March 2013

ITAD Certifications Insufficient

ITAD Certifications Important but Insufficient Tests of a Vendor’s Disposition Process

By: Jim Kegley, U.S. Micro Corporation

IT asset disposition (ITAD) is a young field relative to others in the broader IT industry, but it will need to grow up fast to keep up with the ever-increasing quantity of devices making their way into the workplace and home. This challenge should not be underestimated. According to the U.S. Environmental Protection Agency (EPA), 2.37 million tons of electronics were retired in 2009, an increase of more than 120 percent over a decade earlier. BCC Research, a market forecasting organization focused on science and technology trends, expects e-waste will continue growing indefinitely at 8 percent annually.

Statistics like these are causing notice from news organizations, regulators and special interest groups who are increasingly interested in how various industry players, from original equipment manufacturers (OEMs) to large companies, are protecting human health and the environment through their disposition practices.

Data breaches making headlines more often
While the environmental impact of e-waste gains attention as a recognized global challenge, data security breaches are already a common news story and concern among the general public. In 2012, for example, a NASA employee’s laptop containing personal information on over 10,000 employees was stolen from a car. This past January, Global Payments Inc. announced that a data breach in April 2012, which affected an estimated 1.5 million payment cards in North America, cost the company $93.9 million. The list of high-profile organizations impacted seems to grow longer each week.

Such statistics and data breach examples are likely not surprising to executives tasked with making decisions about their company’s disposition vendor. They know that data breaches can be devastating to a company’s bottom line and reputation, and that good corporate citizenship requires environmentally sensitive disposition. What is often less clear to them, however, is whether their company has the right process in place to protect against unsafe industry practices. What is the best method of destroying data on hard drives? Is it okay if an ITAD vendor uses downstream vendors to process e-waste? The answers to these questions are more controversial than they should be.

What the industry lacks are standardized practices to ensure that the environment is protected and data breaches do not occur. The two main certifications governing IT asset disposition, R2 and e-Stewards, have made crucial steps in that direction, but the industry still has a long way to go. In order to identify areas that need improvement and measure future progress, it is helpful to understand how certifications came into existence and why their requirements are different.

The R2 and e-Stewards split
The R2 Standard, or R2, began in 2006 as an effort to create best practices in the electronics recycling industry. Various stakeholder groups, including regulators, electronics recyclers, refurbishers, trade associations and OEMs, developed the standards, which were the first of their kind. The EPA provided funding to facilitate the development of R2, and in 2010 R2 Solutions was formed to officially administer the certification, the most widely accepted accreditation among IT recyclers.

In 2010, e-Stewards came into existence after the Basel Action Network (BAN), an environmental justice organization focused on protecting developing countries from e-waste, decided not to participate in the final development stages of the R2 standards. They withdrew after two years over disagreements about export rules. BAN wanted to prohibit the export of e-waste to other countries, regardless of whether it was processed in accordance with R2 standards. BAN would go on to form e-Stewards.

In an industry that lacked adequate standards, the certifications were a critical step forward. Both have the support of different recyclers and are accredited by the ANSI-ASQ National Accreditation Board (ANAB).

Where R2 and e-Stewards diverge

The main difference between the two certifications is e-Stewards’ ban on the export of e-waste to developing countries. R2 does not support this ban, instead requiring due diligence to verify that downstream vendors handle e-waste according to R2 standards.

Under e-Stewards, sending equipment to an audited and responsible overseas recycling facility for processing would not be allowed. Critics argue that through this policy e-Stewards is actually harming the development of proper recycling in developing countries. This argument is a serious one. According to reporting in The Economist, a quarter of the world’s e-waste is produced by developing countries. As early as 2018, developing countries could overtake wealthier nations in the amount of e-waste they produce. These countries need to be building the infrastructure and developing the expertise to refurbish or recycle their own retired electronics.

Certifications’ data security standards inadequate
Although both certifications address data security, they primarily recommend adherence to other national standards, such as the National Institute of Standards and Technology (NIST) guidelines for data sanitization. Because R2 and e-Stewards began primarily as an effort to deal with e-waste, neither has produced best practices stringent enough to keep a breach from happening. Yet, by requiring adherence to the NIST guidelines, they seem to suggest that doing so is sufficient to safeguard data; it is not.

Vet your ITAD vendor
The old adage “buyer beware” applies to shopping for an ITAD vendor. R2 and e-Stewards set minimum standards for disposition, but companies should perform their own due diligence to ensure their retired assets are processed according to the highest standards.

Organizations do not generally set out to find an adequate ITAD vendor that meets minimum regulatory and certification standards. They want excellent disposition partners with the processes in place to protect their bottom line and reputation. Doing that, however, requires vetting a vendor thoroughly.

The solution is to know a potential ITAD vendor’s processes before entrusting them with your assets. When evaluating a vendor, ask questions that go beyond whether they adhere to a particular certification. For example, certifications do not address whether companies can use subcontractors to pick up equipment, engage third parties to actually recycle the e-waste, or ship unencrypted data-bearing devices without first sanitizing them. Below are three important areas for consideration:

  • Data security: Know your vendor, visit the facility and ask if subcontractors are used. Understand how data is destroyed. The risk of data ending up in the wrong hands is reduced when data is destroyed before shipping devices offsite. A vendor should provide verification that all unencrypted data has been wiped prior to shipment.
  • Safeguarding the environment: Technology assets contain pounds of toxic materials and chemicals. If companies do not have the capability to recycle assets internally, they must rely on third parties that may not have adequate controls to ensure proper recycling. To retain control and eliminate reliance on multiple vendors, look for a partner that has the infrastructure in-house to refurbish or process e-waste. Schedule a visit to see their facilities firsthand.
  • Third party audits: Consider other third party audits besides those required by e-Stewards and R2. For example, in addition to R2 certification, U.S. Micro Corporation recently achieved the American Institute of Certified Public Accountants’ (AICPA) Service Organization Controls (SOC) 2, Type II designation. As part of this review, independent auditors evaluated and tested various controls at U.S. Micro, including processes related to data elimination; information security; disposition; electronic inventory counts; human resources; IT change management; and other controls.

The proper role of certifications
In the absence of more stringent industry standards, it is up to individual organizations to thoroughly evaluate and vet potential ITAD vendors. R2 and e-Stewards set baseline standards that the industry needs, but they are not sufficient tests of a vendor’s disposition process.

Executives entrusted with disposition decisions should verify that vendors have an audited, established process to prevent breaches and dispose of e-waste responsibly. By doing this, they can be a driving force behind higher de facto standards across the industry, whether the certifying bodies require them or not.

Jim Kegley is the founder, president and CEO of U.S. Micro Corporation, a major innovator and leader in enterprise IT data security. Headquartered in Las Vegas and with additional disposition centers in Atlanta and Dallas, U.S. Micro serves Fortune 500 companies and other organizations that demand the highest levels of data security and environmental stewardship.