Risk of Exposing Sensitive Materials when Repurposing Digital Systems

A Guest Blog Post by Mike Dejopopompak, EnCE

Recycling electronics is one of the best ways to keep toxic and hazardous substances out of landfills, and repurposing digital systems is a great way to make electronics available to a wider range of people and learning institutions. Although previous owners may attempt to erase data prior to discarding their old systems, eDiscovery and digital forensics efforts are often able to find surprising amounts of sensitive information. Then, when outdated and disused systems are discarded from corporations whose sensitive records may still be hidden within the circuitry, concerns about data misappropriation and identity theft become very real issues.

Importance of Component Disposal

Electronic components by their nature are highly recyclable. Nearly 60 percent of electronic devices can be used again, and nearly 40 percent more are able to be fully recycled back into their raw, original state. Disposing of these items in landfills can leach substantial toxins into the environment, including mercury and lead. In fact, improper disposal of electronics accounts for the majority of heavy metals within the solid waste stream.

When electronics reach the end of their life, or the end of their usefulness, proper disposal is vital, not only because of environmental concerns but because not following correct procedures may cause organizations to get slapped with stiff fines and other penalties. When this happens at the corporate level during widespread technological upgrades, the financial impact can be substantial.

Importance of Data Disposal

It’s clear that physical recycling and repurposing of electronics is the responsible choice, but how do you handle the data contained in those recyclable materials? In New Jersey, the comptroller’s office found that 80 percent of computers marked for public auction still had sensitive data on them from the previous owners, such as tax records and social security numbers. A federal audit conducted in 2010 showed that computers sold or discarded from NASA personnel still retained data that had not been properly removed. This point only illustrates how the data erasure process is much more complex than even rocket scientists realize.

Without properly erasing a hard drive, customer and client information including credit card numbers, records of online transactions, account information and private financial records can all be accessed by the right people — with the wrong motives. This can leave companies wide open to litigation, especially if eDiscovery and digital forensics efforts are able to show willful negligence.

The True Cost

The true cost of data breaches can range into the billions of dollars. Besides the immediate damages of potential identity theft, the cost of potential litigation, sanctions and loss of business due to a now-damaged reputation for lack of proper customer data protection can take a corporation out of the running completely.

By law, organizations are required to properly dispose of customer data with the same caution and attention to detail that is needed when disposing of physical electronic components. While companies are more than willing to spend millions of dollars upgrading to new electronics, they seem reluctant to commit to the much smaller investment for proper data disposal. What may seem like a waste of time and money can come back to haunt corporations in a very big way, if eDiscovery and digital forensics efforts are later able to recover sensitive customer data that should have been deleted.