How to Audit your ITAD & Recycling Service Providers by Jade Lee, MBA President/CEO Corporate e-Waste Disposal Summit 7/31/2012

Auditing – 4 Critical Areas Data Security Asset Recovery Environmental Value-Add Service Capabilities and Strategic Vision for the Future

Why Audit your Vendor? You can not afford to have fuzzy feeling on what your service provider do with your data & equip. R2 and e-Stewards: Baseline only, they are simply not enough to tell you what goes on inside a facility on daily basis, not to mention integrity.  Auditors only have a few days to check a facility  Auditors check paperwork most of the time  Auditors do not know all the tricks that recyclers play  Auditors may not be well-trained. They even do not know all the standard details (ex. Per R2, before shredding, you need to remove lithium batteries from circuit boards, and remove lamps from laptops, LCD display, etc.)

Why Audit your Vendor? Environmental certifications are great, but what about data security that could have huge financial and legal impact?  According to The Ponemon Institute, the average cost of a data breach in the US in 2011:  $194 per customer record  $5.5 million per breach! You will feel better after a first hand look at where your equipment will be managed!

Data Security Audit What certifications?  NAID offers different certifications. You should be aware of this before you perform the audit 1) “Hard Drive Destruction” (physical destruction only.) Recyclers usually only pursue this certification so they can claim holding a NAID certification. Punch a hole on HD can be qualified. However, it is not sufficient for ITAD/asset recovery program. 2) “Hard Drive Sanitization” (must for ITAD/asset recovery) 3) “Solid State Storage Devices/Media Destruction 4) “Solid State Storage Devices/Media Sanitization Unannounced Audit

Data Security Audit Chain-of-Custody Management  On-site packing protocols  Shipping security protocols  Auditing of white glove service & transportation companies Facility Security  Where is sanitization performed? a secured area?  Do they have door access control? video surveillance and motion sensor/light control at night time?  Employee background check & drug test – which employees have access to your equipment? SSI’s Dedicated Data Sanitization Room (one and only in the industry)

Data Security Audit Sanitization Process  How many passes? Most recyclers’ default is one (1) wipe (low level format) DoD M & NIST Special Publication specs: minimum 3 wipes  Do they have a well-defined verification procedure in place to verify that drives are totally wiped?  How often do they calibrate the software (for both Sanitization and Verification software)?  How will they manage data destruction on solid state hard drives – new software needed

Data Security Audit

Physical Destruction Process  If they shred, how small are the pieces?  Are circuit boards (focus materials) removed from hard drives?  How are solid state storage devices (flash drive, SIM card, etc.) handled as they are too small to be shredded by large shredders?  If they degauss, double check the maker and model to make sure that is NIST approved model.

Asset Recovery Audit Receiving  What information they record at receiving: BOL #, Receiving Date, Shipper company name, Shipper facility name/location  Do they have barcoded pallet ID # that can track all the way throughout the process?  Do they verify your inventory list and note what were not received and what received not on the list?  Do they record serial/asset # and ties it with the pallet ID# to track all the way throughout the process?  Do they just power on the unit or wait for at least hours  How do they track the sold units?  Do they provide warranty services?  See a sample of settlement report details

Asset Recovery Audit

Environmental Audit Before you visit  Have the recycler fill out a detailed questionnaire. The level of detailed answer is the first indication of their practices  Read and consult with consultants on key R2 and e- Steward Standards  Will they disclose their focus material downstream vendors to you?  Check their downstream vendors’ background and EPA ECHO database: echo.gov/echo/compliance_report.html

Environmental Audit  Ask their downstream vendors if they actually ship to them and the volume. How is their packaging and level of packing list details?  Check their environmental compliance record with Federal and State EPA’s  Check with their peers of the vendor’s reputation  Will they allow unannounced audit?

Environmental Audit Sample of Public Information: News published in The Sacramento Bee (California Newspaper) on recyclers submitted fraudulent reports to CA government to collect payments on residential e-waste never collected and processed.

Environmental Audit On-site audit:  Verify recycler’s questionnaire response against what you actually see on-site.  If the facility clean and well-organized? Are they cluttered with whole warehouse full of non-processed materials?  How many workstations do they have in view of the volume they process? Are the workstations well designed and organized? Do they use air tool or just battery powered screw drivers? Are they fast (productivity)?  Check their steel roll-offs – how many, how big and how often they switch? Check shipping records  Check their plastic bales – volume, how they bale them? Separate by type and color? Check shipping records.

Environmental Audit On-site audit (cont’d)  How do they manage focus materials as per R2 and e- Steward standards? For example: before shredding, batteries on processing circuit boards and lamps from laptop/LCD display have to be removed. Do they have in-depth knowledge on the proper management of these materials – check procedures? Focus Materials: CRT glass, Circuit board, Batteries, PCB’s, Mercury containing devices (such as lamps)  How do they manage other special waste such as toner (do they have procedures in handling toners taken out from printer/copier and place them in gaylord boxes with lid?)

Environmental Audit On-site audit (cont’d)  Observe if they have attention to details  What is the true attitude of their top management toward certifications – just for getting a pass to pursue customers or wanting to lay the foundation for continual enhancement and transformation? Is their President/CEO familiar with standards and did he/she sit through the standard audit process? Do they have a dedicated QEHS/EHS Manager?  Check their annual training schedules on environmental, quality, health/safety and data security standards. Check their training records. Are they in database tracked by subject and Staff name?

Export Control Management  Focus Materials: CRT glass, circuit boards, battery, mercury containing devices, PCB’s.  All the top smelters are in international countries, such as Europe and Japan.  Remarketing of Asset Recovery Items such as computer, network equipment, etc. is global market. The key is only selling fully tested and functional equip with warranty. Data in hard drives must be totally destroyed. It is hard for auditors to discern recycler’s true practices.

Pricing Alert  If the recycler offers no cost or below industry prices, be alert  If they pay you for incomplete IT units, be alert  Many of our OEM customers were hurt by dishonest recyclers selling their products on e-Bay  For ITAD/asset recovery program, ask them the true formula of revenue share. Do not be disguised by comparing the percentage of share (i.e. 80% vs 60%). Many recyclers use high % to disguise high deductions -- the end result of high % could be much lower share value.

Questions? Phone: (630) , x22 or x10 Cell: (630)