Preventing Digital Disasters
By Stampp Corbin
The digital world is an ecosystem teeming with life and supporting an abundance of trade, commerce, and culture. Petabytes of data stream continuously over public and private networks, with content ranging from instant messaging chatter to highly sensitive financial records. People with bad intent sometimes attack networks. Whether they are professional thieves prowling for account numbers or bored teenagers intent on mischief, these parasites disrupt commerce, steal information, and do billions of dollars worth of damage every year. Their actions can have devastating long-term consequences for an unwary individual or business.

The Federal Trade Commission estimates that identity theft alone has cost American businesses and consumers more than $48 billion over the past five years. Once a thief assumes another person's identity, clearing up credit records and restoring one's good name can take years of hard work. And while juggling calls from collection agencies and resolving problems with banks and credit bureaus, the victim will still likely be denied access to basic financial tools and services such as home mortgages and small business loans.
A major source of digital pollution is outdated computer equipment. The U.S. Environmental Protection Agency (EPA) estimates that a quarter billion personal computers will be made obsolete by 2005. The International Association of Electronics Recyclers predicts that by 2010 the mountain of scrapped computers will quadruple to one billion units.
The physical disposal of information technology presents formidable challenges. A typical CRT monitor, for example, contains three to nine pounds of lead. Printed circuit boards contain beryllium, cadmium, flame retardants, and other toxic compounds that can seep into groundwater or escape into the air when incinerated. The problem is so daunting that the EPA has identified e-waste as the nation's fastest-growing waste stream, and many states and municipalities now ban the disposal of monitors and other equipment into the nation's landfills.
For example, California Civil Code section 1789.82 (formerly known as SB 1386), California's Mandatory Disclosure Statutes, requires all entities that do business in California to disclose information security breaches to every California resident whose data was acquired by an unauthorized person. Other states that are considering similar statutes include New York, New Jersey, Idaho, and Indiana.
Ghosts in the Machines
Unfortunately, the danger is not limited to the physical realm. Ghosts in those machines—unerased information left on hard drives and other storage devices—represent a digital disaster waiting to happen. Consider these recent examples:
- The Bank of Montreal sold two high-powered computers containing hundreds, possibly thousands, of customer records, including names, addresses, telephone numbers, and account numbers and balances, to a reseller, who put them up for sale on a popular online auction site. Fortunately for the bank and its customers, the reseller immediately pulled the servers off the market when he turned on one of the machines and noticed that the hard drives had not been erased. While a disaster was averted, the bank was forced to spend considerable time and effort investigating the incident and reassuring customers that their confidential financial information was safe.
- The Commonwealth of Kentucky nearly sold surplus computers containing confidential files naming thousands of people with AIDS and other sexually transmitted diseases, as well as the number of sexual partners.
- A former Morgan Stanley executive sold an outdated handheld device, not realizing that it still contained thousands of names, account numbers, and passwords.
Preventive Measures
Cognizant of these digital dangers, forward-thinking IT managers are looking to prevent digital disasters along with the accompanying liability and loss of reputation. When dealing with e-waste, follow these precautions:
- Have assets collected by certified vendors that adhere to strict shipping and security guidelines.
- Have all data and software erased from hard drives and other media.
- Ensure stringent adherence to data destruction protocols such as the U.S. Department of Defense's 5220.22-M standard, which requires the triple overwriting of each disk sector and ensures that hard drives do not enter the secondary market with proprietary software, corporate data, or customer information still resident.
- Subject inoperable hard drives to a certified degausser, which demagnetizes the hard drive and renders all of the data unrecoverable.
- Strip all equipment of asset tags and identifiers.
- Recycle all assets not destined for resale or charitable donation in strict compliance with relevant state and federal environmental rules, with formal indemnification from environmental liability or risk.
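The triple-overwrite-and-verify step above, as an added illustration that is not part of the original article or RetroBox's tooling: each fixed-pattern pass is read back before the next one starts, and a final scan confirms that a constructed sample record no longer appears on the media. A regular file stands in for the block device, and the pass patterns and block size are assumptions, not the standard's exact wording.

```python
import os
import secrets
import tempfile

# Three passes in the spirit of the triple-overwrite requirement above:
# all zeros, all ones, then cryptographically random bytes (assumed patterns).
PASS_PATTERNS = (b"\x00", b"\xff", None)   # None = random data
BLOCK = 4096                                # assumed sector/block size

def _fill(fh, size, pattern):
    """Write `size` bytes of `pattern` (or random bytes) starting at offset 0."""
    fh.seek(0)
    done = 0
    while done < size:
        n = min(BLOCK, size - done)
        fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        done += n
    fh.flush()
    os.fsync(fh.fileno())   # push the pass through the OS cache to the media

def _readback_matches(fh, size, pattern):
    """Verify a fixed-pattern pass by reading every block back and comparing."""
    fh.seek(0)
    done = 0
    while done < size:
        n = min(BLOCK, size - done)
        if fh.read(n) != pattern * n:
            return False
        done += n
    return True

def overwrite_passes(path, patterns=PASS_PATTERNS):
    """Overwrite every byte of `path` once per pattern, verifying each
    fixed-pattern pass. Returns the number of passes completed."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in patterns:
            _fill(fh, size, pattern)
            if pattern is not None and not _readback_matches(fh, size, pattern):
                raise IOError(f"pass {pattern!r} did not verify on {path}")
    return len(patterns)

def contains_residue(path, marker):
    """True if `marker` can still be found anywhere on the media."""
    with open(path, "rb") as fh:
        return marker in fh.read()

def demo():
    """Constructed sample: a disk image holding fake customer records."""
    path = os.path.join(tempfile.mkdtemp(), "disk.img")
    with open(path, "wb") as fh:
        fh.write(b"ACCT 1234567890 BALANCE 10500.00 JANE DOE\n" * 200)
    before = contains_residue(path, b"ACCT 1234567890")
    passes = overwrite_passes(path)
    after = contains_residue(path, b"ACCT 1234567890")
    return before, passes, after      # (True, 3, False)
```

On a real drive the same loop would target the device node and cover every sector, which is why a readback verification rather than a successful write is what certifies the pass.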
Stampp Corbin is president and CEO of RetroBox Inc. (www.retrobox.com), an information technology disposal company. This article was adapted from a version published in CyberDefense (www.cyberdefensemag.com).