What should you do with your old computers? It’s not always clear. Federal regulations on recycling electronics have been historically lax, but new state laws are cropping up across the country. At least 25 states have enacted their own regulations regarding the disposal of computer hardware containing potentially lethal amounts of lead and mercury, and several more are considering e-waste recycling bills.
But recycling is not simply a compliance issue. When computers are discarded, the data they contain is often inadequately wiped (simply deleting a file does not remove it from the hard drive), which can lead to data theft. Altogether, the risks inherent in getting rid of computers may encourage CFOs to simply set aside a room in the office, lock up the old electronics, and throw away the key. Considering the alternatives, that may not be such a bad idea.
It certainly would have been better for Mail Source, a data-processing company used by several banks, to have locked up one old computer rather than selling it on eBay in 2008, thereby exposing the bank account numbers and personally identifiable information of millions of Royal Bank of Scotland, NatWest, and American Express customers. There are several laws that could hold companies liable for such breaches — the Health Insurance Portability and Accountability Act, Sarbanes-Oxley, and Gramm-Leach-Bliley, to name a few — but perhaps equally important is the reputational risk associated with such a data blunder.
Environmental Protection Agency (EPA) regulations only govern products that contain cathode-ray tubes or mercury (leaving out many electronics), but state laws vary. Most require manufacturers to have programs in place to take back many of the electronics sold to individual consumers, and sometimes to small businesses. But larger companies typically have to pay for recycling. Some manufacturers, like Dell, offer fee-based asset-recovery services. Dell collects depreciated electronics, wipes them of data, and determines whether they still have value. It then either recycles or resells the products. If it resells, it returns part of the revenue to the companies. Other organizations offer similar fee-based recycling services.
However, under federal regulations, companies that own electronics are liable for the impact their disposal has on the environment even if the process is outsourced to a recycler. In other words, a company does not free itself from liability when it outsources, says Susan Cooke, partner and head of the safety, health & environment group at McDermott Will & Emery. Outsourcing to a recycler “doesn’t mean that you can say, ‘Well, it’s not our problem anymore,’” she says. “What many companies found in the past was somebody might have a license, but that didn’t protect you if things went bad.”
For this reason, companies should be careful about the recyclers they use. In recent years, a number of licensed recycling companies have been shown to have been negligent. For example, when agents of the federal Government Accountability Office pretended several years ago to be foreign buyers, 43 licensed recyclers agreed to sell them old computer monitors (which contain government-regulated cathode-ray tubes) for export. All 43 were properly licensed; all had environmental policies; all acted illegally. And if a real company had outsourced its recycling to one of the 43, that company could have been liable for the illegal resale, says Cooke.
While companies can mitigate their liability by selling or donating their old computers, thereby passing the responsibility of disposing of them properly to the new owners, they have to be careful how they go about it. Should a problem arise down the road, says Cooke, “a regulatory authority is going to see whether what the company was really trying to do was to get rid of the materials without having to pay for disposal.” The condition and age of the equipment, the cost of recycling electronics versus donating them, and other factors will tip off an agency if a company is trying to pull a fast one, she says.
Businesses hunting for responsible recyclers can look for two certifications, according to the EPA. The e-Stewards certification, created by the nonprofit Basel Action Network, has higher standards than its counterparts and only recognizes recyclers that, among other requirements, do not export hazardous e-waste to developing countries or enlist prison employees or prisoners in work details to take the devices apart, often under unsafe conditions. The second, an R2 certification, is less strict, but it has been backed by the EPA, along with the e-Stewards standard.
Companies can also hire a consultant to perform external audits of a recycler or contact trade associations to get information on the recycler’s reputation, Cooke says. Depending on their size and resources, companies may do due diligence differently, says Steve Skurnac, president of Sims Recycling Solutions, an international recycler with an R2 certification. Companies may send an environmental compliance expert, a member of their IT or procurement department, or an independent auditor to vet the recycler, but, Skurnac says, whatever they do, all companies should invest time in checking out recyclers and resellers.
If they don’t, things could get messy.