As a business owner, you can’t afford to overlook hard drive recycling. The drives store a ton of private data that you are legally obligated to protect.

When it comes time to recycle old electronics, you can’t just toss them out or give them away. You’re required to follow federal and state laws, and you need to be able to provide proof that data destruction took place before the electronics were given to someone else.

Data Protection Laws in the United States

Many U.S. businesses are governed by laws designed to protect data collected from consumers or patients, including:

  • Driver’s Privacy Protection Act (DPPA)
  • Fair and Accurate Credit Transactions Act (FACTA) 
  • Fair Credit Reporting Act (FCRA)
  • Family Educational Rights and Privacy Act (FERPA)
  • General Data Protection Regulation/Europe (GDPR)
  • Gramm-Leach-Bliley Act (GLBA) 
  • Health Insurance Portability and Accountability Act (HIPAA)

Federal data protection laws are only part of the picture. Many states also have their own privacy and data security laws that businesses must comply with. Those states include:

  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Iowa
  • Montana
  • Nebraska
  • New Hampshire
  • New Jersey
  • Oregon
  • Texas
  • Utah 
  • Virginia

Suppose your company is purchasing brand-new equipment for every office. You have dozens of 10-year-old laptops, printers, tablets, cellphones, and other office equipment that contain customer names, credit card or bank account information, phone numbers, and addresses.

You put those items in your office storeroom and forget about them. A year later, they’re missing. If they’ve been donated or sold to someone else without first destroying all the data on them, you’re responsible for a potential breach or theft of personally identifiable information (PII) or sensitive personally identifiable information (SPII). 

The fines are steep if you fail to follow data protection laws. To start, if you throw electronics into the trash instead of arranging for e-waste recycling, there are EPA penalties of up to $37,500. HIPAA violations range from $145 to $73,000 per violation.

FCRA fines are up to $1,000 per violation, per consumer. If you stored records for 50,000 customers and were hit with the maximum penalty, that’s $50 million in potential FCRA fines. Can you truly afford that? Few can, which is why hard drive recycling is so important.

Your Options for Data Destruction

The general guideline for most businesses is to partner with an ITAD provider that follows the gold standard for media sanitization, NIST SP 800-88 Rev. 2. This guideline doesn’t just involve wiping a hard drive; it calls for sanitizing the drive so that the data is impossible to recover.

Deleting files from your hard drives isn’t enough. It removes the link to the content but doesn’t delete the actual data. It’s like taking away the stairs to your house. It’s a bit harder, but someone can still find a way inside.

Instead, you need a data destruction method that makes the data impossible to retrieve. That leaves you with the following options.

1. Data Wiping

Binary code is a series of 0s and 1s. When you wipe data using software, you overwrite every area of the drive repeatedly with random patterns. It’s the only way to destroy data while ensuring the drive can be reused, which is helpful if you want to refurbish a device. 

It takes time, though. Depending on the size of the drive and the speed of your device, it can take two hours or more than a day. 

Best for devices you plan to resell or donate.
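The difference between deleting and wiping, shown as an added example that is not part of the original article: the Python below builds a constructed toy disk image, deletes the file's directory entry, scans the raw sectors for the record, then overwrites every sector with random data. The image layout, file names, and sample record are assumptions made for illustration.

```python
import os

SECTOR = 512
ENTRY = 32  # size of the single directory entry in this toy layout
# Constructed sample record; not real customer data.
RECORD = b"name=Jane Example;card=0000-0000-0000-0000"

def build_image(path, sectors=64):
    """Toy disk: sector 0 holds the directory, sector 5 holds the file data."""
    with open(path, "wb") as f:
        f.write(bytes(SECTOR * sectors))
        f.seek(0)
        f.write(b"customers.csv@5".ljust(ENTRY, b"\0"))
        f.seek(5 * SECTOR)
        f.write(RECORD)

def delete_file(path):
    """Model an ordinary delete: clear the directory entry, leave the data."""
    with open(path, "r+b") as f:
        f.write(bytes(ENTRY))

def list_files(path):
    """What the operating system would show: names found in the directory."""
    with open(path, "rb") as f:
        entry = f.read(ENTRY).rstrip(b"\0")
    return [entry.split(b"@")[0].decode()] if entry else []

def residual_sectors(path, needle):
    """Scan raw sectors for needle, ignoring the directory entirely."""
    hits, index = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(SECTOR):
            if needle in chunk:
                hits.append(index)
            index += 1
    return hits

def wipe(path, passes=3):
    """Overwrite every sector with random bytes, flushing after each pass."""
    count = os.path.getsize(path) // SECTOR
    with open(path, "r+b") as f:
        for _pass in range(passes):
            f.seek(0)
            for _sector in range(count):
                f.write(os.urandom(SECTOR))
            f.flush()
            os.fsync(f.fileno())

def demo(path="toy_disk.img"):
    build_image(path)
    delete_file(path)
    after_delete = (list_files(path), residual_sectors(path, RECORD))
    wipe(path)
    after_wipe = residual_sectors(path, RECORD)
    os.remove(path)
    return after_delete, after_wipe
```

After the delete, the file no longer appears in the listing, yet the record is still found in sector 5; after the wipe, the scan finds nothing.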

2. Degaussing

Degaussing uses strong magnets to erase the data stored on a device. Once the information is ruined, the hard drive is worthless and can never be used again.

Degaussing only works on data stored on magnetic media. With magnetic media, binary data is stored on a disk or tape by magnetizing particles. While many of today’s laptops and computers use solid state drives (SSDs), older ones used hard disk drives (HDDs).

Best for devices containing magnetic media, such as HDDs or magnetic tape.

3. Physical Destruction/Shredding

Giant shredders chop hard drives into small particles. It’s like a giant paper shredder but for metal and plastic. The resulting fragments are no larger than 2 millimeters. Because the hard drive is destroyed, it can never be reused or accessed.

Best for damaged electronics and the highest level of data security.

The Risk of Taking the Easy Way Out

You could store your devices in a storeroom or closet and forget about them. You could hire the first affordable company you find. Or you might just drop your devices off at a local thrift shop and assume they’ll destroy the data for you. As you’re about to learn, these aren’t good ideas.

Staples Canada did not remove PII before refurbishing and selling returned laptops. The Privacy Commissioner of Canada collected many devices and found that 23% still contained emails, photos, names, and email addresses.

Washington State University stored a backup hard drive in a small safe placed in a self-service storage locker. Someone broke in and stole the safe. That hard drive contained SSNs and other SPII of over 1 million people. 

One of the biggest penalties in history was imposed in 2022, when Morgan Stanley Smith Barney had to pay $35 million to the SEC. The company hired a moving firm for decommissioning, but they never properly vetted the downstream vendors or the moving company’s ITAD expertise.

In each situation, there are fines, along with increased costs for fraud insurance and postage to mail notifications to all affected customers, students, employees, or clients. Plus, there’s damage to your company’s or organization’s reputation.

Work With a Certified IT Asset Disposition (ITAD) Partner

Recycling hard drives requires expertise, and you must carefully vet the ITAD partner you select. Pay close attention to the company’s certifications. 

An electronics recycling and ITAD provider that holds the following certificates undergoes rigorous inspections to ensure the staff and administration follow all protocols required by the certifying agency. The ITAD provider isn’t given advance notice of these inspections, so passing them ensures the company isn’t letting anything slip.

  • e-Stewards – A guarantee that electronics are never sent to a developing nation or a landfill. They’re recycled responsibly and ethically.
  • NAID AAA – A guarantee that data is properly destroyed and the Chain of Custody is tracked from the moment your electronic devices leave your office.
  • R2 V3 – “Responsible Recycling” advocates reuse over recycling whenever possible. E-waste recycling companies must test all electronics before shredding them to determine if they can be refurbished.

Why Do We Recommend Partnering With ERI? 

RecycleNation offers an online search tool to help you find places that accept your used electronics and recycle them responsibly. Make sure you research the facility first to ensure they destroy data properly. 

We recommend our partner, ERI. It was the nation’s first dually certified e-Stewards and NAID e-waste recycler with multiple locations. In addition to the three certifications above, ERI holds several others that demonstrate it takes its job in ITAD and electronics recycling seriously.

  • ISO 9001 – Proves there is a system in place to ensure regulatory compliance and customer satisfaction.
  • ISO 14001 – Proves that the ITAD and e-waste company abides by frameworks to handle hazardous materials that prevent pollution and lower its carbon footprint.
  • ISO 45001 – Proves that the processes and facility safeguard the workers’ health and safety.
  • AICPA SOC 2 Type II – Guarantees responsibility for the handling and security of PII and SPII.

One substantial reason we recommend ERI is that they’ll come to your office to destroy data and help you recycle electronics responsibly. You’ll have documentation showing that you followed every requirement regarding data destruction. It’s the company RecycleNation trusts to destroy data, support the circular economy, and protect the environment.