To see a list of state e-waste laws, click here.
To read about changing computer manufacturing technology, click here.
In 2007, 205.5 million computer products reached the end of their useful lives, according to the Environmental Protection Agency. But owners recycled only 18 percent of them.
As environmental consciousness takes hold throughout corporate America, however, companies are beginning to use environmentally friendly methods to dispose of their outdated computers, as well as cell phones and personal communication devices. A key concern is finding ways to assure that the stored data is destroyed to protect confidential and proprietary information.
About 20 states have eased the burden on corporations by passing laws requiring the computer manufacturers to collect and recycle their outdated equipment so it doesn’t end up in landfills. Although manufacturers have started eliminating toxic chemicals from their products, circuit boards and other computer parts often contain brominated flame retardants and polyvinyl chloride–both toxic. Traditional LCD displays (also being slowly phased out by equipment makers) contain mercury and arsenic.
“Most states that have an e-waste law put the burden on the manufacturer to take the financial responsibility for the obsolete product,” says David Wagner, an associate at Reed Smith.
Manufacturers sponsor periodic drop-off centers at local high schools, for example. Then they take the old computers and refurbish, resell or reuse their parts. But these laws don’t constitute a free pass to unplug old computers and dump them off without securely clearing the data first.
That’s because a tech-saavy person can quickly recover information a layman assumes has been deleted from a hard drive. In 2003, two graduate students at the Massachusetts Institute of Technology purchased 158 used hard drives from eBay and other sources for a total of less than $1,000. As part of their experiment, they recovered personal and corporate financial records, medical records and more than 5,000 credit card numbers.
“It comes down to, ‘Who do you trust?’ says Jeff Pederson, manager of operations for Kroll Ontrack’s data recovery product line. “If an equipment manufacturer takes that system back, you’re putting trust in their service that they’re going to get rid of the data. Ninety-nine percent of the time I assume they will. But are you going to entrust your company’s or your personal data to [the manufacturer], or would you rather take care of it yourself?”
For companies that would rather take care of it themselves, shredding is becoming an increasingly popular way to get rid of company data along with the hardware.
For example, clients ship large security containers filled with electronics to be pulverized to data-shredding service Back Thru the Future (BTTF). Within days of removing the circuit boards, BTTF employees feed the drives into a large shredder. BTTF checks to make sure the pieces weigh the same as they did whole and sends the customer a photo of the shredded hardware. Then they put several tons of particles in a truck and drive to a smelting plant. The aluminum remnants are melted down and formed into bricks of aluminum bullion.
“[Shredding] is quick, and it is a final solution,” Pederson says. “We’re not going to be digging through shrapnel trying to recover data.”
It’s also environmentally sound. According to BTTF’s Web site, recycling aluminum is 95 percent more energy efficient than producing it from ore and results in 95 percent less air pollution.
Shredding hard drives is complicated by the fact that parts of circuit boards are toxic and must be separated from the rest of the drive. But companies like BTTF manually remove circuit boards before shredding or use a high-tech conveyor belt to separate the fragments after shredding large loads. BTTF also shreds cell phones and PDAs and recycles the plastic. By shredding outdated communication devices, companies avoid the possibility that e-mails, contacts and other proprietary information will be stolen.
Other options for destroying data while recycling the hardware include degaussing and overwriting.
A degausser exposes a hard drive to a strong electromagnetic field, frying the drive and rendering it useless. It takes only a few seconds, and after the process the device can be used for spare parts.
For less sensitive information, overwriting hard drives with layers upon layers of random binary code renders any existing data unreadable. Different levels of overwriting provide different levels of security–from one pass through the disk up to 35 passes.
“The drive remains useful,” says Nick Harris, marketing director at CyberScrub, which makes overwriting software. “You can sell the hard drive to someone else. You still have a usable machine.”
However, overwriting can take a long time if the drive is large or damaged because, to be effective, every nook and cranny of information on the device must be searched and overwritten. So overwriting would probably take too much time to be practical for a company disposing of a large number of computers.
Unfortunately, vendors say legal departments are often slow to respond to data destruction needs and more reactive than proactive in creating company policy.
“A lot of smaller companies have no clue,” says Richard Hild, the destruction manager at BTTF. “They stumble upon us. When the legal department is interested, it’s because they’ve put out a fire, and they don’t want it to happen again.”
Michele Lange, director of legal technology at Kroll Ontrack, says the legal department should always be involved in decisions about destroying data. She has seen many “pretty Neanderthal” policies.
“It’s not uncommon, at a first meeting, to have a client show up with a box of hard drives and say, ‘We’ve been saving this in a closet,’” Lange says.
In-house counsel involvement in developing a data destruction policy is crucial because improper destruction can lead to sanctions or losing a case. In Keithley v. Homestore.com Inc., a magistrate judge recommended monetary sanctions on the defendants, in part because they recklessly allowed the destruction of important information. The defendants challenged the ruling, but in December a federal district court in California upheld the magistrate judge’s recommendation.
Moreover, trying to figure out destruction policies in the midst of a big case leaves environmental consciousness out in the cold.
“If you’re in the middle of a crisis, you’re not thinking about the environment one bit,” Lange says. “That’s the great thing about being proactive and planning: You can build in a green component [to your information management policy].”