White Paper ITAD Misunderstandings

Don’t Build Your ITAD Program on Misunderstandings

ITAD is seldom budgeted, but can play an important role in meeting regulatory requirements and corporate compliance programs. Make sure your ITAD vendor can help you eliminate the data security and environmental risks associated with disposition of retired IT assets.

Misunderstanding #1 – My it asset disposition (ITAD) vendor assumes complete liability for data breaches and illegal e-waste disposal.

Did You Know?

It is your responsibility, as the equipment owner, to make sure your equipment is processed consistent with your data security standards and environmental regulatory requirements.

As work continues to move online and organizations are utilizing the cloud for storage, digital data can be found everywhere. This increased digitization of our lives has increased the risk of data breaches and at the same time, the introduction of more restrictive data privacy legislation.

Some of this legislation includes:

• The EU’s General Data Protection Regulation (GDPR)
• The U.S. patchwork of legislations which include the Californian Consumer Privacy Act (CCPA), Nevada’s Senate Bill 220, or “An Act relating to Internet privacy”, and the Maine Privacy Law—“An Act to Protect the Privacy of Online Customer Information”
• The U.S. industry specific regulations which include the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach Bliley Act (GLBA), the Fair and Accurate Credit Transactions Act (FACTA), the Payment Card Industry Data Security Standard (PCI DSS), and the Family Educational Rights and Privacy Act (FERPA)
• The Australian Privacy Act

In this new world, companies are taking a much more nuanced look at data protection and are seeking “unlimited liability” language in ITAD contracts.

Vendors who advertise unlimited liability may be the ones with the least to lose. In March 2019, Blancco published the results from a study demonstrating hard drives sold in the secondary market can many times still have personal identifiable information (PII). In addition abrupt bankruptcies, prison sentences and complete organizational withdrawals from business have plagued the electronics recycling industry over the last 10 years. Any representations of complete indemnification they have made disappear overnight. Besides the boom and bust nature of our industry, there are low barriers to entry in some segments of the ITAD and e-Recycling business. The trail of malfeasance left behind after closing their doors is much too common, leaving local governments communities and clients holding the bag.

Related Headlines:

• February 9, 2017 – Microsoft settles lawsuit with Arizona processor
• July 19, 2018 – Business owner charged with improper disposal of hazardous e-waste
• August 30, 2018 – Counties and landlord battle over e-scrap (CRT) liability
• November 29, 2018 – Total Reclaim owners enter guilty pleas for illegal export of LCD monitors
• December 6, 2018 – Former GES head receives prison sentence for improper hazardous waste disposal
• January 31, 2019 – Stone Castle CEO sentenced to prison for improper storing of hazardous CRT glass
• April 12, 2019 – Recycling executive sentenced to 3 years in prison for scheming to landfill and re-sell potentially hazardous waste

The common thread underlying all these headlines is a vendor cutting corners to save money, at the expense of a client or community. Client risks include bad press, data breaches, environmental disasters, disrupted chain of custody and lack of visibility as to how assets are ultimately disposed.

Larger ITAD companies will be much more rigorous in evaluating unlimited liability. On the one hand,a large company will have broad insurance coverage consistent with potential business risks. They will also be bound by corporate governance and if publicly traded, shareholder obligations.

At the same time, they will typically have more consistency and discipline to their operations and therefore be at a lower risk of loss or breach of personal information.

What is happening in the ITAD and e-Recycling industry?

Technology shifts and disruptions in our industry are the most common root causes for a vendor cutting corners. Adapting to new form factors of equipment, changes in data bearing devices and the adoption of internet of things requires continuous innovation in the ITAD and e-Recycling business. When LCD monitors displaced bulky CRT monitors, the recycling market was flooded with people getting rid of their outdated CRT monitors. These monitors contain leaded glass, a hazardous waste which is expensive to properly dispose of. Vendors stockpiled this leaded glass in warehouses and abandoned the material, leaving local communities and landlords saddled with the expense of disposing this waste. Most electronics contain precious metals including gold, silver, copper and palladium. The commodity pricing of these metals is cyclical. Fluctuations in commodity pricing and low barriers to entry invite short term players to enter the market.

Export bans – the next disruptor

Traditionally China has imported a large percentage of recyclable materials from e-waste. In 2018 China implemented their National Sword Policy which bans the import of certain types of solid waste, as well as sets strict contamination limits on recyclable materials. The amount of recyclables accepted by China decreased by about 90 percent.

In 2018, the recycling industry in Europe and North America diverted materials that previously went to China and Hong Kong, and sent to Malaysia, Taiwan, Thailand and Vietnam. This diversion is only a temporary solution as these countries are also evaluating the economic viability of accepting contaminated recyclables. This change in Chinese policy is dramatically impacting the recycling industry everywhere.

Misunderstanding #2 – Any vendor with multiple locations can service me globally.

Did You Know?

It’s harder than it looks. A global ITAD and electronics recycling program introduces complexities that do not exist with in-country programs. Regulatory issues need to be considered at the local, regional and country level. Resourceful problem solving from your ITAD vendor is needed to address tangled transboundary issues.

Global billing and value added taxes (VAT)

There are complexities associated with estimating and collecting duties, VAT and other taxes and managing varying payment methods. Expertise is needed in providing required shipping documentation and managing currency exchange rates. Your ITAD vendor will play an important role in how assets are priced and shipped and how invoices are formatted, distributed and approved. They should play a leading role in establishing workflow that is consistent with your business model.

Transboundary shipments of e-waste

Country-specific regulations govern handling and cross boundary transport of products and e-waste. If e-waste must be moved across country boundaries your vendor should be able to complete the process in compliance with country-specific legislation. This includes regulations governing transboundary movement and disposal of hazardous material and dangerous goods.

Audited handling of equipment across the globe

Your global ITAD and electronics recycling program will be supported directly by your chosen vendor and by subcontractors they select. Subcontractors are used to extend the vendor’s geographic reach, to handle transportation of assets, and to handle hazardous byproducts of electronics recycling. To ensure data security and environmental compliance through final disposition, it is important to understand how subcontractors are selected and audited, and how their performance is monitored over time. Your selected vendor should be able to demonstrate a reputable, standardized and rigorous program for subcontractor selection.

Systematic onboarding of new clients

Global ITAD providers will formalize agreements with new clients through standard legal and service documents. These formalized agreements enable vendors to support a consistent ITAD program globally. Documents will typically include:

• Master Service Agreement – a legal agreement outlining responsibilities of the vendor and the client.
• Statement of Work – detailing what type of equipment will be processed, data destruction, resale and recycling parameters, and reporting requirements.
• Service Level Agreements – parameters of services to be provided within specific timeframes.
• Onboarding Sequencing – a new program will be piloted at a single location and adjusted as necessary. Reporting requirements will be finalized during the pilot program.
• Country specific implementation plan – localized planning supports regional requirements and regulations while still maintaining a standardized program.

Misunderstanding #3 – ITAD and e-Recycling are typically handled by the same vendor.

Did You Know?

Most ITAD solutions end up being a two-tiered operation, where asset reuse is managed by one vendor and final recycling is done by a separate vendor.

Inherently, this model introduces disconnects in efficiencies, audit trails and traceability of assets, data and environmental metrics.

Working with a vendor who offers both ITAD and electronics recycling services can provide several benefits over a two-tiered approach. Accountability rests entirely with one company to ensure service levels, offering consolidated reporting, tighter environmental compliance and data security.

Often a single vendor solution is more cost effective and reduces carbon emissions from assets being shipped once to the ITAD vendor, and a second time to the electronics recycler. A two-tiered approach results in more handling and duplicate shipping, and introduces chain-of-custody complexities to your overall program.

Single-solution vendors are able to provide a more sustainable solution by improving the overall material recovery process because they have the ability to manage both reuse and recycling of the equipment. These companies are able to extract value at the product level, the component level (parts), and at the commodity level (precious metals, copper, aluminum and steel).

Misunderstanding #4 – I have selected a certified ITAD company, so my assets will be safely handled.

Did You Know?

Assets are most at risk during transport. Mistakes can be made as assets are moved, packaged and transported. This multi-step chain of custody introduces risks and vulnerabilities that need to be effectively managed.

Secure chain of custody

When the asset is resting at your facility or staged at the ITAD processing center, the security levels are highest. It is during transport that your assets are most vulnerable. You should work to ensure that your chain of custody is clearly defined, documented, secure, and as streamlined as possible. If a stray hard drive turns up during an audit, or worse yet, if it shows up years later in an unexpected place, your company’s ability to demonstrate sound and consistent processes and attention to detail will be critical to liability assessments.

Balancing security and cost

Achieving both secure and cost effective transportation can be conflicting goals, particularly with small shipments. Make sure you clarify with your ITAD vendor how your assets will be shipped. A first choice is using a TAPA certified carrier. These carriers cater to security conscious  companies and provide several above-and-beyond methods for transportation security  including GPS units, vehicle mounted cameras, and security cleared personnel.

Small shipments

UPS and FedEx offer trackable shipments with guaranteed delivery.

Pallet loads

These shipments, referred to as “less-than-truckload” (LTL) are most at risk as they will typically be shipped by a professional transportation company, but are not point to point shipments. The truck will make several pickups and may be routed to a dispatching center where some shipments are unloaded and reloaded onto a different truck. Obviously this can introduce risks in mishandling of shipments. Smaller loads can be placed in tote boxes and be sealed with numbered tamper evident seals for an additional layer of security.

Truckload shipments

A vetted transportation company will pick up a load and will seal the truck using a numbered tamper evident seal, witnessed by your employee. The truck will be driven directly from your location to the ITAD processing facility. The numbered seal is verified as matching and unbroken by the ITAD company when the truck arrives at their facility. If the truck shows visible signs of tampering (seals broken), the shipment is quarantined. Loads shipped as point to point are typically GPS tracked.

Shipping by company owned trucks

Some ITAD vendors own and operate their own fleet of trucks, typically smaller box trucks. The level of security offered greatly depends on the vendor and the processes they do or don’t have in place. Some important questions to ask include:

• Do they have background checked employees? To what level?
• Do they have defined processes for pick ups, shipoment verification and transfer of custody of assets?
• Are vehicles GPS tracked and secured at all times?
• Do they have documented contingency plans if the truck is involved in an accident?
• Are your assets co-mingled with assets from other companies?
• What insurance coverage do they maintain? Does it include cyber liability?

Direct shipment by client

Some ITAD vendors will allow a customer to use their own trucks and personnel to ship assets to the processing facility. In this case, the customer retains complete control of assets and handles direct transfer to the ITAD vendor. Note: Encrypted assets (depending upon the level and type of encryption) traditionally carry a lower risk of access by an average user. However, the nature of the data contained within the device warrants special care in line with the client’s requirements.

Options when transporting data bearing assets

Misunderstanding #5 – My Corporate Risk Management team is not worried about how we dispose of retired IT assets.

Assets are most at risk during transport. Mistakes can be made as assets are moved, packaged and transported. This multi-step chain of custody introduces risks and vulnerabilities that need to be effectively managed.

Demonstrability

Most companies talk about securing your data, ensuring equipment is handled in an environmentally responsible manner, and financial return on IT asset resale.

Beyond these immediate concerns, “demonstrability” is an underlying consideration that cuts across your entire program. At some point in time someone is going to want to take a closer look at how IT assets are retired. This may be a departmental audit or overhaul when you get a new boss. It may be your internal Accounting or Risk Management department. It may be an internal or external security audit. Industry regulations such as HIPAA, GLBA, FACTA or FERPA are driving companies to develop more structured and formalized ITAD programs. Privacy legislations, like the EU’s General Data Protection Regulation (GDPR) is forcing companies to revisit how data is managed internally.

For audit purposes, defined ITAD processes that enable you to demonstrate discipline, due diligence and best practices on how assets are handled and data destroyed are critical. Documentation (i.e. inventory reports and certificates of data destruction) provides proof that processes were followed and data was responsibly destroyed. Should you undergo an internal or external audit you can demonstrate that assets and data were disposed of in compliance, in a consistent, repeatable and predictable manner.

Standardized services across all facilities

ITAD and electronics recycling processing centers that operate to written standard operating procedures (SOPs) enable the vendor to provide a consistent and transparent service for their ITAD clients. Benefits include:

• Assurance that some offices are not shortcutting systems and bypassing protocols.
• Better accountability of how all assets are disposed of.
• Reduced logistics costs as handling is standardized and streamlined.
• Tracking and reporting systems to provide a clear audit trail from pickup to final disposition.
• Standardized invoicing and settlements.
• Guidance in laws and requirements that affect the transportation and processing of obsolete assets. This guidance protects clients from fines, fees and penalties and more importantly adverse publicity in the responsible disposition of assets.
• Defined roles and responsibilities to ensure repeatable processes and audit trails.