Financial Institutions Need Secure Data Destruction Policies to Comply With The Gramm-Leach-Bliley Act (GLBA)

What is the Gramm-Leach-Bliley Act?

Financial Institutions must comply with information security and privacy regulations when they retire end-of-life computers, networking devices, servers, phones, and tablets. This article explains one of those compliance standards, the Gramm-Leach-Bliley Act (GLBA). By working with the right IT Asset Disposition Partner, your company can reduce the risk of a breach like the one that occurred at Morgan Stanley and comply with GLBA and other compliance standards. The GLBA, enacted in 1999, primarily focuses on protecting consumer financial information held by financial institutions. It includes provisions to safeguard sensitive data and mandates specific requirements for data destruction as part of its broader privacy and security framework.


The GLBA, also known as the Financial Services Modernization Act, has three main components:

  1. The Financial Privacy Rule: Governs the collection and disclosure of consumers’ personal financial information by financial institutions.
  2. The Safeguards Rule: Requires financial institutions to implement security measures to protect customer information.
  3. The Pretexting Provisions: Protect consumers from individuals who obtain personal information under false pretenses.

Data Destruction under the GLBA

While the GLBA does not have explicit data destruction requirements, its mandates imply the need for proper disposal of consumer information to prevent unauthorized access and ensure data security. The critical consideration here is the Safeguards Rule, which focuses on maintaining customer information’s confidentiality, integrity, and security.

The Safeguards Rule

The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. “According to Section 314.1(b), an entity is a ‘financial institution’ if it’s engaged in an activity that is ‘financial in nature’ or is ‘incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).’” [1] The rule compels financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. Data destruction is an integral part of this security program. Here’s how the Safeguards Rule translates into data destruction requirements:


Key Points of the Safeguards Rule

  1. Comprehensive Security Program:
    • Financial institutions must develop, implement, and maintain a written comprehensive information security program that includes administrative, technical, and physical safeguards.
  2. Risk Assessment:
    • Institutions must conduct risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their customer information.
    • This includes risks in the storage, processing, and disposal of information.
  3. Design and Implementation of Safeguards:
    • Based on the risk assessment, institutions must design and implement safeguards to control the identified risks.
    • This includes developing policies and procedures to ensure secure data handling and disposal practices. Choosing the right data destruction partner can critically influence these safeguards. 
  4. Regular Testing and Monitoring:
    • Institutions must regularly test and monitor the effectiveness of their safeguards.
    • This includes periodic review and adjustment of data destruction practices to ensure they mitigate identified risks effectively.

Securis performed on-site shredding for a financial services company. They told us that all hard drives were removed and that we could recycle the 8 server cabinets. Upon inspection, we found 86 drives (72 SSDs and 14 Hard Drives). We shredded the 86 drives, saving the company from what could have been an expensive breach. The 86 drives represented 15% of the total drives that were missed.


Best Practices for Data Destruction under the GLBA

Policies and Procedures:

Institutions should develop clear policies and procedures for IT Asset Disposition (ITAD) and Data Destruction. This includes outlining methods for securely destroying differing data types (e.g., paper records and electronic data).

Secure Methods:

Ensure your ITAD service partner utilizes secure data destruction methods for digital data, such as shredding, incineration, degaussing, or NIST 800-88 and IEEE-compliant software-based overwriting techniques. The chosen method should render the data unreadable and irrecoverable.

Employee Training:

Train IT employees on the importance of data sanitization and the specific procedures they must follow. Employees should understand the risks associated with improper disposal and the legal obligations under GLBA.


Third-Party Management:

Ensure third-party service providers handling data destruction can safeguard customer information by following GLBA requirements. This includes due diligence in selecting vendors, third-party risk assessments, and agreements specifying data destruction standards.

Documentation and Audit Trails:

Maintain documentation of data destruction activities, including the types of data destroyed or overwritten, methods used, and verification of destruction. This information should be readily available for audit in your IT Asset Management system or the portal of your ITAD vendor. This audit trail can be reviewed to ensure compliance with the Safeguards Rule. In addition to an audit, ensure you receive a Certificate of Destruction from a certified IT asset disposition vendor.

Incident Response:

Develop an incident response plan for addressing and mitigating any breaches related to data destruction.  If an IT asset goes missing, it should be investigated.   IT Asset Management best practices allow organizations to understand where assets are at all times.  Ensuring all assets are logged and inventoried and that records are kept current will allow you to examine where an asset was lost if it cannot be accounted for later.  

Incident response should include procedures for investigating and remediating instances where your IT Department or ITAD vendor did not follow best practices for data sanitization or destruction.

Conclusion

The Gramm-Leach-Bliley Act’s emphasis on protecting consumer financial information inherently requires robust data destruction practices. Through the Safeguards Rule, the GLBA requires financial institutions to establish or procure comprehensive security programs that include secure data disposal. By working with an experienced and certified ITAD partner like Securis, financial institutions can safeguard sensitive information, maintain consumer trust, protect shareholders, and ensure regulatory compliance.

 

[1] https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Balancing Data Security, Sustainability, and Disposal Costs for IT Asset Disposition (ITAD)

Finding Balance

Electronic waste (e-waste) disposal has become a pressing issue in today’s technology-driven world. E-waste, which includes discarded electronic devices like computers, smartphones, and other data-bearing equipment, presents significant sustainability, budgetary, and data security challenges. According to the EPA, only 12.5 percent of U.S. e-waste is properly recycled. E-waste represents just 2 percent of America’s waste in landfills but makes up 70 percent of overall toxic waste.

Companies and government entities must balance the need to comply with data security regulations and dispose of e-waste in the least ecologically damaging way possible while managing their budgets by avoiding exorbitant disposal costs. Organizations that focus too much on information security will likely blow out their budgets and won’t meet their sustainability goals.   Organizations that focus too much on sustainability or cost could create a situation where they have a significant data breach.

An Information Technology Asset Disposition (ITAD) company that employs Certified Secure Data Destruction Specialists (CSDS) can ask you questions about your requirements and help you determine the most effective method of computer recycling.

Data Security

Data security is a paramount concern when disposing of e-waste. Electronic devices often contain sensitive personal and corporate information that, if improperly handled, can lead to data breaches and identity theft.   Technology is constantly changing, and our teams regularly find data on company devices that their IT teams miss.  Working with an expert service provider meets the best practice of separation of duty and provides a double check to your IT teams.


Ensuring that data is irretrievably destroyed before reuse or recycling is crucial. For example, Morgan Stanley was fined 100 million dollars after hiring a company with no experience or expertise in data destruction to decommission thousands of hard drives and servers. In addition, a healthcare provider in Maine exposed the medical records of 100,000 citizens because of improper data sanitization practices. ITAD vendors that employ CSDS and are NAID AAA Certified can help your organization comply with security best practices.

Environmental Concerns

Improper disposal of e-waste can have severe environmental consequences. Electronic devices contain hazardous materials like lead, mercury, and cadmium, which can leach into soil and water, causing pollution and health risks, and can even lead to fines. If your ITAD vendor or their downstream recycling vendors don’t follow the law and go out of business, your company could be at risk.


Strategies for Minimizing Environmental Impact:

1. Reuse: An ITAD service provider may be able to resell late-model computers, which is the best way to lower your carbon footprint. Before selling, your ITAD provider must follow NIST 800-88 or IEEE best practices to remove all data from storage devices.

2. Recycling: Older electronics and computers that must be shredded because they have classified information on them may have limited value. In these cases, recycling individual components ensures that valuable materials are recovered and reused, reducing the need for raw material extraction and minimizing environmental damage. Partnering with an IT disposal vendor with a robust recycling and reuse plan simplifies this process.

3. Responsible Disposal: Work with R2v3 certified e-waste recyclers who follow environmentally sound practices, including the safe handling and disposal of hazardous substances. Sending e-waste overseas could violate laws and create security risks.   A NAID AAA and R2v3 certification means your ITAD vendor is required to follow strict standards. R2v3 certification involves rigorous audits by an independent third party to evaluate recycling practices in over 50 areas of operational and environmental performance. R2v3 is the leading standard for the electronics recycling industry, ensuring practices that protect the environment, human health, safety, and the security of the recycling process.

Disposal Costs

The cost of e-waste disposal can be a significant barrier for many organizations. Balancing the financial aspect of e-waste management with the need for data security and environmental protection is a top priority for many organizations. Organizations that evaluate vendors on price alone could risk fines, their reputation, and future stock valuation.

Cost-Effective Disposal Solutions:

1. Bulk Disposal Discounts: Organizations can negotiate bulk disposal agreements and long-term contracts with certified recyclers to reduce per-unit costs.

2. Resale: Thoroughly sanitized servers and drives can be resold, reducing the volume of e-waste and offsetting disposal costs through a value recovery program.


Conclusion:

In summary, balancing data security, environmental concerns, and disposal costs requires partnering with an industry leader that ensures secure and environmentally sound computer recycling processes while offering cost-effective solutions. Vendors with industry certifications in data destruction and environmentally friendly recycling, together with a robust value recovery program, are best positioned to advise your organization on asset management best practices and effectively dispose of IT assets.

Federal Tech Podcast with Securis’ Sal Salvetti

Moderator John Gilroy interviews Securis Director of Operations Sal Salvetti for the Federal Tech Podcast

Podcast link: https://podcasts.apple.com/us/podcast/ep-166-the-most-important-tech-question-that-nobody-asks/id1612819978?i=1000663400507

This conversation between host John Gilroy, moderator of the Federal Tech Podcast, and guest Sal Salvetti, of Securis, concerns the secure data destruction of electronic devices, specifically hard drives and solid state drives, used by federal agencies and organizations.

Key Points

  • Many organizations don’t properly dispose of old hard drives, which can lead to data breaches and hefty fines.
  • Securis offers various data sanitization methods depending on the information’s classification: degaussing, shredding, disintegration, and incineration.
  • Securis is certified by several organizations and follows strict guidelines to ensure secure data destruction.
  • They offer on-site and off-site data destruction services to meet the needs of different clients.
  • Securis also resells refurbished equipment and recycles materials from old electronics.

Here are some conversation highlights:

  • The importance of secure data destruction for federal agencies handling sensitive information.
  • Different data sanitization methods and when to use each one.
  • Options for secure disposal of various electronic devices, including cell phones and tablets.
  • How to avoid mistakes like throwing away hard drives without proper data erasure.
  • The environmental benefits of responsible IT asset disposition.

TRANSCRIPT

John Gilroy: Hey, John Gilroy here.  Everybody knows there are an estimated 300 data centers in Northern Virginia. Very few people know what happens when they upgrade those servers in the data center. Today, we found out.

John Gilroy:    Hit the music, Manny.

<VOICE>  Welcome to the Federal Tech Podcast, where industry leaders share insights on innovation with a focus on reducing cost and improving security for federal technology. If you like the Federal Tech Podcast, please support us by giving us a rating and review on Apple Podcast.

John Gilroy:  Welcome to the Federal Tech Podcast, a podcast that connects you to federal technology leaders.  My name is John Gilroy, and I will be your moderator. Our guest today is John Salvetti.    He’s the executive vice president of a company called Securis, S-E-C-U-R-I-S.   I would be remiss if I didn’t tell our audience that we are recording this from Monk’s Barbecue in lovely downtown Percival, Virginia.  This is a high-class joint, Sal.

John Gilroy:    And so I’ve seen this thing from iSigma, and it says, here’s the headline.  Personally identifiable information was found on 40% of used devices in the largest study to date.  So my personal stuff on those servers in Ashburn can be recovered.   What happens in this whole transition and upgrading?

Sal Salvetti:  So one of the options you gave me, I could tell you if you’re out of your mind, right?  But yeah, you’re out of your mind, but nothing to do with that, okay?  No, it’s great to meet you, John. Great to be here as part of your Federal Tech Podcast.  And so yeah, that’s true.

Sal Salvetti:  There are organizations out there when they want to, they’re under the life cycle for their hard drives, or their solid-state drives, laptops, desktops, anything that’s data-bearing, you want to make sure you dispose of it properly.  And that’s what we do.  We are an ITAD company, IT Asset Disposition.


 

Sal Salvetti:  Some people use the D as in disposal, but we will bring that from, we’ll pick it up from you and bring it to our location and shred it as one of the ways of dealing with it.  Or we could actually take care of it at your location and we could either shred it or disintegrate it, depending on what type of equipment it is.

John Gilroy: Now, Sal, I’ve driven through Ashburn a million times.  In fact, I recorded a podcast a couple of times at Monks, at the Ford’s Fish Shack, right there.

Sal Salvetti:  I know what you’re talking about.

John Gilroy:    And I’ve never thought about what happens to those servers, but obviously, they’ve got servers in there. There’s new hard drives, new Nvidia drives and graphics chips, and so they take them out. So what kind of choices does a federal agency have when they’re upgrading some of their data centers?

Sal Salvetti:  So one of the things you want to look at is it an end of life piece of equipment.  As you look at it, if it’s end of life and there’s no reuse or recycling, no reuse that you can do to it. We will help you look at that. So here is a server.  We look at the server. If we think it can be resold, which should be good out there because that’s great of not having something end up in a landfill, we will take it off your hands.

We will bring it to our location.  We will refurbish and resell, for example, on either a wholesale or a eBay or Shopify type website.

Sal Salvetti:  So that’s if it can be resold.  If it’s end of life, we want to make sure that it does not end up in a landfill. In fact, only about 18% of e-waste, electronic waste out there gets properly disposed of. We are one of the ones who can dispose of it properly. We have so many certifications that are along with that.

Sal Salvetti:  So let’s talk about if we want to dispose of it.  We’ll bring it to our location. We will actually disassemble it.  We’ll take it down to its component parts because of the focus materials that are in there.  Gold, silver, platinum, palladium and copper.  And then we will go ahead and resell that for reuse out there on the open market. Some of them might have some plastic. We also take apart the plastic and we build a plastic and we resell that also for reuse.

John Gilroy:    So Sal, in doing my research for this interview, I came across an acronym that I’ve never heard before and maybe other listeners have, but it’s a Certified Data Destruction Specialist, a CSDS.  So that’s the certification we’re talking about here, huh?

Sal Salvetti:  Yes, we have them in our organization and really it’s just like any certifications out there, you don’t want to just operate off of what you think is right. There’s formal organizations that show you the proper processes to follow and also keep you updated on the rules, regulations and policies that are out there.

John Gilroy:    Let’s talk about commercial company in Chicago, say. If they do not dispose of hard drives properly, can they get fined?

Sal Salvetti:  They sure can. There’s been, in the news, there’s been people who have been fined.  Let me see, there was Morgan Stanley. That was the breach that I was trying to think of.  Morgan Stanley data breach, $35 million fine. Health Reach in Maine, 100,000 citizens had their information exposed just due to bad data sanitization. State of New Jersey, 79% of their laptops that they auctioned to the public had data on them. So besides thinking about getting fined with improper disposal of it, you’ll also get fined for actually not taking care of personally identified information on those hard drives.

John Gilroy:    Okay, fines are one thing.  Let’s go back and talk about the military and maybe some three-letter agencies and other organizations. And I’m gonna quote a movie, the movie is Forrest Gump.

Sal Salvetti:  Okay.

John Gilroy:    And Lieutenant Dan famously said, don’t do anything stupid. And I think when you have upgrading equipment, you have hard drives you’re replacing, you don’t wanna do anything stupid. So what kind of guidelines can you give our federal listeners for not doing anything stupid, replacing their existing hard drives?

Sal Salvetti:  What we found, it’s actually funny, but not in a laughing manner so much, is that, like I mentioned earlier, really about the 18% only disposing of properly, there’s no reason to just, once you upgrade, everybody goes through their life cycle replacement. Once they get the new stuff, they actually kind of forget about the old stuff.

John Gilroy:    Right, a typical human.

Sal Salvetti:  Yeah, and they’ll put it in, they’ll just stash it away, until somebody comes into the organization, opens up a closet and things are, old stuff is falling on top of them, and that’s when they call us.  So if you want to go ahead and dispose of that equipment properly, and we’re the ones, we can actually do it, we can shred your hard drives.

Sal Salvetti:  So once again, think of data bearing devices, and I’ll just talk about hard disk drives and solid state drives for right now, in addition to that, we can also shred laptops and desktops. But a hard disk drive, there’s different regulations out there.  It all falls under the umbrella of sanitizing the information. Depends on the classification of that information, of how far you want to go with sanitizing it.

Sal Salvetti:  And underneath that sanitize umbrella, there’s different classifications depending on the document that you’re looking at. So for example, the NSA uses degauss, disintegrate and incinerate, burning it, smelting it, all right.

Sal Salvetti:  Another degaussing, that renders the equipment, what it does, think about what degaussing does.  It destroys the magnets in there. So now you can never use that again. Disintegration, that’s for a solid state drive. And there are machines out there and we have one of them that are certified to disintegrate down to the two-millimeter-size particle.


Sal Salvetti:  So when you think of two millimeter, just think of walking on the beach. That’s what it’s looking like, all right.  And then for incineration, that’s just thrown in a big furnace and nothing’s on that.

Sal Salvetti:  If you talk about the NIST special publication 800-88, revision one, because that’s important, you can clear, purge or destroy. And then, of course, and then you have the subcategories underneath that.  And I’ll just throw a little vignette out there. So I was on Wheel of Fortune.  When I was spinning the wheel on Wheel of Fortune, they have this thing called a mystery round. And it’s two wedges that are on the wheel.  Underneath one of the wedge, we’ve got to land on it. If you call the letter, it’s in the puzzle, you get to pick up the wedge.  One of them is going to have $10,000 underneath it.

One’s going to be bankrupt.  It’s a guess. You don’t want to turn your data sanitizing process into a guess. Calling us, we’re the experts, we can remove all the mystery from any mystery wedge that you have out there.


John Gilroy:    The mystery for many of our listeners is the budget mystery of when do you use software to clear your old hard drives?  When do you have it shredded?  When’s it disintegrated? I guess smelt it or something. So what kind of guidelines do we have here? Is it just the type of information or there’s budget considerations here too, aren’t there Sal?


Sal Salvetti:  There are.  So think of cost versus security versus sustainability.

Yeah, I always like to explain it as a thing of going into the car wash. You could do the basic level of service and that gets you a certain level.  Or you could say, okay, I want to wash it, but I want to dry it.  I want to wax it. I want to clear coat it. I want to get the tires worked on.

Sal Salvetti:  So we can work with you on what you actually need and what you want. And we’re going to make it so you don’t overpay for what you need based on the level of what the information is. Now, for example, there may be some information you don’t have a choice.  It’s because it was this.  You remember the classifications level out there are confidential, secret, and top secret. So if something falls in there, there is no choice.  You must either disintegrate or you must work this for your destruction.

Sal Salvetti:  But if there’s not, if it’s a lesser classification of information and you just want to make sure it’s not available to the public, we will take you through the various options.  Like I said earlier, the degauss, the shredding, disintegration and incineration.

John Gilroy:    Now, Sal, your company is very successful, very well known all over the world.  There’s questions I think people would ask of how.  Okay, so do I get in my little truck and drive my hard drives over to your office?  Do you come to me? Do I FedEx them to you?  I guess there’s gotta be, depending on the agency, a certain chain of command here, there’s certain security here.

Sal Salvetti:  So the answer to that is yes, yes and yes.  All right, that’s one thing that we differ from a lot of other organizations out there.  We run the whole gamut under the ITAD, once again, the IT asset disposition process.  All right, so let’s just go back to step one of what you asked about, John.

How can I, I’m an organization, I have my hard disk drive, I have it in my possession, what do I do? So it all depends on the classification of the information for one thing.  So we can go to your location, our trucks, our capability is mobile. We have a mobile capability that has the shredder, disintegrator, and the degausser inside of the truck.

Sal Salvetti:  What’s important about that when we go to your location to do it, is that we are self-sufficient.  The truck has its own power. So it’s not like we’re gonna be bothering you. Once we pick up whatever equipment we have to pick up, we’re not, hey, I need to plug in, where’s your plug here?  No, we can pull off of the, wherever we’re at by the office, by the, you know, the dock and move away and do whatever equipment we want.

Sal Salvetti:  Some people want to do it onsite because they want to just keep an eye on it. Now, if it’s a lesser level of classification, we’ll bring it back to our facility and we have all the same capabilities inside of our warehouse. And then, but if it’s incineration, that’s where we actually have to go third party.

John Gilroy:    And when you say shredding, I think paper. So nothing to do with paper, shredding hard drives.

Sal Salvetti:  There’s different capabilities out there. We have two different ones that meet industry standards. We will put a hard drive into a shredder and one of them gets it down to inch and a half strips. One of it gets it down to one inch strips. What I talked about for the solid state drives previously, we get it down to two millimeter, which is the one that is NSA certified.

John Gilroy:    Your company is Securis, S-E-C-U-R-I-S.  And what I’m going to do is in the show notes for this, I’m going to include a video testimonial from your customers.  Can explain a lot of these concepts you’re talking about because some are kind of interesting.

John Gilroy:    So look for that video and I’ll put it in the show notes.

John Gilroy:    When I lived in Old Town Alexandria, my next door neighbors worked for a three letter organization and they always had good stories and we were good friends. And it would seem to me that an organization like that might have very, very sensitive information in the hard drive and then what they might want to do is have armed guards physically take it to your location and observe it being shredded.

John Gilroy:    I mean, this happens in Washington DC, I’m sure.  I mean, yeah, I think that’s what happens, isn’t it?

Sal Salvetti:  So we have had, we’ve picked up equipment from a place that’s been escorted back to our facility.  And because of the capacity of it, they wanted to use the bigger shredder to, you know, it’s throughput. And they have sat there and watched us shred. They’ve, I’ll just say observed, observed us, take apart cell phones, remove the battery and put it through the shredder.  Yeah, they watched us take apart laptops, remove the battery, take out the, whatever the hard drive is, the regular SSD or not, and shred those too.

John Gilroy:    You know, I talked about Forrest Gump and don’t do anything stupid.  I never even thought of cell phones.   I mean, cell phones could have compromising information on them.  I mean, who thinks about that?

Sal Salvetti:  And we do.

John Gilroy:    Yeah, and tablets. Wait a minute, I’m thinking about tablets now, and of course laptops and desktops and servers, but it’s not just servers in Ashburn, huh?

Sal Salvetti:  Think about anything that has data on it and you don’t want it to end up in the wrong hands, right?  And I’ll go back.  There may be something on there where I want to give you this hard drive.  I want you to just, I’ll use the vernacular, wipe it, erase the data that’s on there, but if you resell it, I’d like to get a little kickback on what you resell.

Sal Salvetti:  So when you talk about the budget numbers, if there’s the ability to say at the level of classification, it doesn’t have to be shredded so it’s not used, doesn’t have to be degaussed so it can’t be used, we will sell it and we will give you a rebate according to the proceeds from that sale.

John Gilroy:    I was listening to a podcast with a person at NIH, joking all kinds of information.  It would seem to me that there would be medical studies that have personally identified information but have much more sensitive information.

John Gilroy:    So someone at HHS or NIH, they may say, no, no, no, we want a NSA certified shredder and that’s what you provide.  I mean, I never thought a NSA, of all the things NSA does, really they worry about hard drive shredding machines?

Sal Salvetti:  Yeah, the big one that they do this certification on are the SSDs because that’s where everybody’s going now, even though we still have quite a few hard drives out there, the solid state drive, more information, smaller, that type of thing and you want to get it down so any adversary out there, it could be because of where we are in DC, any adversary, you do not want them getting any information off of that.

Sal Salvetti:  And the NSA will say, if you use this piece of equipment, now they’ll certify different companies that are out there and we have then purchased that equipment from that company who makes those machines. We don’t make the machines, we use the machines, just like anything else.

So they will say, I want this done to that level of destruction so there’s nothing I have to worry about.

John Gilroy:    So as an individual, let’s say I buy a new iPhone.

Sal Salvetti:  Yep.

John Gilroy:    My old iPhone and I trade it in, is that doing something stupid or is that a reasonable thing for normal human beings or not worry about that?

Sal Salvetti:  You better take out the SIM card and anything else that can hold that on there.

John Gilroy:    Yeah.

Sal Salvetti:  So it’s, and to be on the safe side, give it to us and we’ll make sure there’s no data on it.  Maybe we resell it.  And now this is for big organizations. We don’t want you driving up to our door and say, here’s my cell phone.  No, we want a thousand of them at a time.

John Gilroy:    It makes sense.

Sal Salvetti:  And we can make sure that the information’s off and we can either resell, like I said, or we shred it.

John Gilroy:    I, maybe I’ve read, I have watched too many Jason Bourne movies, but I have this image. I’m looking at you taking notes going, okay, so let’s say an operative named Kurt.  So he goes out and he does some dumpster diving behind a company and pulls out some hard drives. I mean, has that even happened?

Sal Salvetti:  There’s no doubt in my mind that that has happened.  People, whether it’s incompetence or laziness or a combination of the two, right? Or just not knowing. Ignorance is one of them also. It’s like, hey, I can just toss this stuff. So, like I said, no mystery wedges, no gambling. Let us get the equipment and clear the information that needs to be cleared off of it.

John Gilroy:    Most of my interviews have been about newer systems, designing systems.  It seems like this is a checkbox that’s not checked on the life cycle of hardware.  It’s not on the list or maybe very few companies think.

I’m sure that the three other agents think about it, but look at NIH or HHS. They have information that’s just as sensitive and maybe there are people working there that don’t know about Securis.

Sal Salvetti:  That’s a great observation. There’s been an evolution in people thinking about how easy it was or is for information to be pulled off of this stuff and those hard drives or SSDs that end up in the wrong hands. It’s great to see the level of information and education that’s out there so then they know, hey, look us up. We already know. Hey, if you don’t remember anything about today’s podcast, remember four things, all right?

Sal Salvetti:  Remember our name, Securis, so our website’s securis.com, and remember if you want industry standard making it happen the right way, we are secure, we have great accountability and sustainability.

John Gilroy:    Okay, you were on Wheel of Fortune, is that right?

Sal Salvetti:  I was, yes.  Twice actually, John, twice.

John Gilroy:    So Wheel of Fortune, let’s say a topic comes up and it’s ESG.

Sal Salvetti:  So the topic would be Jeopardy, or yeah, Jeopardy, not Wheel of Fortune.

John Gilroy:    So what is ESG, and what’s it got to do with hard drives?

Sal Salvetti:  Yeah, the big thing we like to hone in on that one besides the E and the G is just the sustainability aspect. And that goes back to, years and years, people just, remember, the landfills. You would just take it to the landfill, no matter what it was. Think about big TVs, the cathode ray tube TVs. Think about flat screen TVs, which we treat as somewhat disposable right now.

Sal Salvetti:  A lot of people will just chuck them into the landfill. Well, we’re getting better about that. We want to sustain the environment. It’s bad for the environment to have the plastics that don’t decay for hundreds of years, or the toxic metals that are in there. So bring it to us.  We’ll take it through its end of life, so that’s what we want to say.

Sal Salvetti:  We are the pros in making sure that you, as an organization, can say, I have done my part for the environment, and I am disposing of this equipment properly. In fact, we will produce a sustainability report for you based off of, right now we’re looking at about 23 different factors as part of that report.

John Gilroy:    Sal, several years ago, I had a podcast called Inside Data Centers, and I would literally go inside a data center and record it and talk about heating and cooling.  I mean, all kinds of issues that no one ever thinks about. You wouldn’t even want to guess that large organizations like, I’m gonna name names here, like Jerry Seinfeld, so I’m gonna name names like Google, Microsoft.  I imagine they have life cycle policies for this or are you part and parcel?  Do you contract with them or do you normally contract with federal agencies?  So what’s the typical relationship you have with one of these bigger companies?

Sal Salvetti:  So those hyperscalers out there, they’re doing their own stuff now because they like to keep it in house.  So the Amazon Web Services out there, they’re not gonna call us up.  Now they did about five years ago and we got until they figured out what they needed to do, and we actually got them through the process to clear and dispose of their equipment properly.

Sal Salvetti:  But the other ones out there, there may be an owner of a data center and they have tenants inside of that. So they want us to take care of their tenants because the tenants are going through life cycle replacement.

Okay, I got this stuff, who do you want me to call?  Hey, I know Securis.

Sal Salvetti:  Or it could be just the tenant itself says, hey, Securis is gonna be coming in here to take care of our life cycle replacement. We’ll go in there, we’ll take the server cabinets out, we’ll decommission to a level.  There’s a certain level that we want them to get to a point on the decommissioning.

Sal Salvetti:  And we’ll be, in one of our jobs, we actually rolled the stuff out a half a mile, because you’ve seen some of the size of those data centers. So from the cage in the data center to the truck, half a mile, and we did it about 25 trips that way.

John Gilroy:    Wow, that’s a trouble.  I know one thing about the data center people is that they don’t talk about who their customers are.  It’s like, who’s in here?  Well, we can’t say.  There could be sensitive organizations, not sensitive organizations. When you look at the future of this whole idea of making sure the swoles of your equipment, where do you see it had anything?  More and more people could be coming.  Or do you think there’s gonna be an incident where a dumpster diver grabs something and it compromises some organizations?  Some organizations, let’s say.

Sal Salvetti:  Yeah, so we like to use just to gauge trends right now.  We’re tracking the numbers that are coming in for hard drives and SSDs and see if, what I call it, the lines are crossing. Are we finally seeing the downhill spiral in hard drives and the uphill starting to go up in the quantity of SSDs? It hasn’t happened yet. There’s a lot of hard drives out there.  Another funny, flat screen TVs still going up.

Sal Salvetti:  You know, we’re not talking about the data and stuff like that, but think about other things that we do for the environment. We’re gonna have a flat screen TV and we’ll once again disassemble it and get it to the right location so it doesn’t end up in a landfill.

John Gilroy:    I’m asking a question about data centers. I was at Monks Barbecue two weeks ago. I was with my neighbors, walked down here, we had some lunch and he works for a large organization and he said, you know, John, all those data centers in Ashburn, they may have to get like a nuclear reactor to power them.

John Gilroy:    They don’t have power.  This is a problem that’s not going away.  I mean, artificial intelligence, it’s such a strain on so many data centers and they’re constantly buying new equipment and guess what that means is this existing equipment has to be replaced. So this isn’t a problem that’s going away.

John Gilroy:    It’s kind of like car repair.  That problem isn’t going away.  The whole idea of replenishing equipment and new technology and new servers, it’s just something we can’t get away from.

Sal Salvetti:  That’s exactly right and that’s one of the things that we’ve noticed now is we’re starting to get more servers. Obviously we’re in a great location. Northern Virginia, like you said, I think you said the number really got 358 or something like that of the data centers and yeah, they’re going through their life cycle replacement and by the way, it’s not a normal life cycle replacement anymore.

Sal Salvetti:  As technology advances to AI, that’s going to require more powerful servers.  So the old stuff, all right, now by the way, the old stuff to them, there are still some, we can still get that reused at the clients in other locations who may say, this is still good for me.  I’m going through my life cycle replacement, but I’m not up to AI yet.  So it is a constant revolving door right now of all the equipment that we’re getting, especially what you see in the data centers.

John Gilroy:    Yeah, what equipment brokers say is used is not a four letter word for certain businesses.

Sal Salvetti:  Exactly, and especially going overseas. We have clients that are overseas.

John Gilroy:    So I didn’t realize that. I mean, not just the United States, you go overseas as well.

Sal Salvetti:  So on our equipment, we have some buyers who then will move the equipment, whether it’s wholesale laptops, wholesale desktops, servers, switches, you know, think of anything you think can be reused.  Our country is so advanced compared to a lot of countries out there. They would love our older stuff and they are buying it.

John Gilroy:    It’s astounding to me.  I interviewed someone from the Navy and they were talking about a ship and they said, you know what, it’s kind of like a floating data center. The ships now are like floating data centers.  And so they have to worry about energy and guess what they have to worry about?   Upgrades.

John Gilroy:    And I’m sure there are ships coming in to Norfolk or somewhere where they’re going to have to replace the servers and then what do you do with that information? There’s a shredding application right there, isn’t it?

Sal Salvetti:  Exactly.  So as it is, we stand ready to support everybody and anyone out there who needs any kind of secure data destruction and or at least decommissioning of their equipment. And that’s what I say, if you don’t remember too much from this and me talking, securis.com, we are ready to support.

Sal Salvetti:  And by the way, and what you’re seeing, there’s always something in the news of somebody who has a data breach about something. I mentioned a few earlier, but it always seems to be happening and it doesn’t need to, just call us.

John Gilroy:    This has been a wonderful interview.  You have been listening to the Federal Tech Podcast with John Gilroy.  I’d like to thank my guest, John Salvetti, Executive Vice President at Securis, S-E-C-U-R-I-S.

Thanks for listening to the Federal Tech Podcast.

If you like the Federal Tech Podcast, please support us by giving us a rating and review on Apple Podcast.

Fairfax County launches solar panel recycling program with Securis

The county’s Department of Public Works and Environmental Services launched a solar panel recycling program last week, expanding upon its November 2022 pilot program.

Daniel Brooks, an environmental services specialist at the county’s Solid Waste Management Program, said this new program falls under their electronic recycling program, which focuses on prevention.

“Many of these devices contain toxic heavy metals,” Brooks said. “We want to keep that out of the waste stream … and going directly to the landfill to prevent groundwater contamination, amongst other things.”

Brooks said in addition to protecting the environment, this program enables people to repurpose and reuse the materials from solar panels. He also said this program is the first of its kind in the region.

“[Recycling programs] started with the West Coast and they were years ahead of us, sometimes up to as much as 20 to 30 years in various areas,” Brooks said. “It’s a very growing service as a renewable energy source.”

Since solar panels are relatively new to the area, responsible disposal is too. Brooks said Fairfax County wanted to get ahead of environmental contamination and started the pilot program in November 2022.

According to a 2022 study by the Pew Research Center, 8% of American homeowners said they already installed solar panels within the past year, the majority of which were in the western part of the nation.

The county partnered with PC Recycler, Inc. dba Securis to refine the recycling process; at the start of the program, 50 solar panels were taken in to figure out the exact process for responsible and reasonable recycling.

“Wanted to figure out the cost metrics, if it was viable to do in-house [recycling], or if we needed to outsource that, and if we outsource that, what measures did we have with those materials?” Brooks said.

Brooks also said this was one step further toward Fairfax County’s sustainability goals, specifically zero waste. He said he’s hoping the county’s work inspires neighboring counties and towns to do the same.

The program is now available to Fairfax County residents only and two drop-off sites are available: the Interstate 66 Transfer Station and the Interstate 95 Landfill.

This story appears in FFX Now 

Come Visit Securis at Data Center World

Join us at booth #748 at the upcoming Data Center World Event which is being held April 15-18 at the Walter E. Washington Convention Center in Washington D.C.

Data Center World is the only global industry event that combines real-world, practitioner, and thought leader expertise with in-depth research and data, and access to a full spectrum of solution providers driving the data center and digital infrastructure industry forward.

Considering attending? You can save $325 with Promo Code Securis325

Hope to see you there!

Why Inventory Matters in Electronics Recycling and Data Destruction Policy

In electronics recycling and data destruction, inventory reporting plays a pivotal role in ensuring transparency, compliance, and peace of mind for both service providers and their clients. This article delves into the nuances of inventory management, exploring why meticulous record-keeping is indispensable for e-waste and data destruction policy.

Filling the Void Left by Electronics Recycling and Data Destruction Services

When companies and government entities engage in electronics recycling and data destruction services, they are often left with a void. This void isn’t physical; rather, it’s the absence of the electronics and data that were once present. Post-service, a critical question often arises: What proof exists of how data was destroyed or where a recycled component ended up? In scenarios like audits or unforeseen incidents, the ability to peer into that void and get solid information can be crucial.

The Significance of Audit and Inventory Reports Post-Service

The answer lies in the quality of the audit or inventory reports generated after the physical work of decommissioning is completed. This documentation becomes vital, serving as a record of exactly what was done, much like an insurance policy when you need it most, often under less-than-ideal circumstances, which is why we include it as an invaluable part of our e-waste and data destruction policy.

What Constitutes Quality Inventory Management in Electronics Recycling?

Quality inventory reports in electronics recycling and data destruction must detail what was collected and what happened to each item. The most valuable data for tracking electronics are serial numbers or asset tags. These unique identifiers make it easy to account for individual items among thousands. Once an item can be identified, details about what happened to that item and any associated data can be easily tracked.

Tracking the Fate of Each Item: From Recycling to Destruction

Secure and comprehensive inventory management should clearly document the disposal process of each item. It’s crucial to record the method of data destruction for data-containing devices, whether it’s shredding, disintegration, or wiping. This information not only ensures compliance but also provides peace of mind to the client.

The Role of Recycled Weight in ESG Reporting

Environmental metrics, particularly recycled weight, are integral to inventory reports. They contribute to a company or agency’s Environmental, Social, and Governance (ESG) reporting. A good inventory report provides raw data that can be used to support environmental reporting without substituting it.

The Need for Speed: 3 Business Day Policy at Securis

At Securis, we understand the importance of timely inventory reports. Our e-waste and data destruction policy ensures that all inventory reports are completed within 48 hours. Lengthy delays, which are common in the industry, are inefficient and often lead to frustration.

Advantages of Using a Raw CSV File Format

We believe that a raw CSV file is the most effective format for inventory reports. This format allows clients to import the data into any system they choose, offering flexibility and ease of use. Fancy PDFs, while visually appealing, often prove impractical due to their non-manipulable nature.
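One way a client could reconcile a vendor's raw CSV inventory report against its own hand-over list, as an added example (not Securis's report format or code). The column names, serial numbers and sample rows are constructed assumptions; the accepted destruction methods are the ones named on this page.

```python
import csv
import io

# Destruction methods named on this page; anything else is flagged for follow-up.
ACCEPTED_METHODS = {"shredding", "disintegration", "wiping", "degaussing"}

# Constructed sample: the client's own hand-over manifest (hypothetical columns).
MANIFEST_CSV = """serial_number,device_type,data_bearing
SN-1001,hard drive,yes
SN-1002,ssd,yes
SN-1003,server chassis,no
SN-1004,hard drive,yes
SN-1005,laptop,yes
"""

# Constructed sample: the vendor's raw CSV inventory report (hypothetical columns).
REPORT_CSV = """serial_number,device_type,disposition,destruction_method,weight_lbs
sn-1001,hard drive,destroyed,shredding,1.4
SN-1002 ,ssd,destroyed,,0.2
SN-1003,server chassis,recycled,,42.0
SN-1005,laptop,resold,wiping,4.5
SN-1005,laptop,resold,wiping,4.5
SN-9999,switch,recycled,,9.5
"""


def norm(serial):
    """Normalise a serial so case and stray whitespace do not hide a match."""
    return serial.strip().upper()


def load(text):
    """Parse CSV text into a list of row dictionaries keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(manifest_text, report_text):
    """Compare the vendor report with the manifest and return the gaps found."""
    manifest = {norm(r["serial_number"]): r for r in load(manifest_text)}
    findings = {
        "missing_from_report": [],    # handed over, never accounted for
        "not_in_manifest": [],        # reported, but not on our hand-over list
        "duplicate_rows": [],         # same serial reported more than once
        "no_destruction_method": [],  # data-bearing item without a valid method
        "recycled_weight_lbs": 0.0,   # raw figure for environmental reporting
    }
    seen = set()
    for row in load(report_text):
        serial = norm(row["serial_number"])
        if serial in seen:
            findings["duplicate_rows"].append(serial)
            continue  # skip so the weight is not counted twice
        seen.add(serial)
        if serial not in manifest:
            findings["not_in_manifest"].append(serial)
        elif manifest[serial]["data_bearing"].strip().lower() == "yes":
            method = row["destruction_method"].strip().lower()
            if method not in ACCEPTED_METHODS:
                findings["no_destruction_method"].append(serial)
        if row["disposition"].strip().lower() == "recycled":
            findings["recycled_weight_lbs"] += float(row["weight_lbs"])
    findings["missing_from_report"] = sorted(set(manifest) - seen)
    return findings


if __name__ == "__main__":
    for name, value in reconcile(MANIFEST_CSV, REPORT_CSV).items():
        print(f"{name}: {value}")
```

A serial under `missing_from_report` or `no_destruction_method` is the item to raise with the vendor before the disposal record is closed.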

Lessons Learned: What Works and What Doesn’t

Our two decades of experience in the field have taught us valuable lessons about what is helpful and what is not in the context of electronics recycling and data destruction. These insights, drawn from interactions with both large and small companies and agencies, have shaped our approach to inventory management. The industry standard for accuracy for ITAD vendors is about 85%. Based on our 24 years of experience, we have developed a system that is proven to have greater than 99% accuracy.

The Unwavering Importance of Inventory Reporting in Electronics Recycling and Data Destruction

Our experience has shown that the importance of inventory reports in electronics recycling and data destruction policy cannot be overstated. It’s the backbone of accountability, transparency, and compliance in this industry. As we move forward, we expect to see continued evolution and innovation in inventory practices, ensuring that they remain robust and reliable.



How to Recycle Batteries for IT Directors

Batteries are not only bad for the environment when we toss them in the trash, but they can be explosive. Varying types of batteries may need to be handled differently. Overall, if you’re an IT Director looking to dispose of batteries, be sure to know these five things about battery recycling.

  1. Improperly disposed of batteries can be extremely dangerous. If lithium-ion batteries touch each other via their connectors, the risk of a fire is massive. Taping up the ends of these batteries is vital to keep them from touching one another. A swollen battery is most at risk of catching fire. This occurs because of excess gases. Never throw these batteries away. Carefully place them in a container and take them to a specialized recycling facility to ensure proper disposal.
  2. Batteries can be recycled. While each battery is recycled differently, it’s important to reuse the materials rather than mine for new ones. Surprisingly, when mixed correctly, chemicals like sulfuric acid can be turned into water. Lead, cadmium, and mercury can negatively impact the environment if they aren’t recycled properly.
  3. Employees need to be educated on the proper disposal of batteries. An uninformed employee may try to release gas in a swollen battery, which could cause a fire or chemical burn. Additionally, by teaching employees how to recycle batteries, your company reduces its carbon footprint.
  4. Responsible recycling is vital. Reputable companies are so important when recycling batteries because non-certified companies may increase legal and/or environmental risks associated with improper disposal. Your existing ITAD company may be able to assist you. If not, it is likely that they will know of a company that they can refer you to!
  5. The legalities of recycling batteries tend to differ on a state-by-state basis. Arkansas, California, Connecticut, Hawaii, Indiana, Kentucky, Louisiana, Mississippi, New Mexico, North Carolina, New Hampshire, North Dakota, Pennsylvania, South Dakota, South Carolina, Texas, Utah, Virginia, Vermont, West Virginia, Wisconsin, and Wyoming all have state-wide battery recycling requirements in effect. DC, Florida, Iowa, Maine, Maryland, Minnesota, New Jersey, and New York require the producers of batteries to offer or fund recycling.

If you have questions about how we can help you recycle batteries at Securis, please contact us here

What is the Circular Economy?

The circular economy is a sustainable way to reuse and regenerate materials often found in technology, which is not only environmentally friendly but can be an economical solution. As more technology enters the economy, we need to get the most from what is already in the cycle.

This system strives to keep materials, products, and services in circulation for as long as possible. The circular economy helps slow climate change by reducing the amount of natural resources extracted (extraction contributes to nearly half of all greenhouse gas emissions).

The 3 Principles of the Circular Economy

The circular economy has three basic principles: eliminate waste and pollution, circulate products and materials (at their highest value), and regenerate nature. These principles are fundamental when it comes to recycling your electronics.

Eliminate Waste and Pollution

There are many ways to eliminate waste from our everyday lives. Some companies have reduced or changed their packaging to reduce their carbon footprint. At Securis, we ensure equipment is recycled, repurposed, refurbished, or resold in compliance with our R2v3 certification. 

The circular economy’s purpose is to reduce the amount of pollution produced. Mining for natural resources produces lots of greenhouse gas emissions.

Circulate Products and Materials (at their highest value)

Circulating products and materials that have already entered the market reduces the need for new materials. Extracting materials from a product prevents the material from becoming waste. 

This occurs in two cycles: the technical cycle and the biological cycle. The technical cycle focuses on reusing, repairing, remanufacturing, and recycling products. Rather than focusing on how to keep using materials, the biological cycle focuses on returning biodegradable materials to the earth through composting and anaerobic digestion. 

When it comes to e-waste, the focus is heavily on the technical cycle and retaining the value of products. An item that works is much more beneficial when reused than a pile of the materials that make it up. Keeping it together helps keep the maximum value. However, when parts break, it may be more beneficial for the value to repair or refurbish. Eventually, technology gets to a place where it can no longer be repaired or used, so instead, it needs to be repurposed or recycled. Materials can be used in various other ways, be that in technology or other products.

Regenerate Nature

By eliminating the need to mine for new materials, we can help the earth regenerate itself. This is extremely important when it comes to e-waste recycling. With new technology constantly being created, we need to consider how often we are extracting new materials from the earth rather than regenerating what we already have. By focusing on renewable resources and finding a way to use renewable energy, we can help reduce the impact of climate change. 

Why it’s Important for E-Waste Recycling

It’s crucial to keep the circular economy in mind when disposing of your end-of-life equipment. Rather than tossing it in the garbage, ensure you are getting the most out of your unwanted technology. 

For more information on properly disposing of your e-waste, contact us here

Reusing Decommissioned Data Center Equipment

Data centers seem to be popping up everywhere. As they close or upgrade, it’s important to reuse as much as possible in the data center decommissioning process.

The circular economy has become a critical aspect of the tech industry. This prioritizes things like reuse in data center decommissioning processes. 

What can be reused?

There are many parts of a data center that can be reused. For example, when a data center is shut down, the equipment doesn’t need to go to waste; other facilities can utilize it.

  • Server hardware like CPUs, RAM, and network interface cards (NICs) do not hold sensitive information, so if they are in working order, they can be reused, refurbished, or resold.
  • Networking equipment like switches, routers, and firewalls can be reused in other data centers. Again, these pieces of equipment do not hold onto data, so they can safely be reused without risking your personal information or data. 
  • Power distribution units (PDUs) can be repurposed for other power distribution applications.
  • Uninterruptible power supplies (UPS) provide backup power to data centers and can be reused to provide the same type of power to other data centers. 
  • Cooling systems comprised of fans, air conditioners, and chillers can all be used in other cooling systems that may or may not be related to data centers. 
  • Racks and enclosures like server racks, cabinets, and cable management systems can be utilized in a different data center or other IT equipment. 
  • Copper and fiber optic cabling can be installed in other networks or communication installations. 
  • Security systems are transferable to pretty much any other security application.

Ensuring data destruction in EOL equipment

Because data centers hold physical versions of data on hard drives, as long as that information is adequately destroyed, your data is secure. Server hardware, networking equipment, and other various pieces of hardware do not hold information, so they do not need to be destroyed in your end-of-life equipment. 

Hard drives and other data-containing storage devices may need to be destroyed rather than reused. Various forms of data destruction services can provide total data erasure. Degaussing can provide magnetic destruction to hard drives, and shredding can provide physical destruction. 

Decommissioned equipment can hold sensitive data, and by working with a professional, like Securis, you can ensure proper recycling and data destruction protocols will be followed for your decommissioning project. If you or your business need a certificate of destruction for auditing purposes, we can provide that. If you need assistance with your data center decommissioning process, contact us here

Why Businesses Need R2 Certified E-Waste Recycling Companies

If your business is looking for an e-waste recycling company, knowing that not all are created equal is essential. The best practice would be to search for an R2 certified company. R2 certified electronics recycling companies need to follow strict guidelines. When a company is not R2 certified, there is a lack of accountability in the recycling process. This third-party certification process covers more than 50 areas of operational and environmental performance. Not only does this ensure e-waste recyclers protect our environment, but it also protects human health and safety.

What does an R2 certification mean?

Sustainable Electronics Recycling International (SERI) established the R2 certification process. Part of SERI’s mission is to minimize the environmental and health risks posed by used and end-of-life electronics. This global certification addresses the entire supply chain and encompasses environmental, health and safety, quality, and data security standards. 

The idea is to facilitate a genuinely circular lifecycle for electronics: extending each device’s life and reusing any and all components, where possible, prior to recycling. Recycling the materials then reduces the need to mine for new materials, allowing the earth to keep those natural resources.

Finding an R2 certified company

If you’re looking for an R2 certified company, you are in luck! There are nearly 1,000 facilities across 37 countries. Unfortunately, there has been at least one case of a company faking an R2 certification.

To avoid this mishap, you can find a vendor, or double-check that your e-waste recycling vendor is R2 certified, on the SERI website. It’s easy to find a company based on region or name!

Why does it matter?

Uncertified recyclers lack accountability. Not only does an R2 certification protect the environment, but it also ensures data protection. An R2 certified company ensures that any data that comes via end-of-life technology is appropriately destroyed.

From start to finish, the R2 process takes on the circular economy and the issues many companies face, including environmental, human health, and social welfare impacts. We know how important it is to reuse. However, irresponsible and illegal transfers happen under the guise of reuse. With an R2 certified company, there is no need to worry about careless transfers. 

Responsible recycling is also a vital part of SERI’s mission. Recycling facilities are helping protect human health and the environment by keeping toxic materials out of landfills.

Overall, if a company is R2 certified, you can rest assured that your data and end-of-life technology will be safe in their hands and reach its complete end-of-life potential. As an R2 certified recycler at Securis, we understand how important this is for the global community. Contact us today to learn more. We’d love to help your company do its part in completing the cycle and staying green!