Kick ACE Blog
Hi! I'm Bob McCarthy
I write things
May 20, 2021
How To: Implement A Process for Secure Data Destruction
Another day, another data breach. Data protection and privacy concerns are putting organizations under extreme pressure.
While network administrators often feel comfortable with their strategies for protecting the IT hardware connected to their network, they are less sure about the decommissioned hardware they remove from it. And when the average cost of a data breach in 2020 exceeds $3 million, I start getting asked many questions about how to protect unused IT assets.
So here are a few simple steps an organization can take to help minimize risk and prevent any financial or reputational damage resulting from reckless handling of its decommissioned hardware.
Implement a Data Destruction Policy Procedure. This can be done by creating a document that contains the necessary steps to perform secure and compliant data destruction. The procedure should include the different types of storage media at risk and how these data devices will be destroyed to NIST 800-88 specifications. It should also list the individuals responsible for carrying out
Perform Due Diligence on all 3rd Party Vendors. Third-party breaches account for over half of all data breaches in the US, according to the Ponemon Institute.
- Verify they offer a secure chain of custody throughout the process.
- Verify they have documented data destruction procedures in place.
- Verify they maintain all records and evidence of data destruction, including recording serial numbers of data-containing devices.
- Verify the third-party vendor meets NIST 800-88 specifications.
- Verify they are certified to R2, e-Stewards, or NAID and are audited yearly.
- Verify they maintain insurance in case of a data breach.
Have Contracts in Place for Third-Party Vendors. Ensure clauses are in place for verifiable data destruction on all data-containing devices. At the completion of a project, the vendor should supply a Certificate of Destruction / Sanitization and a serialization report of the devices on which the data was destroyed.
Maintain Records. This is best accomplished by creating a “Records Retention Table or Calendar.” Evidence of data destruction often needs to be kept for a specific period to comply with regulatory statutes. A records retention table will ensure you have kept the documented evidence of data destruction for regulatory purposes.
At Adams Cable Equipment, we take pride in ensuring our clients have the peace of mind they deserve when it comes to data security. Our safe, certified approach is vetted by third-party auditors and covered by our million-dollar insurance policy. We have your back!
April 22, 2021
Earth Day & Proper Battery Disposal
It’s an absolute privilege working with our customers to make our Earth a better place to live.
In the consumer electronics sector, smartphones need long-lasting batteries and electronic wearables need cost-effective battery solutions. Consumerism, especially digital consumerism, is driving increased use of digital technology. This emerging opportunity brings batteries into the spotlight as a key enabler of the age of portable electronics and smart mobile computing.
The question is, what are we to do with all of the batteries after we have used them? Did you know that the US Environmental Protection Agency (EPA) recently created some helpful guidance on managing end-of-life batteries properly?
This information can be found at the following links:
https://lnkd.in/eMRfv-U - “Used Household Batteries”
https://lnkd.in/eckqZ5B - “Used Lithium-Ion Batteries”
https://lnkd.in/eQHV6SX - “Frequent Questions on Lithium-ion Batteries”
March 25, 2021
The Impacts of Electronics on the Circular Economy
In the past few years, the move towards a more circular economy has gained traction. As the world’s population continues to grow and deplete the earth’s limited resources, it has become increasingly important to replace the Take/Make/Dispose practices of the past century with more sustainable alternatives.
A circular economy focuses on resource management vs. waste management. It requires the extraction of maximum value and use from all products and materials. This maximization helps bridge the digital divide by providing people with access to affordable used electronics in developing regions of the world. Not only that, but it also improves the environment by keeping potentially harmful materials out of the waste stream.
In the circular economy, reuse takes center stage because it has the most environmental and economic benefits. Almost 75% of the total energy used during a laptop’s lifecycle (3 years) is used during its manufacturing. Think about that for a moment. 75% of the total energy used during its entire life span occurs before the laptop is even turned on!!! Extending the life of a laptop to 7 years reduces environmental impacts by more than 40%. So simply extending the life of electronics, head-end equipment, or IT hardware through responsible reuse significantly reduces a product’s environmental footprint. Simply stated, Reuse is the BEST form of Recycling.
That is why here at Adams Cable Equipment (ACE), we invested so heavily in our state-of-the-art refurbishment lab and our quartet of certifications. At ACE, 90% of all material we receive into our building is tested, refurbished, and repaired for reuse. If your company is looking to participate in the circular economy, give us a call. Your best deal begins with ACE.
February 18, 2021
Looking for a New Sustainability Objective?
Is your organization looking for a way to meet your 2021 sustainability objectives? After years of coming up with programs such as recyclable trash cans in the lunchroom, recyclable paper bins in the front office, or upgrading light fixtures to LED lighting to reduce power consumption, many companies are on the search for their next sustainability initiative.
Imagine incorporating a plan in 2021 that would lead to protecting workers' health both domestically and abroad, reducing your organization's carbon footprint, and showing a commitment to environmental stewardship. Imagine being able to look at your shareholders and tell them that, because of this new initiative, you are also significantly reducing risk for the organization from a legal compliance and branding perspective. What one initiative can make such an impact, you ask? Simple. Verifiable responsible recycling of your old electronic equipment.
Did you know that the earth's annual e-waste could grow to 75 million metric tons by 2030? That is a pretty large pile of discarded electronics!! Unfortunately, this amount of e-scrap can also have a significant negative impact on the environment and human health and safety. An example of this can be found in Guiyu, China, commonly known as the world's largest e-waste dumping site. Here, the blood lead levels in children are significantly higher than those of children in neighboring communities. Why, you ask? The answer lies in the primitive e-waste recycling activities found in many developing countries. These primitive practices destroy the environment and, in turn, harm human health. Unfortunately, most companies in the United States today do not understand what impact their discarded electronics can have on the world.
Creating a sustainability plan would require your organization to document your old electronics' process flow. This plan would include having documented evidence of where products are refurbished for reuse or destroyed for commodity recovery. Whether you are a manufacturer, a cable provider, or a Fortune 500 company, using an R2 certified vendor such as Adams Cable Equipment will allow you to follow the complete process flow of your old electronics all the way to the end. In addition, here at Adams Cable, we are even able to provide a sustainability report to show the impact of your organization’s electronics recycling activities on its carbon footprint.
Make 2021 the year your organization decides to take control and truly understand the impact its discarded electronics can have on the world.
February 2, 2021
Save Yourself the Headache: Use an Authorized Arris Refurbisher
Imagine a consumer sitting at home, trying to do their work online, when suddenly they have no access to the internet. They try all of the tricks they have learned over the years: unplugging their router and modem, restarting their computer, and even waiting 30 minutes to see if the problem fixes itself. But to no avail. They still do not have internet service and they have a Zoom meeting with their boss in
Now imagine this happening to thousands of consumers, on the same day. Can you imagine the chaos it would create for the cable provider? The number of incoming calls to customer service and technical support would be staggering! And worse yet, the number of lost customers a system could potentially see would be devastating to the bottom line.
The reality is that come May 2021, this is exactly how things could play out if Cable Systems are using Arris and Motorola legacy product from a non-authorized refurbisher or distributor. You see, legacy Arris and Motorola DOCSIS 3.0 modems will begin going out of service in May 2021 unless action is taken to load renewed CableLabs-issued DOCSIS Manufacturers CA certificates prior to that date. Without this action, modems with the expired certificates simply will not be able to come online and will become effectively nonoperational.
Using an authorized refurbisher of Arris and Motorola product, such as Adams Cable Equipment, allows the refurbisher to legally download the updated firmware and renewed Manufacturers CA certificates to the DOCSIS 3.0 modems to keep them fully functional. Firmware updates for the renewed DOCSIS certificates are subject to licensing, and therein lies the risk of using a non-authorized refurbisher.
A non-authorized refurbisher is simply not licensed to upgrade the firmware.
Now more than ever, purchasing product, or having clean and screen services performed, needs to be from an authorized Arris / Motorola refurbisher. The consequences of the alternative are real…do not let it happen to you this May.
January 26, 2021
Due Diligence & Data Security
Today, every business has to deal with protecting its sensitive data. Whether organizations are protecting themselves from hackers online or from exposure through their own recently decommissioned IT hardware, data threat is a growing risk. Most companies have cybersecurity practices in place, but an alarming number of organizations do not have a plan to deal with their decommissioned computers. Having a data security strategy covering both digital (cyber) and physical (decommissioned IT hardware) theft is critical to any organization’s risk
Data privacy laws continue to grow stricter, as illustrated by over a dozen new privacy and security laws that have been enacted over the past few months by both state and federal agencies. The absence of a data security plan could lead to more significant risks and increased fines in the event of a data breach. One of these new regulations is an Amendment to the HITECH Act.
The HITECH Act Amendment offers new incentives to reduce fines and other remedies in the event of a data breach. While the amendment does not include specific language, it does make clear the incentives for covered entities having “certain recognized security practices.” Section 13412(b) of the act defines the term “recognized security practices” as the “standards, guidelines, best practices, methodologies, procedures, and processes developed” under section 2(c)(15) of the National Institute of Standards and Technology (NIST) Act.
Adams Cable Equipment is an R2 certified facility and can help companies meet “certain recognized security practices” regardless of the industry an organization is in. The R2 Standard requires a certified facility, such as Adams Cable Equipment, to meet NIST requirements for data destruction. The R2 certified facility must maintain documented data destruction procedures and maintain records for a specified period of time. An independent third-party auditor then audits these procedures and records yearly to ensure the facility meets R2 and NIST guidelines.
Laws, such as the HITECH Amendment, protect organizations by merely having them able to demonstrate, to some unspecified degree, the existence of recognized security practices. One form of a security practice would be to utilize an R2 certified vendor, such as Adams Cable Equipment, to manage their unneeded electronics. This would allow the organization to show the federal authorities that they were using a vetted and certified company establishing a form of “security practices.” Using a non-certified vendor for your old IT hardware is simply not worth the risk.
December 14, 2020
The Word "E-Waste" – Overused & Inaccurate
I have been in the ITAD industry for over 20 years, and my single biggest pet peeve is the use of the word “e-waste” to describe decommissioned IT hardware and other unneeded or unwanted electronics. Unfortunately, the term has become so synonymous with the electronics recycling industry that several companies even place the word in their name.
And it is wrong.
Waste is defined as “material that is not wanted; the unusable remains or byproducts of something.” The last time I checked, that is NOT an accurate description of electronics. Can someone explain to me why this term is still so common?
Electronics simply are not “ewaste”. Whether they are whole units or parted out, many electronics can be refurbished and reused. Reuse is the best form of recycling and is by far the best way to extend a product’s lifespan. Electronics are so easily and often replaced that always buying new, and discarding the old, is not a sustainable practice and certainly not in the best interest of our planet or economy.
Nearly all the materials that make up end-of-life electronics can be recycled safely. Commodities that can be recovered from electronics include gold, silver, copper, lithium, palladium, aluminum, steel, mercury, and plastic, just to name a few.
There is enough demand for both refurbished electronics and recycled commodities to make a sound economic case for the value of so-called e-waste. Using recycled materials reduces the production cost of new goods, lowers CO2 emissions, and puts less strain on the planet’s natural resources, compared to sourcing virgin material.
It’s simple: Electronics that are being reused on the secondary market or properly recycled for their commodities are not going to waste! The only true “e-waste” is the electronics that are still ending up in landfills or e-waste “graveyards” around the world because of irresponsible and often illegal handling of those electronics. No one benefits from the space they take up or the pollution they cause when they are left to decompose – a process that can take thousands of years.
Refurbishing, reusing, and recovering precious commodities are the opposite of wasteful. Any recycling company that treats old hardware as simply “waste” or calls it “ewaste” should raise flags for anyone looking to retire their assets.
Your image and brand are too valuable to risk.
October 12, 2020
5 Tips for Verifying Secure Destruction
I am often asked, "How can a company verify with confidence that their product sent for secure destruction was actually destroyed?"
In light of Apple's lawsuit announcement against a third-party vendor for selling product that was supposed to be destroyed, I thought it would be necessary to delve into this incredibly important topic. (See article below for full story.)
So, why would a business demand secure destruction of their product? The most common reason is that said company is extremely concerned with data security and has decided to destroy their data-containing devices to eliminate their risk. Obsolete R&D and proprietary devices are some other categories that could pose a threat to an organization if not properly destroyed. On the other hand, there are also types of risk more closely related to sales. A company may have excess inventories of new product that they would rather destroy and recycle than have them resold on the open market. This way, they won't be competing against their own products in the marketplace. Lastly, we have seen unsafe products make their way back into the market after the manufacturer contracted with a vendor intending to have them destroyed, ultimately putting the public at risk.
Unfortunately, companies are often misled by their downstream vendors, only to find that their products designated for destruction were not destroyed. Shocker, right?! Over the course of my 20 years in the industry, I have seen companies getting screwed time and time again.
So what steps can a company take to ensure proper destruction?
- Use only a vendor that will not subcontract out the destruction services and that is itself a certified facility (R2, NAID, eStewards, ISO9001, etc.). Facility certifications require detailed written processes, documentation to verify that those processes are followed, and retention of all records.
- Require a signed certificate of destruction detailing the serial numbers of the devices destroyed.
- Request pre- and post-destruction photos or video footage of the product being destroyed.
- Have the vendor verify a mass balance by measuring the weight of product going into the shredder versus the weight of the commodities coming out (plastic, steel, circuit boards, aluminum, etc.).
- Witness the destruction first-hand, or send an independent third-party witness to observe and document destruction.
September 18, 2020
Data Security & HIPAA
As healthcare networks across the country have allowed employees to work from home, it is essential to remember this equipment needs to be handled appropriately as people come back to work. We at ACE understand the risks and returns this equipment can provide to an entity.
45 CFR 164.310(d)(2)(i) and (ii) cover the disposal of electronic equipment and require policies and procedures to be developed and implemented to address the final disposition of ePHI (Electronic Protected Health Information) and the media on which it is stored. ePHI must be removed from electronic devices before they are re-used, scrapped, or recycled.
Prior to disposing of electronic media, all ePHI on the devices must be rendered unreadable, indecipherable, and incapable of being reconstructed. OCR suggests clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (physical destruction) the information from the electronic media.
If a covered entity is unable to perform these actions, a vendor can be used. That vendor would naturally be a business associate, and a HIPAA-compliant business associate agreement would need to be signed by both parties before any devices are handed over.
The failure to remove ePHI prior to disposal is a violation of HIPAA Rules, and one that could potentially result in an impermissible disclosure of protected health information. It could also lead to a financial penalty for noncompliance with HIPAA Rules.