What Exactly Gets Recycled when you Recycle Your Computer?

As electronics play an increasingly important role in our lives, electronic waste is growing. Effective management is the key to a sustainable future, and recycling is the best option for keeping toxic electronics out of landfill. So, what inside those machines is reusable?

A lot. Recyclable and reusable materials are found in significant amounts in every computer, as well as in peripherals.

Recyclable substances in your company’s computers

Throughout the country, batteries for some laptops and cell phones are required to be recycled in accordance with the Battery Act, signed into law into 1996. The batteries are often nickel metal hydride, nickel-cadmium or lithium-ion. Metal oxide can be extracted from these batteries for reuse.

Valuable metals including gold and copper are found in high volume in computers. Both are prized for their conductivity and resistance to corrosion, with gold being almost entirely corrosion-resistant. With so much of these metals appearing in circuit boards, a large quantity of circuit boards is a goldmine (pun intended): one metric ton of circuit boards contains between 40 and 800 times the concentration of gold ore, and 30 to 40 times the concentration of copper ore typically mined in the United States. Power cords also contain plenty of reusable copper.

Plastic is reusable too. High-impact polystyrene is often used in computer and external drive casings, and often makes up most of your mice and keyboards. This useful material can be recycled as a great many items, such as insulation, packaging, casings, and even plastic eating utensils. Recycling polystyrene makes good financial sense for manufacturers too; with oil prices rising, used polystyrene is a less-expensive resource for making new plastic parts.

So when your company recycles its computers, you’re contributing both to environmental protection, and to industry in equal measure. It’s a clear win-win.

When you recycle your electronics, you already know that you’re helping the environment. But you’re doing more too: You’re contributing to the growth of a young industry that is creating jobs all over the country at a fast pace.

In October 2011, International Data Corporation (IDC), a reputable global IT and consumer technology market research and advisory company, published a study indicating that the U.S. electronics recycling market has grown a great deal in the past decade.

Last year, the e-cycling industry in the U.S.:

• Contributed $5.2 billion to the U.S. economy (up from less than $1 billion in 2002)

• Employed more than 30,000 full-time employees (up from 6,000 in 2002)

• Collected and processed domestically more than 3.5 million tons of used and end-of-life electronics

With emerging e-cycling policies covering a large percentage of e-waste in the state of Minnesota, and 30 other states today, a great deal is happening to close the e-waste gap. But a gap remains nevertheless. RenovoData Services is working to close it by providing low-cost electronics recycling to homes and businesses, while also expanding economic opportunity in the Twin Cities metro area.

We know that these days, jobs matter. Our valuable staff includes management, sales, drivers and a hardworking team of people who break down the equipment by hand. We are proud to hire and train local staff members who make our important work happen. And we are equally proud to be part of a growing movement to help out our environment, and as we do so, the economy.

How much would a data security breach cost your company? The answer is difficult to predict, and almost as difficult to determine after the fact because of the soft-number impact arising from damage to reputation, stock value and product sales. And the problem of data loss is on the rise, hitting high-profile corporations with alarming frequency and making headlines on a regular basis. Major U.S. defense contractor Lockheed Martin is just the latest big name in a string of malicious cyberattacks. Their breach is rumored to be linked to their use of RSA’s SecurID, a two-part authentication system provider that was infiltrated in March 2011.

Lockheed Martin is a salient example of the increasing overlaps between firms and the inherent risks involved with such close technological relationships. When one company employs technologies owned by others (often many) just to perform daily operations, security risks appear in countless areas, and are impossible to control outside the boundaries of each firm’s distinct system. Despite this built-in risk, it is the case with virtually every business today. In fact, because of the use of de rigueur innovations like externally controlled record management systems, and the current advent of cloud computing on the horizon, the lines between one firm’s system and another are getting fuzzier. One company’s security problem easily becomes another’s in short order, so adopting strong security measures in-house is becoming more crucial all the time. But many companies are lagging in integrating effective security structures into their systems and practices, or even to finding up-to-date information about them, so there is no end in sight to the recent rash of attacks on data security.

Yet, the results are serious and the costs very steep. Detection, investigation, containment, and the many aspects of recovery and changes in operation after the attack all add up to a heavy expense burden for each victim organization. Add to that the effects on public relations and stock market value, and the long-range cost of a data security breach is virtually impossible to determine, even in approximate dollar amounts.

No one can budget for a breach. But being able to make a useful estimate may make or break a corporation’s future. A recent Forrester survey found that 25% of respondents did not know the cost of data security breaches, or did not know how to calculate it. According to Forrester Senior Analyst Khalid Kark, however, most firms would be forced to absorb a variety of costs, some high enough to put them out of business. So even if the precise dollar amount cannot be planned for, a critical element of business planning involves determining an approximate cost of data loss.

As a starting point, consider the costliest kind of attacks. Numbers taken from the Ponemon Institute show that the attacks carrying the highest price tag come from malicious insiders, malicious code and web-based attacks. These also comprise 90 percent of all cybercrime in a given year. Consider also the different areas of work involved on the victim’s side of a cybercrime. Legal fees, call center costs, marketing and PR, notification costs and discounted product offers, lost employee productivity and contractor pay all comprise expenses a company can expect to incur in the case of a single data breach. Some of these risks and their attendant costs can be avoided through end-of-life plans including hard drive shredding. Companies such as RenovoData Services in Eden Prairie, Minn., provide this service for a fee. It may be an additional expense, but the costs of keeping intact drives for malicious insiders to find and exploit is far higher.

Is there a way to calculate an estimated cost?

A helpful estimate can be determined with the right tools. In 2007, Darwin Professional Underwriters, Inc. created the Tech//404© Data Loss Cost Calculator to determine the approximate total expense associated with most data breaches. Its proprietary algorithm calculates potential costs across three categories: internal investigation, customer notification/crisis management and regulatory/compliance expenses. Through inputting the number of records lost, a business can get instant estimated numbers appropriate to the scope of an actual breach or a hypothetical one. It will not include soft-number costs related to potential lawsuits or those arising from changes in reputation or stock price.

What it will do for your business is offer a way to arrange your thinking about the realistic cost of data security breach and offer a worst-case scenario in terms of dollar amount. What it cannot do is offer protection against future cyberattacks. In this increasingly technological world, the best protection is vigilance in security, sound system integration and self-education about the best, most current security methods. In other words, human vigilance and ingenuity.

Will your company upgrade any of its computers this year? If so, you will have hard drives on your hands requiring secure retirement. Destruction is the only truly secure way to retire data, so tracking down a destruction contractor will be your first step. But you need to know more than whether or not they do their job properly. You also need to know if they do so securely.

Who are the most secure data destruction companies, and where can you find them?

One reliable place to start is the NAID website (www.naidonline.com). NAID (National Association for Information Destruction) is the recognized international trade association for companies providing data destruction services, serving the U.S., Australasia, Europe and Canada.

Not just a trade organization

NAID asks much more than fees for membership. Its requirements call for a systemic approach to establishing data security on the part of its member organizations. All aspects of data handling are covered, from pickup and delivery to the moment of destruction, all the way down to disposal.

To join NAID, a comprehensive audit must be taken by a Certified Protection Professional (CPP) auditor, designated through ASIS International, another international security standard-bearer. ASIS provides training and education for security professionals around the world. Its auditors are considered the most reliably prepared for the job.

In the qualification process, NAID’s CPP auditor performs an on-site evaluation of the member candidate’s business location, examining all aspects of data destruction that may lead to accidental exposure, such as transportation, storage, destruction, and final disposal. Two kinds of certification are considered—plant-based (for destruction on-site at the contractor’s facility) and mobile (for truck units performing destruction services at customer locations). Some examples of what NAID requires for membership include:

-Assurance that all media for destruction will be either attended by an employee OR physically secured from unauthorized access while in the custody of the destruction contractor

-Signed confidentiality agreements from all employees and contractors prior to accessing “Confidential Customer Media,” such as paper documents, hard drives and CDs/DVDs

-Drug testing for employees, or drug abuse awareness training for the employer, and seven-year criminal background checks for all employees—ongoing criminal checks, too

-Closed-caption video and adequate lighting for surveillance; tapes must be kept on the premises for 90 days

-Required customer notification in case of potential release of sensitive data that may threaten the security of confidentiality of that data

-For mobile certification, all destruction must be performed at the customer’s site. For plant-based destruction, unauthorized access to the designated secure destruction area and client records must be effectively prevented.

This list was taken from the extensive inventory of procedures and checks to ensure conscientious and thorough data protection—and there are many more. This brief sampling shows that NAID-certified businesses—such as RenovoData Services in Edina, Minn.—create secure environments to give their customers the highest recognized standard of protection around data destruction.

Without NAID’s researched and thoughtfully designed system of protections in place, the risk of data breach can increase in the process of destruction. Data loss has been widely documented in recent years as a significant risk to sensitive customer information as well as important corporate data. These breaches always result in costly cleanup efforts and loss of reputation for the victim companies.

Since no other standard exists that provides NAID’s level of protection during destruction, checking for certification should come first as you research data destruction providers in your area. Simply put, it is the best thing you can do for your customers, and for your company’s bottom line.

For this lengthy section of the law, we’ll provide here a simplified primer on all subparts, boiling them down to points we believe will be most useful to you.

Principles for Achieving Compliance
This subpart says to cooperate with the Secretary of HHS in embarking on compliance and assist them. That’s about it.

Complaints to the Secretary
A patient has the right to complain to the HHS if they choose, but civil suits must be filed through state laws rather than HIPAA.

Compliance Reviews
HHS can conduct compliance audits on your business assuming you’re a covered entity.

Responsibilities of Covered Entities
If you’re a covered entity, you have to achieve compliance. To achieve compliance, you have to:

- Provide records and compliance reports.
- Cooperate with complaint investigations and compliance reviews.
- Permit access to information.

Basically, it’s in your best interest to keep good documentation to protect yourself from liability to the extent that you can. Also, it will help you to act in a helpful and cooperative manner if HHS arrives at your business to conduct an audit. These are the people we play nice with. No matter what.

Investigational Subpoenas and Inquiries
HHS can subpoena. If they want, they can make things very difficult for you. So, see above re: playing nice.

Refraining from Intimidation or Retaliation
If a patient files a complaint against you, go with it and do not strike back against them in any respect, or even do anything that could be construed as retaliation. Because, it’s not cool, plus, it’s illegal.

In a couple weeks watch for Part 4: Imposition of Civil Money Penalties. Because we all want to avoid hefty fines.

HIPAA impacts state laws covering patient record security by preempting these laws in some cases. In others, existing state laws interact with HIPAA by applying where HIPAA may not specifically reach. Where there are questions about these interactions, RDS recommends seeking legal counsel to ensure compliance.

The General Rule of HIPAA as it Interacts with State Laws

At its foundation, this rule states that any time HIPPA is in conflict with a state law, HIPAA will preempt and control. An allowance has been made however for cases when the state law is stricter (“more stringent”), in which case those laws apply in concert with HIPAA. Usually, these stricter laws cover reporting requirements pertaining to public health information, including laws on communicable diseases, child abuse, controlled substances, birth records and death records, and more.

Demonstration of Compliance and Protection from Liability (Sort of)

A useful rule of thumb in protecting yourself from liability, as much as possible, goes like this: Documentation. Then, more documentation.

First, document the processes, training and safeguards that you and your legal representation can point to, to make a strong argument on your good faith efforts to comply with HIPAA and other applicable laws. Next, document evidence that your company has carried out these safeguards. No, this will not protect you from liability altogether. But it may be helpful in showing your thoroughness, thus mitigating some liability. Any protection is helpful here.

Next up: Compliance and Enforcement.

On Wednesday September 7, Frank will be representing RDS at the Main Street Chamber Expo! The Chamber is a national organization of small businesses that become members for networking (and therefore growth) benefits, as well as information about the latest news in business.

Frank will be there, educating hundreds of other local small businesses about RDS’s services in data security and e-waste recycling. Admission is free to members, so if you are one, click here to register to attend. Frank will be thrilled to see you in person!

A wide range of regulations apply to data security in this country today, and new ones are even now in the works as our government recognizes the increasing urgency of protecting records within business. The burden of responsibility for understanding and applying data security law rests on companies’ shoulders, so it’s up to us to get familiar with them.

RDS wants to help you. This is the first of a series of blog posts to offer informative links and general overviews of data security laws and the ways that RDS can support you in addressing them though our services. Let’s start with one dear to all of our hearts.

Part 1

HIPAA’s Purpose and Definitions

HIPAA (Health Insurance Portability and Accountability Act) is a far-reaching set of regulations that became federal law in 1996. It is directed at health care providers for guiding the security of medical records. It was designed to improve the portability of patient records while protecting their privacy at the same time. Another stated purpose was to improve access to long-term care, as well as to simplify health insurance administration.

The law is long and complex, addressing Covered Entities, being medical providers, health insurers and “business associates” –basically anyone who would have cause to access PHI (Protected Health Information). For a guide to definitions of Covered Entities, PHI and many more HIPAA terms, click here.

With a law this long, we’ll be taking it in little digestible bites from here.

In a couple weeks, watch for Part 2: HIPAA’s Impact on State Laws and Compliance Requirements.

When RDS President and CEO Frank Gustafson watched a TV exposé on e-waste, he couldn’t believe what he saw: toxic towns and residential areas made unfit for, well, residence, by the mass importation of junk e-waste in developing nations.

His response? Opening RenovoData Services, our local resource for computer recycling and permanent data destruction in Edina.

After two years of service to the community, RDS’s exposure is growing. Just recently, RDS was profiled on the recently created iammnnice.com, a site highlighting local businesses and retailers that offer new solutions to old problems, or to particularly modern ones: e-waste and data remanence, for example.

Watch the 9-minute video below for an interview with Frank including a discussion about computer recycling as a value and a business, the services RDS offers to protect data, the legal liabilities surrounding data security, and a tour of the facility.

Join RenovoData Services in Edina between noon and 7 pm this Friday, August 12, as we cohost a celebration of summer with our friends and neighbors. Bring your kids, bring your dogs, bring your car and even your dancing shoes.

There will be dance lessons and performances, prize drawings, food for sale prepared by Backstreet Kitchen, balloons for the little ones and outdoor washes for your dog or your car. Or both, if you need it. And of course, a computer and cell phone recycling drive by RDS.

Here are the details and the day’s schedule:

-Old computer and cell phone recycling as well as hard drive shredding at RenovoData Services

-Hot dogs, chips and pop for sale by Backstreet Kitchen

-DanceXchange prize drawings and performances:
12:00, 1:00 & 2:00

-Free trial dance classes:
12:30, 1:30 & 2:30

-Ruff House and Zoom Groom prize drawings:
1:00, 3:00, 5:00 & 7:00

-Secondhand Hounds dog wash is open from 4:00-7:00

-Car wash anytime from noon-7:00

Grab your family and an old computer or cell phone to recycle, and join us on Friday!