The secondary device market is essential to a circular economy. It provides people with a way to sell or trade used or refurbished tech. Used devices have a lower price tag, making them affordable for those who cannot buy new ones. However, used tech may contain private information that can cause serious harm to an individual or organization.

The world’s average cost of a data breach dropped by 9% to $4.4 million. While this is positive news, there’s still a downside. Data leaks from secondary device markets are increasing, especially in the medical field, where smart health tech and wearable devices are surging in popularity.

The Damage of Data Leaks From Secondary Device Markets

Moving files to the trash and then emptying it isn’t enough to protect your company, organization, or yourself from data leaks. If you’re convinced that deletions or factory resets are enough, you’re mistaken.

1. The Problem With Factory Resets

Factory resets don’t do everything you think they do. Think of them this way. You have an interstate, on-ramps, and the main road. Getting to the interstate is as simple as taking that on-ramp.

A factory reset deletes the on-ramp. The interstate is still there, but the path from the main road to the interstate has been removed. It doesn’t prevent you from creating a new route to the interstate. 

The same is true of a factory reset. All your private information is still on the hard drive, but the path to it has been erased. Someone with skill, or with help from AI, could find a way to access that information. You don’t want that happening.
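The on-ramp analogy above, as a small added example (not part of the original article): a toy storage device whose "reset" clears only the file index, followed by the residual-data check a seller could run before disposal. The `ToyDevice` class, block size, and sample records are constructed for illustration and do not model any real file system or vendor reset routine.

```python
import re

BLOCK = 64  # constructed block size in bytes (assumption for this toy model)

class ToyDevice:
    """Raw blocks (the 'interstate') plus an index of files (the 'on-ramps')."""
    def __init__(self, blocks=16):
        self.raw = bytearray(BLOCK * blocks)
        self.index = {}          # filename -> (offset, length)
        self.next_free = 0

    def write_file(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        # Advance to the next block boundary (round length up to whole blocks).
        self.next_free = off + -(-len(data) // BLOCK) * BLOCK

    def factory_reset(self):
        # As the text describes: only the path to the data is removed.
        self.index.clear()
        self.next_free = 0

    def overwrite_all(self):
        # Sanitization: every byte of raw storage is replaced with zeros.
        self.raw[:] = bytes(len(self.raw))
        self.index.clear()
        self.next_free = 0

def residual_report(dev):
    """Pre-disposal check: what is listed, and what is still physically stored."""
    nonzero = sum(1 for i in range(0, len(dev.raw), BLOCK)
                  if any(dev.raw[i:i + BLOCK]))
    emails = re.findall(rb"[\w.+-]+@[\w-]+\.[\w.]+", bytes(dev.raw))
    return {"visible_files": sorted(dev.index),
            "nonzero_blocks": nonzero,
            "pii_hits": [e.decode() for e in emails]}

def demo():
    dev = ToyDevice()
    # Constructed sample records, not real data.
    dev.write_file("contacts.txt", b"jane.doe@example.com, 555-0100")
    dev.write_file("notes.txt", b"wifi password: constructed-sample")
    dev.factory_reset()
    after_reset = residual_report(dev)   # no files listed, data still present
    dev.overwrite_all()
    after_wipe = residual_report(dev)    # nothing listed, nothing stored
    return after_reset, after_wipe

if __name__ == "__main__":
    for label, report in zip(("after reset", "after overwrite"), demo()):
        print(label, report)
```

After the reset the device lists no files, yet the report still finds two non-zero blocks and the sample email address; only the overwrite brings both counts to zero.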

2. Problems Individuals Face From Data Leaks

If you haven’t properly deleted all data from devices before selling or donating them, the consequences can include:

Blackmail and Social Engineering: Photos and messages left behind on your devices could be used to blackmail you for money. They could also be used to fool your family members into believing you’re in trouble and falling for scams.

Identity Theft: The use of any personally identifiable information (PII) or sensitive personally identifiable information (SPII), such as birth dates, driver’s license numbers, addresses, phone numbers, email addresses, bank account numbers, photos, and SSNs, makes it easy for a bad actor to take out loans in your name or create a fake ID using your credentials.

3. Problems Organizations or Businesses Face From Data Leaks

Access to Networks: Any saved credentials on discarded tech give a bad actor a way to access secure networks. This opens the door to the theft of your patients’, clients’, workers’, or customers’ personal information. Trade secrets and business plans are also at risk of theft.

Corporate Espionage: If any of your sold or donated tech contained client lists, proprietary software, or trade secrets, you risk losing that confidential data. Your competitor could gain access to all your upcoming projects, research, and unique tools and software.

Fines and Legal Fees: Under current state and federal laws, data security is a bank’s, hospital’s, store’s, or other organization’s or business’s responsibility. If you allow data to be stolen or breached because you didn’t follow required data destruction protocols, you face fines and legal fees. You’re also subject to costly class-action lawsuits.

Reputational Damage: People get angry when there’s a breach. It damages your reputation. When news broke that Equifax had been breached because it used “admin” for both the username and password, what did you think of the company? The breach left many people angry and frustrated that a financial company would be so sloppy. Equifax’s stock fell 31%. The company’s public YouGov Buzz Score fell 33 points in just 10 days.

Understanding Data Privacy Laws in the U.S.

The U.S. has several laws that protect your data across different industries. As a business owner or an organization’s leader, it’s your responsibility to ensure you comply with applicable regulations.

  • Children’s Online Privacy Protection Act (COPPA): Website owners must obtain verifiable parental consent before collecting data from any child under 13.
  • Fair Credit Reporting Act (FCRA): The collection and use of consumer credit information must be accurate, and privacy must be ensured.
  • Gramm-Leach-Bliley Act (GLBA): Financial institutions must explain their information-sharing practices to clients and customers and ensure that data is protected.
  • Health Insurance Portability and Accountability Act (HIPAA): Any protected health information must be handled correctly and safeguarded by healthcare and health insurance employees, including but not limited to doctors, nurses, and billing agents.
  • The Privacy Act of 1974: This regulation requires federal agencies, such as the IRS or SSA, to properly manage and use a person’s private information.

Many states have added other laws to ensure consumer privacy and data protection. Here are some of them.

  • California: California residents have the right to know what data is being collected and how to delete it or prevent its sale.
  • Colorado: The CPA requires companies and organizations to allow users to opt out of tracking and the collection of sensitive information.
  • Connecticut: Residents must provide permission for their data to be sold or used for targeted advertising.
  • Delaware: Sensitive information cannot be processed without a person’s, parent’s, or guardian’s permission.
  • New Hampshire: New Hampshire residents have the right to know if businesses are obtaining or processing their personal information, how to delete it, and how to opt out of some kinds of automated profiling.
  • Utah: Residents have the right to access, correct, and delete information collected on them. They can also opt out of targeted ads or the sale of their data.
  • Virginia: Companies must perform data protection assessments to minimize the data being collected and the risk of data theft.

Laws are continually being added. It’s important to stay up to date on changing state and federal laws to ensure you comply with current requirements. 

Best Practices to Protect Your Company or Organization

Whether you’re a hospital CEO, company owner, school superintendent, or business professional working from a home office, data protection is essential. Never sell an item online, donate your old tech, or send items for recycling without first wiping all personal data.

Factory resets aren’t enough. Use a data destruction tool such as Active KillDisk, Blancco Drive Eraser, or WipeDrive. Take out the hard drive and destroy it with a hammer. Even better, work with an ITAD expert who is e-Stewards, NAID AAA, and R2 certified.

ERI offers data destruction services at your place of business or at one of our secure facilities. Once data is destroyed, we can salvage parts for repairs, refurbish and sell items for maximum profit, or recycle them into materials for new items. Reach us online or by phone to learn more.