Records Management and End of Life Electronics, a Happy Ending?

It weighs less than a pound and can fit in the palm of an adult hand. It's made up of aluminum, stainless steel, plastic, and a host of other things. It can hold many secrets. What is it? A hard drive.

Most records managers know that the control and management of the information contained on a hard drive is one of their primary concerns. In every profession, it's what you don't know that can hurt
you. In the case of obsolete computer equipment, which is generally loaded with data, ignorance is not bliss.

Records management responsibilities traverse along many avenues: corporate, moral, historical and of course the practical day to day needs of simply locating proper information for internal clients and others in a secure fashion. But external forces are always hovering over every decision and every action a good Records Manager makes. Those external forces include the dynamic and ever changing trio of compliance, legal and regulatory issues.

Managing data includes managing media containing devices, i.e., all the electronics involved in your organization, from their birth till their death. Dealing with end of life electronics should not be the ugly stepchild of records management. It should be a premier part of the whole life cycle. Why? Because the trio of compliance, legal and regulatory issues can hit a brick wall when old electronics are kept too long and for the wrong reasons.

Here are 10 questions that should convey the collision that can occur when improper disposal and spotty data destruction are employed:
What happens if opposing counsel requests discovery material that should have been eliminated?

Does storing more than 4 computers or over 220 pounds of old electronics for more than a month mean you’re holding on to toxic waste?
Who in your company established the required e-waste conformance procedures so you comply with federal requirements such as HIPAA, SOX, GLB, FACTA and RCRA?

Is it a good idea to let your IT department handle hard drive destruction?

Will driving a nail through a platter, reformatting or up chopping the hard drive with an axe solve your privacy law obligations?
Which legal regulations govern your industry regarding the proper disposal of electronic media?
Do you have management support and a line item in your budget that enables your organization to comply with disposal and environmental regulations?

Do you really know what your company does with the computers that are replaced with new units—outside of, “Gee, I think our property management or IT folks handle it?”

Are you familiar with the 'Disposal Rule' of 2005?
Lastly, are you aware that board members, directors, owners, or CEOs can be held personally responsible for a failure to protect private information (especially on old electronics), which could result in civil penalties of up to $10,000?
"End of Life" electronics are security and compliance hotspots. Sixty-five of all organizations today have no practical approach to handling the proper disposal and destruction of confidential electronic data. So let's explore some facts and then look at a couple of proactive steps you can take towards establishing a judicious, planned approach that eliminates risk.
e-Waste is simply electronics that are obsolete, broken, or unwanted, and present an environmental hazard if not handled properly. When it comes to e-waste, probably the biggest danger for records management professionals is doing nothing. Hoarding old computers is a rampant practice and a dangerous one. What can be dangerous about letting old computers sit? Outside of the R.M. standard of trying to maintain “fresh and live” information so it can be accessed at a later time, there are two types of dangers inherent in keeping old media containing devices. The first failure is not recognizing you have an environmental hazard on your hands. The second is much more onerous, the failure to eradicate improper data handling can cause embarrassing incidents and exposure to data leaks.

Approximately 4 or more stored, obsolete computers can comprise a compliance issue. By ignoring any one of the environmental and data privacy regulations, a company can find itself at risk. According to the Resource Conservation and Recovery Act (RCRA) used electronics are hazardous waste if: 1) the used electronic equipment is no longer useable and has been determined to be a waste; 2) the material exhibits the characteristic of toxicity; and 3) the used electronic equipment originated from non-residential sources such as businesses, academic institutions, or government agencies. (While in some states disposal of personal electronics is not governed by law, everyone should be aware of the true dangers of toxic waste resident in a computer, and dispose of their used electronic equipment responsibly.)

Conditionally Exempt Small Quantity Generators - those producing less than 220 pounds (100 kilograms) of hazardous waste per month may prefer to manage it as hazardous waste due to the minimal requirements associated with the smaller waste volumes. For specific RCRA generator requirements, refer to 40 CFR 261, 262 and 273. One computer system usually weighs about 28 pounds. Since most computers and monitors are full of toxic elements it's best to conform to RCRA's basic compliance requirements (and legally it may be best to manage even small amounts of waste as "universal waste" and recycle responsibly). To view the full Resource Conservation and Recovery Act you can go to: http://www.eendusa.com/industry_overview.htm#rcra . You can also find this same information in EPA circular EPA530-N-007. Other laws probably apply to your organization, you can find an easy to read chart for your industry at http://www.eendusa.com/compliancechart.pdf .

It’s sobering to realize that you cannot bury your old computers and media containing devices. You must plan for their retirement and eventually make sure that there are adequate funeral arrangements, especially in the case of data. Assuming that an internal IT staff is "handling it" is like asking the bookkeeper to perform an audit. Retiring information technology assets is a demanding and full time job. An inadvertent release of sensitive data can send a blaze of bad PR your company’s way!

Stockpiled e-waste increases risk. Big risks include compliance fines of up to $10,000 for senior officers. Need more reasons? Employees are the Number One cause of security breaches which could spell ruin for a company. A Ponemon Data Breach Study “contends that each company surveyed in the study sacrificed roughly $2.5 million in lost business, based on their incidents” (Cost of Data Breaches Rises Sharply by Matt Hines, eWeek.com, October 20, 2006). Additionally, sitting equipment encourages theft and a potential loss of data. There are many ways to handle data destruction including the what, when and how it needs to be done. You may determine that on site verifiable destruction is your best option. However, it’s best to work with an independent electronic recycling firm that can give you options and advice depending on your type of media and security levels you require. Another risk factor is not having a proper data destruction policy and using it. Proper destruction can prevent your company from needless and harmful legal discovery.

There are many concerns, issues and challenges surrounding electronic waste and data destruction, so acknowledge that computer obsolescence is here to stay and start taking steps. Establish a solid e-cycling program, do research, attend conferences, ask questions and work with a reputable, local electronic recycler and data destruction company, one that can, for your peace of mind, provide traceable, documented and responsible materials disposition. Still wondering about the answers to some of those 10 questions? You can test your knowledge by taking an e-cycling quiz at http://www.eendusa.com/ecycling_quiz.htm
Here are six simple reasons that should compel all Records Management professionals to e-cycle: 1) Safeguard your data, 2) Prevent legal problems, 3) Improve the environment, 4) Green your company’s image, 5) Free up costly office space, 6) Reduce landfill usage.

Ignoring your e-waste problem is like wishing your garbage would take itself out, after a while it stinks. According to a Gartner IT Asset Management Conference 2006 Survey, "Ultimately, the most expensive cost associated with PC disposal is the cost for failure to dispose of PCs (and the data residing on the drives) appropriately,” As Records Management executives, you must start handling your end of life electronics properly, because the consequences of doing nothing or it wrong are severe.