The headlines say it all – more and more companies are getting penalized for improper disposal of IT equipment and electronic assets, exposing private data and files for potential bad actors to exploit. Here are a few recent cases that illustrate the trouble companies find themselves in:
- A leading healthcare company was hit with $4.9 billion suit following a data breach – they failed to respond to “recurring, systemic, and fundamental deficiencies in its information security.”
- A leading retailer had to pay a $7.4 million fine for throwing e-waste in dumpsters – anybody could pick through the trash for potential theft of information.
- A leading financial institution had to pay a $60M fine for not properly tracking and providing valid chain of custody documentation for retired data center assets.
These are huge fines that damage corporate bottom lines as well as reputations. Of course, the news captures the big companies and their mismanagement. But it’s not just large enterprise companies that are getting caught for poor electronic waste management processes. Every company that mishandles private information can run afoul of strictly enforced legal regulations.
No matter what size your company is, if data assets are improperly handled, you are at risk of being fined with large and damaging fines. You should know why this happens and how to avoid fines, and the associated news headlines.
Skyrocketing Data Breach Fines
Penalties are way up for companies that improperly dispose of IT assets with confidential data. This is often because the company takes the easier and “cheaper” ways of getting rid of old equipment. They can easily miss the necessary precautions that ensure private information is safely secured.
One hospital lost patient tapes and was fined $750,000. In another case, a hospital employee stole surplus computers that still contained patient health information. The employee tried to clean the hard drives and resell them at local computer store.
In another case, a school employee stole 10 laptops and sold them to different pawn shops. These instances expose the original companies that owned those devices to big-time penalties and bad publicity exposure. Yet, on the surface these offences seem relatively innocuous.
It’s not just computers. Copy machines are culprits as well. CBS News revealed that most copy machines built since 2002 contain hard drives that store an image of documents copied, scanned or e-mailed. Their investigation also revealed how retired copiers are prime target for hackers and identity thieves to exploit.
Major Offline Security Breaches
In an astounding and concerning case, military data was found to be at risk. “Highly sensitive details of a key US missile defense system have been found on the hard drive of a computer that was disposed of in California.” In another case, a New Jersey state employee pleaded guilty to official misconduct for his role in a scheme in which he and co-workers stole and sold computer equipment. Officials found that the employee was taking illegal payments from a recycling company in return for helping the company acquire more valuable merchandise for resale in auctions of surplus state computer equipment.
These kinds of cases are everywhere. If your company is lax in managing its private data, it could be next to be penalized by federal and state regulatory authorities.
Whether or not you’re exposed to the public, bad players could possibly steal information and it is your company’s responsibility to keep private information in your care from getting into the wrong hands. This requires understanding and following compliance rules and regulations.
Unfortunately, complying with the growing number of regulations regarding IT Asset Disposition (ITAD) is a difficult task. It requires knowledge of the regulations and the requirements, and showing proof that your company is complying with these rules. Documentation accompanying your activities is crucial. Typically, this is where companies find trouble in the electronics recycling requirements.
Nobody wants to pay these penalties. That’s why it’s urgent for you to assess your own ITAD practices, data destruction, server decommissioning, and device disposal or recycling. Proper tracking of chains of custody along with accurate documentation are crucial steps for avoiding huge fines and damaged PR.
Beware of Inherent Risks
Be aware that purposeful intent is not the only reason to be subject to fines. Ignorance and mistakes also put you at risk for penalties. It is the ignorance aspect of compliance that can create the most exposure for your company and its employees.
Common mistakes include using the wrong containers, not organizing different e-waste, throwing away e-waste on your own without appropriate documentation, and throwing away protected data when storage devices are improperly wiped. For any business in any industry, e-waste is a threat to their brand. If your company has no management plan for ITAD, or doesn’t know the requirements, it could only be a matter of time before you get caught and face consequences.
Consider the case of Walmart, which had been tossing all kinds of e-scrap into dumpsters for years. In 2013, they got caught by the State of California and vowed they would make significant changes to address the problem and would be compliant with the regulations. The company plead guilty to criminal charges of mishandling hazardous waste at its retail stores and was hit with $110 million in U.S. federal and state fines. In 2021, random audits found they did little or nothing to remedy the previous practices and continued tossing regulated e-waste in the trash. Now they’re being sued again! See the story: Walmart sued over disposal of e-scrap and other materials – E-Scrap News (resource-recycling.com)
How to Keep Safe & Compliant
Let’s face it, compliance can be burdensome. Most companies have difficulty allocating resources and training personnel to properly manage the IT equipment disposal, which is an ongoing requirement throughout the year.
Cutting corners is never a wise approach. Fortunately, your company doesn’t have to manage all this crucial information alone. The best way to mitigate this risk is to work with a National Association for Information Destruction (NAID) AAA Certified® ITAD specialist like Castaway to advise and assist you with your electronics end-of-life program.
For further information about how you can properly manage your IT assets and avoid penalties, give us a call at (978) 208-4730.