In the digital age, the disposal of Information and Communication Technology (ICT) devices, often referred to as e-waste, is not merely an environmental concern but also a significant cybersecurity threat. Australian industry organisations dispose of millions of ICT devices annually, many of which still contain sensitive data. Improperly sanitised devices can be and are exploited by malicious actors, leading to catastrophic breaches of security and data privacy.
The secure disposal of e-waste is a critical cybersecurity issue. Given the increasing penalties for data breaches, organisations must adopt rigorous disposal practices. By following a structured framework, entities can mitigate risks, comply with regulations, and protect sensitive information effectively. This approach aligns private sector practices with government standards, enhancing Australia's overall cybersecurity posture.
Every year, Australian industry organisations dispose of millions of ICT devices, most often referred to as e-waste. However, the term e-waste confines the issue to waste, when the problem is both a cyber security and an environmental issue. The data stored on these devices and their components often contains sensitive information about an organisation’s operations and intellectual property, as well as personally identifying information (PII); in the case of networking devices it may also include credentials that grant access to entire networks. It is estimated that approximately 1 in every 250 devices disposed of is not properly sanitised.
The insecure disposal of ICT devices, which remains a peripheral issue in the cybersecurity space, presents serious cyber and data security threats to Australian organisations and citizens. Notably, in the context of Australia's critical infrastructure regime, which has undergone significant reforms, there exists no explicit obligation for captured industry entities to securely dispose of e-waste.
Currently, frameworks and industry requirements discuss data destruction broadly, intending to cover both digital and physical assets. Paper-based asset destruction has very specific requirements and controls. Digital data that is “live” in systems is the focus of security-focused legislation such as the Privacy Act 1988 and the Security of Critical Infrastructure Act 2018, which impose heavy fines and penalties on entities that suffer data breaches, and there is extensive advice available on how to manage the security of data in existing ‘live’ systems. Digital data does not, however, disappear from hardware at the end of its lifecycle, and Australia currently has no legislation or framework that sets out a best-practice approach for industry and individuals to manage hardware, and the data it contains, at the end of its life.
Current cybersecurity frameworks such as the Essential Eight, NIST CSF, AESCSF and CPS 234 speak to the cyber practices required to keep ‘live’ data safe and provide controls for the management of devices. For example, APRA-regulated entities, which hold sensitive PII and protected health information (PHI), are required to follow the CPS 234 information security framework to ensure that information security is considered at each stage of an asset’s lifecycle (from acquisition through to decommissioning and destruction). However, for scenarios where entities have data stored on devices that are no longer in use, there is a gap in specific advice on how to determine an appropriate level of destruction. Whilst the Government has specific controls within the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF) that set out the required destruction procedures for the various classifications of data, private industry and individuals have no such specific mandates. This report analyses the controls provided in the ISM, PSPF, AESCSF and CPS 234, amongst others, to propose a framework for industry and individuals to apply when deciding how and when to destroy a device that has held sensitive data. It is important to note that this report specifically addresses the destruction of digital data (e-waste) and does not encompass the disposal of paper-based assets, which may entail separate and specific requirements for the secure destruction of information.
This fills a significant gap in guidance for industry, supports an ‘all-hazards’ approach to cybersecurity risks and further bolsters the cybersecurity of Australia, particularly of critical infrastructure entities. It would also align the cybersecurity requirements of captured entities with the provisions that Australian Government entities are required to adhere to under the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM), and that APRA-regulated entities must meet under CPS 234. More broadly, with significant fines for serious or repeated privacy breaches now in force under the Privacy Act 1988 (Cth) (Privacy Act), captured entities must also be aware of this looming data security threat and take steps to ensure the secure disposal of e-waste to better protect PII.
As defined by The Global E-waste Statistics Partnership, e-waste is: “All items of electrical and electronic equipment and its parts that have been discarded by its owner as waste without the intent of re-use”. Increasingly, sensitive data and credentials are stored on e-waste, which poses a threat if the devices are not properly treated prior to disposal or re-use. “E-waste includes a wide range of products – almost any household or business item with circuitry or electrical components with power or battery supply”.1 The most recent figures available indicate that Australia and New Zealand produce about 650 kilotons of e-waste annually and, of this, only 59 kilotons is formally collected - about 10 per cent.2
While the detrimental environmental implications of e-waste have been widely explored, the serious cybersecurity risks associated with data retained on discarded devices have not. This is an area that needs urgent attention given predicted future trends - it is estimated that by 2030 the volume of global e-waste will exceed 70 million tonnes per year.3 This increase is largely due to the rapid proliferation and turnover of Internet of Things (IoT) devices. It is estimated that by 2030 there will be more than 25 billion IoT devices connected globally4 - and the volume of valuable, sensitive data these devices hold continues to grow.
Secure disposal of e-waste is complex – as IT devices continue to advance, it is increasingly about much more than just wiping hard drives. Internal policies and guidance may over-simplify or overlook the detail and complexity required to dispose of a device appropriately. A simple check of the IT security policy for device disposal is a good first step for technology leaders seeking to assess whether poor data sanitisation may be a threat. A policy that merely states that “appropriate” disposal considerations be made, without specifying the use of a provider and/or a named owner to manage device destruction, may leave staff in the unenviable position of being responsible for data sanitisation without the mechanisms to perform it effectively.
If there is an intention to re-sell used devices, then organisations should ensure that all data-bearing media in the device has been properly sanitised. Requirements vary from device to device and depend on the sensitivity level of the data. Where effective sanitisation cannot be verified with certainty, the data-bearing media must be destroyed using an approved method of destruction. Again, this will depend on the media type and the risk/sensitivity level of the data held on the device or storage media.
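As an added illustration of what “verifying” a wipe can and cannot establish (example code written for this edition, not from the report or any of the frameworks it cites), the Python below reads a media image back after sanitisation and reports any block that does not contain the expected wipe pattern. The block size, helper names and the two constructed drive images are assumptions of the example. The miss_probability helper makes the sampling caveat explicit: spot-checking a fraction of a drive leaves a large chance of missing a single block of residual data, so only a full read-back can be treated as evidence. Even a clean full read-back only covers the host-addressable sectors; remapped or over-provisioned cells on flash media, and hidden areas such as a host protected area, are not visible to this check, which is why the report falls back to physical destruction where sanitisation cannot be verified.

```python
import io
import math
import random
from typing import BinaryIO, Iterable, List, Optional, Tuple

# Assumed block size for the example; real media exposes its own sector size.
BLOCK_SIZE = 4096


def verify_sanitised(media: BinaryIO, expected_byte: int = 0x00,
                     block_size: int = BLOCK_SIZE,
                     sample_blocks: Optional[int] = None,
                     seed: int = 0) -> Tuple[bool, List[int]]:
    """Read media back and return (clean, dirty_block_indices).

    With sample_blocks=None every block is read; otherwise a seeded random
    sample of that many blocks is read. A block is "dirty" if any byte differs
    from expected_byte. A clean result only shows that the host-visible LBA
    range returns the wipe pattern; it does not prove that remapped or
    over-provisioned flash cells, or hidden device areas, were cleared.
    """
    media.seek(0, io.SEEK_END)
    size = media.tell()
    n_blocks = (size + block_size - 1) // block_size
    if sample_blocks is None or sample_blocks >= n_blocks:
        indices: Iterable[int] = range(n_blocks)
    else:
        indices = sorted(random.Random(seed).sample(range(n_blocks), sample_blocks))
    pattern = bytes([expected_byte])
    dirty: List[int] = []
    for i in indices:
        media.seek(i * block_size)
        block = media.read(block_size)
        # Compare against a pattern of the same length so a short final block is handled.
        if block != pattern * len(block):
            dirty.append(i)
    return (not dirty, dirty)


def verify_image(data: bytes, **kwargs) -> Tuple[bool, List[int]]:
    """Convenience wrapper for in-memory images (constructed test data)."""
    return verify_sanitised(io.BytesIO(data), **kwargs)


def miss_probability(n_blocks: int, dirty_blocks: int, sample_blocks: int) -> float:
    """Probability that a random sample of sample_blocks blocks reads none of
    the dirty_blocks residual blocks: C(n-d, k) / C(n, k)."""
    if sample_blocks > n_blocks - dirty_blocks:
        return 0.0
    return math.comb(n_blocks - dirty_blocks, sample_blocks) / math.comb(n_blocks, sample_blocks)


def build_wiped_image(n_blocks: int) -> bytes:
    """Constructed image of a drive that was fully overwritten with zeros."""
    return b"\x00" * (n_blocks * BLOCK_SIZE)


def build_residual_image(n_blocks: int, leak_block: int, residue: bytes) -> bytes:
    """Constructed image of a drive whose wipe left residual data in one block."""
    img = bytearray(n_blocks * BLOCK_SIZE)
    start = leak_block * BLOCK_SIZE
    img[start:start + len(residue)] = residue
    return bytes(img)


if __name__ == "__main__":
    # Constructed residue string; not a real credential.
    residue = b"db_password=CONSTRUCTED-EXAMPLE-ONLY\n"
    print("wiped image:   ", verify_image(build_wiped_image(64)))
    print("residual image:", verify_image(build_residual_image(64, 37, residue)))
    print("miss probability, 1 dirty block of 1000, sampling 100:",
          round(miss_probability(1000, 1, 100), 3))
    # Against a real device the same check would read from the block device,
    # e.g. with open("/dev/sdX", "rb") as dev (hypothetical path), and should be
    # run in full rather than sampled before the device is released for re-sale.
```

The check is deliberately a read-back, not a wipe: the sanitisation itself should be performed by a method the relevant framework accepts for the media type, and this step only provides the auditable evidence that the host-visible contents match the pattern afterwards.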
There is no doubt that, amid an increasingly complex regulatory and legislative cybersecurity backdrop, organisations are making big changes to the way they protect data during its lifecycle. But, as our report explores, unsanitised e-waste poses significant risks and anecdotal evidence indicates that poor sanitisation and destruction practices are widespread. Hence, there is an urgent need, as a first step, to ensure that Australia’s critical infrastructure and other high-risk entities and their supply chains are required to securely dispose of redundant IT devices.
To this end, we have developed a framework to support responsible, accountable and auditable decision making on the secure disposal of redundant devices by organisations captured by the Privacy Act 1988, the Security of Critical Infrastructure Act 2018 or other legislation. The framework helps companies demonstrate due diligence and responsible destruction of devices, and is designed to support both large firms and small and medium enterprises, which have more limited resources and expertise to draw on for secure disposal practices.