the-art laboratory techniques are applied to attempt to retrieve the data”; however, most programs use multiple passes. Multiple passes have become unnecessary with the inclusion of a “verify pass.” The verify pass confirms data removal by selecting random places on the device to “check” for overwriting. According to the National Security Agency, data wiped using these standards is “permanently destroyed as to make any type of forensic data recovery impossible.” Complete data erasure destroys all data, including operating systems. Your hard drive is never booted. Thus, there is no access to data during the wiping process.
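The overwrite and verify pass described above, sketched as an added example (it is not ACE Recycling's or Active@ KillDisk's code). It works on a constructed file-backed image rather than a real drive, and it assumes a 512-byte sector and a final all-zero pass so the check has a known pattern to compare against; the function names are illustrative.

```python
import os
import secrets
import tempfile

SECTOR = 512  # bytes per sector (assumed for this illustration)

def overwrite(path, passes=1):
    """Overwrite every sector; the final pass writes zeros so verification has a known pattern."""
    sectors = os.path.getsize(path) // SECTOR
    with open(path, "r+b", buffering=0) as img:
        for n in range(passes):
            img.seek(0)
            for _ in range(sectors):
                final = n == passes - 1
                img.write(bytes(SECTOR) if final else secrets.token_bytes(SECTOR))
            os.fsync(img.fileno())  # push this pass down to the storage layer

def verify_sample(path, samples, rng=None):
    """Return byte offsets of sampled sectors that do not hold the final pattern."""
    rng = rng or secrets.SystemRandom()
    sectors = os.path.getsize(path) // SECTOR
    failed = []
    with open(path, "rb") as img:
        for index in rng.sample(range(sectors), min(samples, sectors)):
            img.seek(index * SECTOR)
            if img.read(SECTOR) != bytes(SECTOR):
                failed.append(index * SECTOR)
    return sorted(failed)

def demo(sectors=64):
    # Constructed sample "drive": a temp file filled with fake records.
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as img:
            img.write(b"SSN=000-00-0000;".ljust(SECTOR, b"x") * sectors)
        before = verify_sample(path, sectors)  # nothing wiped yet
        overwrite(path, passes=3)
        after = verify_sample(path, sectors)   # every sector checked
        with open(path, "r+b") as img:         # simulate a sector the wipe missed
            img.seek(10 * SECTOR)
            img.write(b"leftover".ljust(SECTOR, b"x"))
        missed = verify_sample(path, sectors)
        return len(before), after, missed
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

Sampling fewer sectors than the image holds makes the check probabilistic: an isolated unwiped sector is caught only if it happens to be among those sampled.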
ACE Recycling’s Data Security Standard
ACE Recycling adheres to the Department of Defense 5220.22-M and HIPAA specifications for data erasure; the foundation of both is the NIST report. We use a three-pass overwrite with verification, completed using the latest version of Active@ KillDisk. This verification comes in the form of a serialized printout of devices subject to the sanitization process. According to the NIST report, “verifying the selected information sanitization and disposal process is an essential step in maintaining confidentiality.” In addition to the software verifying the sufficient wipe of your data, we check ourselves. ACE Recycling takes a random sampling of the devices that have gone through the sanitization process. This three-tier system ensures data security, giving our customers peace of mind while keeping the device in circulation.
Which Data Security Path is Best for your Organization?
The best way to answer this is to consider the confidentiality level of the information on the device. In general, if the device is leaving the organization’s control, as it would be if you have ACE Recycling disposition it for you, it should be purged and validated, both of which ACE Recycling does. Clear should only be an option if the device is remaining within the organization. Data wiping offers an alternative to physical destruction, allowing the hard drive to remain in circulation, reducing electronic waste and carbon emissions. The NIST report clearly states that “organizations should consider environmental factors” when disposing of electronic waste. For most companies, purge “may be more appropriate than Destroy when factoring in environmental concerns…”
When to DESTROY
In general, destroy is an option only if the drive is not functioning or physically cannot go through the purge process. According to the NIST report, “The application of Destructive techniques may be the only option when media fails…other clear or purge techniques cannot be effectively applied…or when verification of Clear or Purge methods fails”. ACE Recycling adheres to this statement. Purge and Destroy achieve the same outcome concerning data protection. The main difference is the hard drive is taken out of the circular model when destroyed. In a genuine circular economy, items would be reused, refurbished, repaired, or reduced in consumption before the last resort of destruction.
ACE Recycling is committed to the security of your data and a circular economy. The NIST Report outlines a path to achieve both. With a focus on reusing as many materials as possible, we help lower technology costs, reduce environmental impacts, and make technology accessible to all.