How and Why E-cyclers are Becoming Data Security Experts

Electronics recyclers are increasingly taking on a new role, beyond that of sustainably managing wasted electronics. With heightened attention to cybersecurity and more rules around data protection in general, they are becoming information security experts.

To be on their game, electronics processors are investing in high-tech shredders, data wipers and equipment that tracks devices from their front to their back doors. And they are accruing multiple certifications to show customers their data will be completely destroyed.

“Data protection is on everyone’s radar,” says John Shegerian, co-founder and executive chairman of Electronic Recyclers International (ERI), headquartered in Fresno, Calif.

There is HIPAA (Health Insurance Portability and Accountability Act, a federal regulation) for the health industry. And there are multiple other industry-specific federal rules for publicly-traded companies for financial institutions, among others. And the latter will meet tighter demands to protect customers’ data if proposed revisions to two rules pass.

Besides industry-specific rules, many states have their own regulations, adding another layer of complexity.

Schupan Electronics Recycling’s physical location is Kalamazoo, Mich., but, like ERI and many large e-processors, it covers all 50 states.

“We have to know the law in each of them. For example, California has reporting requirements per county and per device. We have a corporate client with 150 locations, so we have to segregate their California material to provide them with information for their reporting,” says Cory Pyscher, vice president of Schupan Electronics Recycling.

Among security measures, Schupan deploys GPS trackers that follow electronics as they move through the processing line or if the commodities leave the building for further processing. In addition to this internal tool for staff, the company leverages tracking software for the customer’s reference.  

With the latter, “If corporation ‘X’ calls, we can say when their device is scheduled to be shredded and exactly where on the floor it is at any given time,” says Pyscher.

ERI has proprietary software that, like Schupan’s, is intended to provide transparency to clients, tracking their data-containing devices. It can track details per client’s requirements.

“Publicly-traded companies especially want this, so they can report to their C-Suite or when they have to answer to cyber insurance carriers, their board of directors and Wall Street analysts,” says Shegerian.

ERI also has a flat screen shredding system with a robot that recognizes debris and picks it for sorting.

Even with all the technology and attention to data protection, many companies are not very focused on securing data once they decommission their information technology assets, says Steve Chafitz, president of e-End in Frederick, Md.

“They are focused on the frontend with firewalls, anti-phishing software, infiltration, exfiltration monitoring and other applications. The same data-containing media they spent millions of dollars protecting is, in many cases, moved to an unsecure storage area when taken out of service,” he says.

E-End spends a fair amount of time educating clients on safeguarding their electronics with data. The company creates policies and procedures for clients to provide protection for personally identifiable information (PII) and other confidential data, for example identifying and labeling every device.

Among the company’s diverse clients are government agencies, nongovernmental organizations, healthcare providers, law firms and banks. The level of security varies by client.

“For example, when we destroy top secret information, the media must stay in possession of the authorized person witnessing the destruction. We only handle it to place it in the degausser [that removes magnetic properties, destroying data and rendering the drive unusable],” says Chafitz. The company can degauss more than 2,000 hard drives per hour and often runs at capacity.

And e-End, like ERI, has NAID certification for data destruction.

As security breaches happen, such as a recent potentially costly privacy violation by Facebook, crackdowns continue.

Still, says Pyscher, “We as an industry would like to see tighter legislation, particularly federal legislation. But there is a lot of pushback, including from waste haulers who are responsible for recycling illegally dumped [electronics]. And OEMs are pushing back because of what it would cost for them to recycle. Legislative changes such as landfill bans would call for changes in recycling infrastructure we as a country are not ready for but need.”

Shegerian projects a lot of movement around the bend for the industry.

“Cybersecurity will keep growing. On top of that, a new trend is coming on us, and that is the 4G to 5G switchover with cell phones, which will create high volumes of end-of-life devices. Then, there is the growing need to comply with circular economy standards. Due to these three converging trends, we feel we can double the size of our company in the next 36 months,” he says.