CPR Tools Analysis Reveals Resale Channels As Source for Unwiped PII

According to the latest research from CPR-Tools, 40% of hard drives, mobile devices and tablets sold on the re-use markets contain personally identifiable information (PII).  The Ft. Meyers, FL-based data recovery and security firm used downloadable shareware to recover PII on 250 randomly selected storage devices. The company used unsophisticated methods to recover the data and notes that no forensic training was required to access the information.

In the course of the analysis CPR-Tools recovered credit card information, contact information, usernames and passwords, company and personal data, tax details, and more.

Mobile phones gave up about 13% recoverable data, while tablets topped the list at 50%. PII was also locaed on 44% of the hard drives.. The devices involved in the study were “working” units that had been previously used in both commercial and personal environments.

“As data storage is included in nearly every aspect of technology today, so is the likelihood of unauthorized or unintended access to that data. Auction, resell, and recycling sites have created a convenient revenue stream in used devices; however, the real value is in the data that the public unintentionally leaves behind,” said John Benkert, CEO at CPR Tools.

Summary of e-Stewards V3.0 Standard

Due to the need to incorporate the new global ISO 14001 standard for environmental management systems, and the need to incorporate past amendments and add improvements, the third formal revision of the e-Stewards Standard V 3.0 has been created and is now published.

The most significant change from V 2.0 has been the restructuring of requirements to fully reflect the new ISO structure. This enables ease of use for e-Stewards recyclers/refurbishers and certification bodies. The e-Stewards requirements imbedded into the appropriate sections of the new 14001 standard bring greater clarity and ease of use for recyclers and auditors alike.

The following are some highlights of changes found in V3 compared to V2 (including Sanctioned Interpretations), followed by numbers citing where the new language can be found in the V3 document

V3 Changes Highlighted:

• Verbatim incorporation of ISO 14001:2015 standard and requirements, removing ISO 14001:2004 language, resulting changes to the management system (see this link for redlined comparison of the two 14001 standards from ANSI’s web store: https://ansidotorg.blogspot.com/2015/10/redline-versions-of-standards.html) [throughout standard]

• New structure of e-Stewards Standard fully adopts new ISO structure, including section titles [throughout standard];

• All footnotes have been removed. Guidance footnotes will be placed in guidance document, while requirements have been added into the body of the standard. This provides greater readability and clarity. [throughout standard]

• Incorporation of sanctioned interpretations (V 2.0 amendments) to date [found throughout) • Modification of Requirement for top management to assign responsibility and authority for: o Evaluating adequacy and achievement of organization’s objectives [5.3 e) 2]; and o Evaluating performance of managers in ensuring the effectiveness and continual improvement of the environmental, health & safety management system (EHSMS) in their areas of responsibility [5.3 c];

• Modification of Requirement to create and document a schedule for evaluating compliance obligations [6.1.3 e];

• New requirement to apply export restrictions to Problematic Components & Materials (PCMs) wherever there are legal prohibitions on transboundary movement of Hazardous e-Waste (HEWs) [6.1.3.1, f)];

• Modification of Requirement to create a Plan for Responsible Downstream Management of HEWs and PCMs [6.2.4];

• Modification of Requirement to establish & maintain a written Plan for Emergency Preparedness & Response [8.2];

• In new 14001 section for internal communication, list of specific types of internal communication required, resulting in a better functioning EHSMS [7.4.2];

• Addition of asbestos-containing electronic equipment to list of items not generally allowed to be shredded [8.4.1, Table 4, Row 1];

• Removal of requirement to take back exported Hazardous Electronic Equipment if misrepresented or damaged during shipping [no longer in reuse section, which is now 8.6];

• Modified requirements if seeking to send Hazardous Electronic Equipment (HEE) into new products or processes, in order to prevent toxics from being put back into commerce under the guise of ‘recycling’ [8.7.2];

• Clarified language to assist in operational controls needed for export, transit, and import of HEWs and PCMs throughout Recycling Chain [8.8];

• New exemption from export/import requirements for new parts & new devices under warranty if they are defective upon initial use by original purchaser and are being returned to manufacturer for failure analysis and/or repair [8.8.2.1 c)];

• Revised, recombined, streamlined, and clarified requirements pertaining to downstream accountability, including requirements for transport companies [8.9];

• Requirement to establish and implement a schedule for monitoring & measuring operations that can have a significant environmental and stewardship impact [9.1.1 d)];

• Modified requirement to track non-conformities found in multiple areas, e.g. audit results, regulatory violations, (facility) security breaches, and data security breaches [9.1.4];

• Clarified language in requirements for material balance accounting (MBA) [9.1.7 b)];

• Requirements to better define internal auditor qualifications, and create & retain specific internal audit records [9.2.2];

• Expanding on the new ISO requirements for top management, requirements for them to review results of risk assessments, facility inspections, and Industrial Hygiene monitoring [9.3]; and

• Clarified language in both Appendix B (Administrative requirements for recyclers) and Appendix C (Administrative requirements for certification and accreditation bodies).

Restoration of V2/14001:2004 elements into FD V3: The new ISO 14001 standard has omitted or reduced certain elements of a management system that were included in the earlier (2004) version of 14001 and are considered by many to be important elements of an effective management system. V3.0 has restored some of these elements, as follows:

• Restored requirements for written procedures & records in many sections of the standard [throughout standard]; and

• Restored explicit requirements for taking preventive actions as a critical part of an effective management system [10.2].

Implementational Changes:

• In future, revisions will be published directly into a new version of the complete standard at no additional cost to the initial purchaser. These new Versions will be designated as V 3.1, V 3.2 etc. This will be far easier for recyclers and auditors alike.

• Performance Verification Program of e-Stewards now includes both truly unannounced inspections as well as use of GPS tracking devices inserted into the e-Stewards stream.

DEEP DISCOUNTS ON OUR VALIDATOR TOOL

DestructData has nine [9] Validator data erasure verification units from its rental inventory that are now available for purchase at a deep discount. Please let us know right away if you or any of your customers or affiliates are interested in an aggressive discount on a lightly used Validator that is covered with an as-new warranty. These units are available at 40% off list price, and are sold on a first-come, first-served basis.

The VALIDATOR is a single-purpose device designed to verify drive erasure in a simple PASS/FAIL process.

To place your order: please call 800-781-4799 or info@destructdata.com