The Risks of Returned Data-Bearing Devices


Following Black Friday, Christmas, and seasonal sales, we enter the peak period for product returns and trade-ins as customers gain new technology. Old, used, unwanted, incorrect, or faulty technology begins working its way back up the supply chain.

Handlers must take precautions to ensure that residual data on those devices is protected, as falling foul of a breach can lead to numerous repercussions.

Ingram Micro Lifecycle operates returns management programs for various customers who provide high-end consumer electronics. Through decades of experience, we have leading industry insight and stringent processes to mitigate the risks of data breaches daily.

In this article, you’ll understand the risks associated with data breaches from returned products and what the best practices are to minimize these risks.

Understanding data-bearing devices and their return journey

A data-bearing device is an electronic product that stores data physically inside it. Common examples are smartphones, laptops, and tablets. Their data typically contains Personally Identifiable Information (PII), which, if in the wrong hands, can enable fraudulent activity.

These can be returned to the supply chain for several reasons. Insurers, retailers, manufacturers, and technology leasing companies are examples of touchpoints where data-bearing devices may be received. The user of the device, the source of the personal data, may need to return the product for reasons such as faults, upgrades, dissatisfaction, or, increasingly, trading in for value recovery or e-waste reduction.

These can also be business-use devices that store company information. This data could be about the private operations of the company, or even about their customers and transactions.

Can you think of a single business that doesn't use technology in some way to process data? The importance of data security is growing as it touches so many industries.

Key associated risks

Data breaches

If data has not been fully wiped from the product then there may be personal or corporate data remaining. Due to the sensitive nature of the data that may be accessible on returned electronic devices, a breach is one of the highest risks.

Returned products are likely to move onwards in one of two directions: reuse or processing as waste. Residual data may be accessible if efficient data wiping is not conducted. If in the wrong hands, this information can be misused, perhaps sold for nefarious purposes.

Data breaches divert time and resources into investigations rather than allowing your business to continue as normal or focusing on forward-looking growth and strategies.

Breaking regulations and laws

Going hand in hand with the point above, one of the consequences of a breach of sensitive information is that it breaks laws and regulations.

Examples of data protection regulations include the General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). These both mandate that consumers should control how and why their information is used by companies, giving them increased protection over their data being accessed without their consent.

Financial ramifications

There are penalties for non-compliance where businesses don’t protect customer data through stringent processes to wipe residual data. Failure to prove this in the event of a data breach can lead to penalties on different levels.

Under the CCPA, businesses can be sued for monetary damages incurred due to the breach or statutory damages of up to $750 per incident.

Depending on the severity of a GDPR violation, businesses can be fined up to 20 million Euros or up to 4% of global turnover.

There are not only financial penalties to consider, but legal representation and investigating causes also add to the associated costs of a data breach. You would need to invest in additional resources to prevent future breaches. Business insurance costs will inflate as a breach indicates insufficient risk mitigation and data handling. News of the breach will also lower the value of your business overall, impacting investor relations.

Certain sectors, such as healthcare, finance, and retail, have additional regulations to protect customers, increasing financial damages for a company that fails to adhere. Examples of these include:

Reputational impacts

Following a breach, brand loyalty may diminish as customers, stakeholders, and suppliers will be less likely to trust you with their data. They may become skeptical about the precautions you have in place and wary about a future repeat. This will have a knock-on effect on your bottom line and you may find barriers to doing business.

Typical oversights

There are two typical ways residual data may be left on returned devices. The first is where processing is not robust enough to identify and separate products that require data wiping. These therefore risk missing the data erasure step and may continue along the supply chain housing residual data. The second is using insufficient software to perform data wiping. Without fully compliant tools, data may still linger on products, even after running a wipe program. An adequate wipe must be performed to ensure that data from the device cannot be accessed.

Best practices

Whether insourcing or outsourcing your returns management, here are six key ingredients that create a robust process for protecting data on returned electronics.

  1. Develop and enact processes that isolate data-bearing devices from non-data-bearing devices. Consider using automation for efficiency and consistency.
  2. Invest in industry-recognized and trusted data-wiping software, such as Blancco. All units that are processed will be provided with an auditable trail and certification to prove that they’ve been data-wiped to a high industry standard.
  3. Where data is highly sensitive, consider shredding SSDs and hard drives. For certain data types, shredding is the only means of disposal.
  4. Provide full staff training and regular refreshers for compliant handling practices. Stay abreast of the latest industry developments and regulations to tailor your training so it provides a suitable level of education for your teams. Invest in accreditations and certifications for your premises, processes, and software, for example, ISO 27001 and TAPA.
  5. Give the customer visibility of the device processing. Keep them informed of what processing stage the returned product is in so they can trust in your transparency.
  6. Use partners with appropriate certifications, accreditations, financial backing, and appropriate insurance cover that will mitigate potential data breaches. Do your research when looking to find a partner and ensure they can meet the high standards you and your customers need.
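
A release gate covering the two typical oversights and practices 1 to 3 above, as an added example that is not Ingram Micro Lifecycle's code and not the report format of any wiping product. The category lists, field names and sample manifest are constructed assumptions; the gate fails closed, so a unit it cannot classify is handled as data-bearing.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical category lists; a real returns line maintains these per catalogue.
DATA_BEARING = {"smartphone", "laptop", "tablet", "ssd", "hdd"}
NON_DATA_BEARING = {"charger", "cable", "case"}

@dataclass
class Unit:
    serial: str
    category: str
    cert_serial: Optional[str] = None  # serial printed on the erasure certificate
    cert_verified: bool = False        # wiping tool reported a verified erasure
    shredded: bool = False             # physical destruction recorded
    highly_sensitive: bool = False     # data class where shredding is required

def gate(u: Unit) -> str:
    """Decide whether a returned unit may move on for reuse or waste."""
    cat = u.category.strip().lower()
    if cat in NON_DATA_BEARING:
        return "release"
    if cat not in DATA_BEARING:
        # Oversight 1: an unidentified product must not skip the erasure step.
        return "quarantine: unclassified category, handle as data-bearing"
    if u.shredded:
        return "release"  # destruction record replaces the wipe certificate
    if u.highly_sensitive:
        return "quarantine: highly sensitive, shredding required"
    if u.cert_serial is None:
        return "quarantine: no erasure certificate"
    if u.cert_serial != u.serial:
        return "quarantine: certificate serial does not match unit"
    if not u.cert_verified:
        # Oversight 2: a wipe that ran but was never verified is not proof.
        return "quarantine: erasure not verified"
    return "release"

def audit(manifest):
    """Map each serial to its gate decision, giving a per-unit audit trail."""
    return {u.serial: gate(u) for u in manifest}

# Constructed sample manifest.
MANIFEST = [
    Unit("SN-1001", "laptop", "SN-1001", True),
    Unit("SN-1002", "smartphone"),
    Unit("SN-1003", "tablet", "SN-9999", True),
    Unit("SN-1004", "e-reader", "SN-1004", True),
    Unit("SN-1005", "ssd", "SN-1005", True, highly_sensitive=True),
    Unit("SN-1006", "charger"),
]
```
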

Improve data security for returns today

It is always better to be proactive rather than reactive. Adopt best practices, stay innovative, and keep ahead of data security initiatives. Work with trusted partners to share the risk and mitigation responsibilities.

Ingram Micro Lifecycle handles thousands of returned products every week, including data-bearing devices, from a variety of businesses, including insurers, retailers, leasing companies, and businesses operating trade-in schemes. We are audited to industry-recognized standards, including ISO 27001, and by Original Equipment Manufacturers to demonstrate we’re committed to the highest data security practices.

Get in touch with our team today to discuss how we can mitigate your risks of data breaches on returned data-bearing devices.
