Data in the Dumpster
By Stephanie Blanchard, Assistant Editor
It’s time for a new smartphone. According to a study by Recon Analytics, Americans replace their devices more often than consumers in any other country in the world, roughly once every 21 months. And with the pace of device launches stepping up, the enterprise is likely to see more devices moving in and out as well.
David Smith, senior director of customer solutions at GENCO, a 3PL, says, “Today, consumers now have choices to dispose of their devices. Many big box stores and wireless carriers have implemented recycling programs where consumers can bring in their devices for companies to recycle precious metals and remove solid waste from hitting the landfills. Many nonprofit organizations also accept donated devices to redeploy to soldiers or victims of national disasters.”
He points out that these types of programs can lead to concerns or questions, the most obvious of which is what happens to the customer personal information (CPI) that may be left on the device. “As of today, industry standards for the removal of customer personal information (CPI) do not exist,” he says.
A company with an MDM solution in place, either for its corporate-owned devices or as part of its BYOD policies, will have security measures that allow IT departments to remotely wipe corporate data and sever network connections before the devices are disposed of. What happens when BYOD is not fully controlled or policies are not enforced? Does an employee think about the data that gets dumped?
On the Employee?
While some BYOD employees may remember to remove the SIM card before participating in these public programs, will they know that the internal memory must also be wiped? That's where the information is stored, from email to contacts and other sensitive data that could compromise any business. Even more data could be found on the removable SD card.
The many reported breaches from theft of laptops, flash drives and other mobile devices show what a clear threat leftover data is, and this risk extends to devices that are dumped or irresponsibly recycled.
With the BlackBerry 10 launch, a number of older BlackBerries are expected to be recycled or resold in the secondary market by mid-spring. Marc M. Leff, chief operating officer of GRC Wireless, said his company currently processes 5,000 BlackBerry devices per month. He expects to triple that monthly amount as existing users upgrade to BlackBerry 10.
In general, millions of phones actually wind up in municipal landfills. According to the U.S. Environmental Protection Agency (EPA), more than 82% of electronic products are dumped annually, with only 18% collected for recycling. When those devices are recycled, they are either stripped for parts or re-sold.
Unfortunately, incompletely wiped smartphones routinely show up on eBay, Amazon and other national sellers, which have hundreds of thousands of active listings daily. Robert Siciliano, a personal security and identity theft expert, purchased 20 different devices from Craigslist users in early 2012 and found that three of the devices had never been wiped.
What's the Solution?
Lifecycle supply chain solutions providers, like GENCO, work with carriers who build "buy back" programs into their contracts with enterprise customers. When a solutions provider is contractually obligated to wipe the devices, there is a full guarantee that the data will be wiped. But not all resellers make such agreements, and this also only works for corporate-owned devices, as BYOD is not usually covered under such contracts.
To address BYOD, enterprises should institute in-house recycling programs by coordinating with IT departments and ensuring that employees know such programs exist.
IT must completely wipe data before donating phones to company-approved resellers and/or go through a reseller or recycler who offers a 100% guarantee the device is “clean.”
While this may seem obvious, according to Christopher Irion, CEO of e-Cycle LLC, 95% of the used enterprise mobile phones and devices his company receives still contain important data, even though the organizations claim that they took the necessary steps to delete all pertinent information.