Leveraging IT asset disposition to strengthen data protection

In today’s environment, organisations cannot afford a weak link at any stage of their data management strategy. This applies not just to data creation and storage, but also data destruction. Many it and business leaders may be unaware of the myriad data protection risks that can occur at the end of the data lifecycle. This article discusses those risks and how to mitigate them through a best-practices approach to it asset disposition.

Business and IT leaders are under intense pressure to secure and protect data at every stage of its lifecycle. The average cost of a data breach has risen to $4 million, and the average cost of each lost or stolen record containing sensitive or confidential information is $158.¹

Beyond costs, a breach can inflict significant collateral damage to the business, resulting in fines or other penalties for failure to meet regulatory requirements. In addition, a breach can cause irreparable harm to brand reputation and customer goodwill, while creating potentially serious morale and productivity problems for employees.

To limit risk, organisations are embracing solutions and strategies that protect, preserve and manage data at every stage of its lifecycle. One of the biggest challenges comes at the end of an IT asset’s life, when organisations must ensure that specific actions are taken to prevent breaches as data-bearing equipment is retired.

Business and IT leaders are increasingly turning to IT asset disposition (ITAD) services as a way to ensure protection. The ITAD market is growing at a compound annual rate of nearly 10% and is expected to reach more than $20 billion by 2022.² While that growth is being fueled primarily by increased spending on data protection, companies that invest in ITAD are also able to achieve ancillary benefits such as value recovery and environmental compliance.

This paper discusses the importance of ITAD in protecting data and meeting compliance requirements. It also addresses ITAD’s positive impact on the environment and in generating value from the remarketing of retired IT assets. Finally, the paper describes the capabilities to look for in an ITAD service provider in order to maximise protection and minimise risk.

End-of-Lifecycle Risks

Organisations are generating more data than ever and using a wider range of devices to create, store and manage it. To satisfy regulatory compliance and business requirements, all organisations should adhere to a best-practices data management strategy that protects data throughout its lifecycle. This is especially crucial today, with the proliferation of email communications, social networking, cloud computing and mobile collaboration tools.

Data destruction is a particularly important aspect of data management that cannot be overlooked.

Organisations must ensure that practices and processes for data destruction are secure, reliable and compliant. If data is kept beyond its designated destruction date, it could impact compliance or e-discovery readiness. The same holds true if data is destroyed too soon.

One of the biggest end-of-lifecycle risks comes at the point of destruction, when physical equipment such as disk drives, personal computers, tape drives and laptops are retired. All of the data on those devices must be destroyed or sanitised, and the organisation may be required to provide evidence of a secure chain of custody for the entire process.

Without the proper processes and procedures in place, organisations run the risk of having things go wrong during the disposition phase. Even worse, IT teams may not be aware if a problem has occurred and thus would be more susceptible to a breach. Potential disposition challenges include:

• Negligence: It is costly and time consuming to destroy data, which provides an incentive for some ITAD providers to cut corners when disposing of or remarketing equipment.
• Human error: Employees at an ITAD service provider can’t tell if data has been sanitised simply by looking at the media on which it resides. Equipment could be remarketed with data still on it.
• Improper handling: If the chain of custody is not verifiable, there is no way of knowing for sure whether equipment has been diverted to a secondary market or landfill.
• Environmental damage: If the ITAD provider doesn’t handle disposal in an environmentally compliant manner, customers face incremental risk for fines, other penalties or reputational harm.
• Missed opportunities: The secondary market for used IT equipment has been estimated at $1 billion. If an ITAD provider does not possess extensive remarketing capabilities, customers won’t be able to generate revenue from their end-of-life assets.

Maximising Protection, Compliance and Value

Most organisations have neither the in-house expertise nor the resources to ensure that they are adhering to ITAD best practices. It is critical to work with a reputable third-party provider to ensure that all data-bearing devices are physically destroyed. Alternatively, all data must be fully sanitised before any assets are remarketed.

The following represent the important factors to consider in evaluating potential ITAD providers:

• Strict adherence to best practices in managing retired IT equipment. Disposition processes must be highly regimented and consistent, with secure and reliable service for all sites. Customers should also have access to alternative destruction methods and locations: bulk or serialised media destruction and on-site or off-site destruction capabilities. For example, some organisations, such as defense contractors or healthcare institutions, don’t want any data-bearing devices to leave the premises—thus requiring an on-site data destruction solution.
• Assurance of compliant, environmentally sensitive disposal. The provider should guarantee that all IT assets are disposed of in an environmentally friendly manner that meets local, state and federal requirements. The provider’s operations should adhere to widely recognised certification standards established by credible industry organisations, such as e-Stewards, R2 and RIOS. These standards not only protect the environment and minimise liability, they also generate goodwill in the community and among customers.
• Secure chain of custody—from asset collection to certificate of destruction. In order to ensure that all information is completely destroyed, an ITAD service provider should use proven logistics and asset tracking to identify and manage equipment at every stage of the disposition process. The provider should offer centralised reporting to verify that the chain of custody has been maintained and that all data on all equipment has been properly destroyed. This capability will be important in helping to meet compliance and e-discovery requirements.
• Revenue-generating opportunities through IT asset remarketing. Remarketing IT assets could be a significant revenue opportunity if handled properly. Many unwanted technology assets have remaining end-of-life value. Research indicates that remarketing and value recovery services represent the largest portion of the overall ITAD market.3 In order to take advantage of these vast potential opportunities, decision-makers should choose a provider that maximises value recovery by ensuring that each asset is tested, graded and refurbished. If there is material end-of-life value, the equipment should be remarketed; if not, it should be recycled using best practices.