Edition 96, November 2018

IT Asset Disposition in the Age of Cybersecurity

By Angie Ransom, Retail Division and David Brent, Vice President, Marketing and Business Development

In today's world of cybersecurity, much attention is focused on topics such as blockchain, machine learning and AI, improved penetration testing, application vulnerability testing, and more. Certainly, all of these are critically important in the effort to protect digital data. However, as governments, corporations and individuals struggle to do all they can in the fight against cyber thieves, it has become significantly more attractive, and ultimately more productive, for those thieves to strike at another potential vulnerability: end-of-life hardware (i.e., hardware that contains personal or private data).

Without a comprehensive, individual review of every major law, regulation, and standard regarding data privacy and protection of sensitive information, it bears mentioning that all of them ultimately require (either directly or by implication) policies and procedures for the destruction or sanitization of protected data in order to be compliant. With the acceleration of technology and larger on-board non-volatile memory (NVRAM), data security requirements have expanded to an increasing number of devices, compounded by the growing number of legacy devices many organizations have stockpiled. Warehouse scanners, POS devices, printers, cameras, smartcards, network devices, and copying machines are all likely to contain data. Across the nation, many legacy storage devices such as CDs and backup data tapes still exist in warehouses, storage rooms, and closets. Items such as televisions and monitors generally do not have NVRAM, but even screen "burn-in" can be a concern for organizations with the highest security requirements.

Even with a robust asset disposition policy, things can go horribly wrong. Assets will inevitably be processed by third-party service providers at some point in the disposition process, whether by providers with a core competency in data sanitization or further downstream by recyclers.
A PBS report (“Ghana: Digital Dumping Ground”) in 2009 highlighted the risk of failing to perform due diligence on service providers. A correspondent and several graduate journalism students from the University of British Columbia traveled to Ghana to document the mountains of e-waste shipped there from developed nations, including the United States.

ERIDIRECT.COM | 1-800-ERI-DIRECT (374-3473) | 7815 N. Palm Ave., Ste. 140 Fresno, CA 93711

In addition to the e-waste dumping grounds, salvaged hard drives were being sold in open-air markets. The locals acknowledged that cybercriminal syndicates would purchase them to retrieve any personal data they could find. A student purchased some of the hard drives for the equivalent of $35. As it turned out, one of these drives originated from a prominent U.S. government contractor. It contained sensitive contract data from the Defense Intelligence Agency, NASA, the Pentagon, and Homeland Security, including confidential TSA hiring procedures. No cyber-attack. No network breaches. No warning. $35 in an open-air market in Africa is all it took to obtain classified information.

The exporting of e-waste to developing countries remains a serious problem. The fundamental issue is that it costs significantly less to ship electronic assets to developing countries than to process them securely and responsibly. Container ships from Asia to U.S. ports will typically return empty, so it is extremely cheap to transport e-scrap to Asia. From there it is disseminated to other countries, including Pakistan and Ghana. There is currently no comprehensive U.S. law that prevents shipment of e-scrap to developing countries. There is an international treaty, the Basel Convention, that restricts the flow of e-waste to developing countries; however, the U.S. has not ratified that treaty. Regardless of legislation, the damage to brand and reputation, for a retailer in particular, can be severe due to consumer backlash. A 2018 study conducted by ERI identified 134 supplier sites of ITAD, e-recycling, or both that have been fined, de-certified, suspended, or have shipped e-scrap to developing nations. Unfortunately, the number of such incidents continues to increase.
The important takeaway is how crucial and urgent it is to carefully select and audit any supplier that is a key partner in your asset disposition strategy, ensuring it is doing what it commits to do. The following spotlight on the fate of one printer emphasizes the point.

Spotlight on the Lowly Printer

Printers are common devices found in corporate headquarters, retail stores, distribution centers, and warehouses. A printer's volatile memory clears when the device is powered down. However, depending on the model, printer NVRAM will retain sensitive data including embedded web server passwords, POP3/SMTP settings, recently printed documents, and related data. PostScript and PJL (Printer Job Language, a generic printing language supported by many laser printers) scripts are available on the Internet from both reputable and black hat sources to dump a printer's NVRAM; all that is required is a USB cable to connect to the printer. Accordingly, the NVRAM must either be cleared, or the device destroyed in a responsible manner, to safeguard the data.

Unfortunately, the following scenario is all too common. A vendor describes itself as a "company with global presence in the electronics recycling industry. Our facility is certified with R2 and ISO certification." Additionally, its environmental policy statement reads: "With our zero-landfill policy, [Vendor] guarantees no single piece of electronic device will end up in a landfill anywhere in the world and thus, reducing the liability of our clients and the damage done to the environment." Further, its website identifies it as being certified by the EPA and CalRecycle. However, the EPA does not certify e-recyclers, and this company's status with CalRecycle is inactive. Nor is it R2 certified; R2, along with the Basel Action Network's e-Stewards program, is one of the two recognized responsible recycling certifications.

The Basel Action Network (www.ban.org) is a non-profit watchdog organization focused on raising awareness of where e-waste eventually ends up, publishing results from the use of GPS trackers on devices such as printers. One printer from the referenced vendor was tracked by BAN as follows:

- July 6, 2017: Houston, Texas
- July 21, 2017: Carson, California
- Aug. 24, 2017: Port of Hong Kong
- August 28, 2017: Hong Kong, New Territories
- November 13, 2017: Port of Karachi
- November 22, 2017: Lahore, Pakistan

This case is just one of many examples reported by BAN. No matter how it happened, or who was responsible, the printer (and all of its data) ended up in Pakistan. The bottom-line question: is it an acceptable risk that your organization's and its customers' sensitive data end up in Pakistan?

Recommendations

Every organization must have robust policies and procedures for all potential data-bearing devices. More than just a "check box," organizations need to actively review and audit the third-party service providers handling data destruction and recycling, including a review of chain of custody, the downstream vendors of the primary service provider, and in-person observation of the service provider's operations and processes. Due diligence should include verification that the service provider is National Association for Data Destruction (NAID) certified, not just a member of that organization. It is straightforward to become a member, but certification requires rigorous evaluation and submission to random, unannounced audits that many service providers are not willing to allow. Further, and as recommended by the EPA, service providers and potentially their downstream vendors should hold R2 or e-Stewards certification (preferably both) at all facilities. Both require service providers to adhere to rigorous standards and documented methodologies. This helps ensure responsible e-recycling and prevents improper disposal that not only could result in a data breach but is hazardous to the environment and could result in fines and penalties to the source organization as the "generator" under RCRA.
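The chain-of-custody review recommended above can be turned into a mechanical check that runs over every asset on each export from the provider's portal. The following added example (not code from the ERI article or from any ITAD provider) audits a custody log for three of the review points: an unbroken chain of hand-offs, recipients limited to facilities you have audited yourself, and a certificate of destruction on record before any onward transfer. The record layout, the vendor names, the asset tags and the dates are all constructed for illustration.

```python
"""Added example, not from the ERI article: audit chain-of-custody records for
disposed assets against the review points above (unbroken custody, approved
downstream vendors, sanitization evidence before any onward transfer).

Vendor names, asset tags and the record layout are constructed for
illustration; a real ITAD portal will export a different schema.
"""
from datetime import date

# Constructed list of facilities the organization has itself audited.
APPROVED = {"Example ITAD (Fresno)", "Example Downstream Smelter"}

# Constructed custody log: one row per hand-off, each naming the party that
# released the asset and the party that received it.
CUSTODY = [
    {"asset": "PRN-001", "date": date(2018, 7, 6), "from": "HQ Houston",
     "to": "Example ITAD (Fresno)", "event": "pickup"},
    {"asset": "PRN-001", "date": date(2018, 7, 9), "from": "Example ITAD (Fresno)",
     "to": "Example ITAD (Fresno)", "event": "sanitize", "certificate": "COD-0001"},
    {"asset": "PRN-001", "date": date(2018, 7, 12), "from": "Example ITAD (Fresno)",
     "to": "Example Downstream Smelter", "event": "downstream"},
    {"asset": "PRN-002", "date": date(2018, 7, 6), "from": "HQ Houston",
     "to": "Example ITAD (Fresno)", "event": "pickup"},
    # Gap: the next record is released by a party that never signed for it.
    {"asset": "PRN-002", "date": date(2018, 7, 21), "from": "Broker LLC",
     "to": "Overseas Exporter", "event": "downstream"},
]


def audit_asset(records: list) -> list:
    """Return a list of findings for one asset (empty means the chain passes)."""
    findings = []
    records = sorted(records, key=lambda r: r["date"])
    sanitized = False
    for i, rec in enumerate(records):
        # The releasing party must be whoever signed for the asset last time.
        if i > 0 and rec["from"] != records[i - 1]["to"]:
            findings.append(f"custody gap: {records[i - 1]['to']} -> {rec['from']} "
                            f"on {rec['date']}")
        # Every recipient, downstream included, must be on the audited list.
        if rec["to"] not in APPROVED:
            findings.append(f"unapproved recipient: {rec['to']}")
        # Sanitization counts only when a certificate of destruction is cited.
        if rec["event"] == "sanitize":
            if rec.get("certificate"):
                sanitized = True
            else:
                findings.append("sanitize event has no certificate of destruction")
        # Nothing leaves the primary provider before it has been sanitized.
        if rec["event"] == "downstream" and not sanitized:
            findings.append(f"downstream transfer to {rec['to']} before sanitization")
    if not sanitized:
        findings.append("no certificate of destruction on record")
    return findings


def audit(custody: list) -> dict:
    """Group records by asset tag and audit each chain."""
    by_asset = {}
    for rec in custody:
        by_asset.setdefault(rec["asset"], []).append(rec)
    return {tag: audit_asset(recs) for tag, recs in by_asset.items()}


if __name__ == "__main__":
    for tag, findings in audit(CUSTODY).items():
        print(tag, "OK" if not findings else findings)
```

In the constructed log, PRN-001 passes and PRN-002 produces four findings: the custody gap between the provider and "Broker LLC", an unapproved recipient, a transfer before sanitization, and no certificate at all. The last two are the pattern behind the tracked printer in the spotlight: a device that left the primary provider with no evidence its data had been destroyed.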

This article was provided by ERI, the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States. ERI is certified to de-manufacture, recycle, and refurbish every type of electronic device in an environmentally responsible manner. ERI has the capacity to process more than a billion pounds of electronic waste annually at its eight certified locations, serving every zip code in the United States. ERI's mission is to safeguard organizations, people and the environment. For more information about e-waste recycling and ERI, call 1-800-ERI-DIRECT or visit https://eridirect.com.


Angie Ransom, Retail Division and David Brent, Vice President, Marketing and Business Development

Angie Ransom leads the Retail Division of ERI, the largest fully integrated IT and Electronics Asset Disposition service provider in the United States. Angie has worked with ERI for over 13 years, helping safeguard organizations. Her expertise includes retail products, program analysis, day-to-day operations, and compliance. David Brent is the Vice President, Marketing and Business Development of ERI. David has held executive-level positions in two public companies, entrepreneurial ventures, and consulting to organizations in a wide range of industries including energy, financial services, automotive, electronics manufacturing, and pharmaceuticals.