eWaste safety hazards and information risks
A warning in the New Zealand Information Security Manual caught my beady eye yesterday:
“Electrical and electronic equipment contains a complex mix of materials, components and substances, many which can be poisonous, carcinogenic or toxic in particulate or dust form. Destruction and disposal of WEEE [Waste from Electrical and Electronic Equipment] needs to be managed carefully to avoid the potential of serious health risk or environmental hazard.”
Disposing of eWaste presents environmental and safety hazards arising from noxious/toxic/carcinogenic chemicals such as gallium arsenide (GaAs) and polychlorinated biphenyls (PCBs), plus the obvious dangers of handling sharp-edged metal or plastic chassis fragments, wires, printed circuit boards and CD/DVD discs, as well as leaky electrolytic capacitors and old batteries. While there may be money to be made by extracting and recycling valuable metals and reusable components, subsystems and modules, that is really a job for specialists with the requisite knowledge, tools, safety gear and market.
Surplus, redundant or broken electronic and electrical equipment includes assorted ICT equipment (e.g. computers, peripherals, IoT things), storage devices and media (e.g. hard drives, CDs and DVDs, tapes, USB memory sticks, paperwork such as system administration manuals, configuration printouts and contracts), components (e.g. integrated circuits, printed circuit boards and spare parts) and consumables (such as used laser printer transfer belts), all of which may contain sensitive information. Unless it is competently sanitised and checked before being sent for recycling/disposal, there is therefore a further information risk of inappropriate disclosure.
Disposal may involve workers casually/carelessly/ignorantly throwing stuff into the ordinary office/building waste, selling equipment with or without management permission, and theft or casual pilfering from waste dumpsters, store rooms etc. As an IT auditor a long time ago, I recall a case involving a PC maintenance engineer pulling and replacing valuable, working circuit boards from company equipment at company expense, then quietly selling the used cards to supplement his income - a lucrative fraud.
As if that's not enough, there can be legal, regulatory and perhaps contractual obligations in this area. Privacy laws such as GDPR, for example, mandate several controls to ensure adequate confidentiality of personal data, plus 'the right to be forgotten', with implications for locating and destroying all copies.
Finally, there is always a possibility of someone inadvertently destroying or disposing of information or equipment that was not, in fact, redundant and worthless - something that makes me distinctly wary of shredding papers left in a pile near or on the office shredder just in case they were not left there for someone to shred.
In short, disposal of eWaste poses several risks and requires appropriate mitigating controls such as:
- Comply with legal, regulatory and contractual obligations for information retention or deletion;
- Use information classification markings and common sense as a guide to the risk levels;
- Securely destroy storage devices or media containing sensitive content, even if it is encrypted;
- Presume that unknown or inaccessible information is probably sensitive and dispose of it accordingly;
- Discard general office paperwork in recycling bins for shredding and mulching;
- Contact IT or other experts for guidance on proper disposal of eWaste, including disposal of large volumes of sensitive information, IT equipment or media;
- Gain assurance of proper information disposal through certificates of destruction, independent observation, forensic data recovery attempts, and total physical destruction (e.g. incinerate shredded papers).
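As an added illustration of the last control above (the 'forensic data recovery attempt' as assurance of sanitisation), here is a small Python check that is not part of the original post: it scans a raw image of a supposedly wiped drive for sectors that were never overwritten and for file signatures that survived. The 512-byte sector size, the signature table and the constructed sample image are my assumptions.

```python
"""Check a raw image of a supposedly wiped storage device for residual data."""

SECTOR = 512  # assumed logical sector size

# Magic bytes of a few common file types; any survivor after a wipe is residual
# data. The table is an illustrative assumption, not an exhaustive list.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP / Office container",
    b"\xff\xd8\xff": "JPEG image",
    b"\x7fELF": "ELF executable",
}


def sector_wiped(sector: bytes) -> bool:
    """A sector counts as wiped if every byte is the same fill value (0x00, 0xFF...).
    Random-pattern overwrites are deliberately not recognised by this simple check."""
    return len(set(sector)) <= 1


def scan_image(data: bytes) -> dict:
    """Return sector statistics and any surviving file signatures in a raw image."""
    sectors = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
    wiped = sum(1 for s in sectors if sector_wiped(s))
    hits = []
    for sig, name in SIGNATURES.items():
        idx = data.find(sig)
        while idx != -1:
            hits.append((idx // SECTOR, name))  # record the sector holding the header
            idx = data.find(sig, idx + 1)
    return {"sectors": len(sectors), "wiped": wiped, "signatures": sorted(hits)}


def sanitised(report: dict) -> bool:
    """Pass only if every sector is wiped and no file signature survives."""
    return report["wiped"] == report["sectors"] and not report["signatures"]


# Constructed sample: an 8-sector 'drive' where the wipe skipped sector 5,
# leaving the start of a PDF and a JPEG header behind.
SAMPLE = bytearray(8 * SECTOR)
SAMPLE[5 * SECTOR:5 * SECTOR + 9] = b"%PDF-1.7\n"
SAMPLE[5 * SECTOR + 100:5 * SECTOR + 103] = b"\xff\xd8\xff"
REPORT = scan_image(bytes(SAMPLE))

if __name__ == "__main__":
    print(REPORT)
    print("PASS" if sanitised(REPORT) else "FAIL: residual data found, destroy the media")
```

For a real multi-gigabyte device you would read the image in chunks rather than into memory at once, and treat any failure as grounds for physical destruction rather than a second wipe attempt.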
Taken in isolation, that policy manual warning for eWaste disposal to be 'managed carefully' is necessary but woefully insufficient, I feel. Perhaps I can persuade the NZ government - and you - to invest some pocket-change in a more comprehensive yet pragmatic 3-page policy template covering information disposal?