Rethinking IT asset disposition: pitfalls to avoid
While acquiring IT assets is usually the big focus in any technology-enabled business strategy, what happens when those IT assets reach end-of-life, but still contain information about the life of the business and its customers, has often been treated more as an afterthought.
BY: Brooks Hoffman
Perhaps your business has procured used phones or laptops only to find them filled with personal information from their previous owners.
Or you’ve read about global business giants being fined millions for mishandling disposition of their IT assets.
Or you’ve seen very disturbing news reports about landfills in developing countries that are piled high with discarded electronics — devastating the regions they’re in and providing inviting targets for cyber-criminals who know that amidst the trash there’s valuable information available for easy picking.
While acquiring IT assets is usually the big focus in any technology-enabled business strategy, what happens when those IT assets reach end-of-life, but still contain information about the life of the business and its customers, has often been treated more as an afterthought.
Rethinking IT Asset Disposition (ITAD) and making it more top of mind is critical as product cycles shorten, technology evolves at a faster pace, and more companies turn to cloud services. You’ll need to deal with a growing amount of IT assets at their end-of-life, and making the right choices around your ITAD strategy will limit business risk and protect the environment.
E-waste: The fastest growing waste stream
Globally, we generate some 53 million tons of electronic waste (e-waste) every year, an amount that is projected to more than double by 2050 according to the United Nations. That makes e-waste the fastest growing waste stream in the world. IT — not just the energy consumption but the hardware itself — is now a major part of our environmental footprint. And a toxic one at that: heavy metals (mercury, lead, cadmium and more) can leach out of these devices and into the ecosystem, causing a wide range of issues. It’s no surprise that more countries are refusing to accept any more electronic waste. Thailand is the latest as of September 2020.
Security and legal challenges
E-waste also poses immediate security and legal issues. Some 25 states plus the District of Columbia have adopted laws requiring some level of electronics recycling, and have established penalties for when the process is mismanaged. Ontario, Canada has started enforcing new e-waste regulations, with a goal to achieve a 70% recycling rate. And there are many data privacy and protection laws and regulations that have wide reaching effects on IT asset disposition — including international law. For instance, companies within the scope of the General Data Protection Regulation (GDPR) face severe fines for noncompliance, potentially up to €20 million or 4% of annual global revenue, depending on the severity and circumstances of the violation.
Typical ITAD missteps
Clear procedures for safe, secure ITAD are essential, but it’s easy to make missteps. Here are some common pitfalls to avoid.
Oversimplifying.
Many businesses see getting rid of outdated IT hardware as a no-brainer — just wipe the devices clean and get them hauled away. Unfortunately, it’s not that simple. The intricacies of wiping, shredding, and degaussing require proven procedures and operational efficiency. Just deleting, reformatting or resetting may not actually remove the data. If data is not properly sanitised or if the media is not properly destroyed, then the risk of a data breach still exists.
Leaving ITAD to it.
While assigning the responsibility for ITAD to your IT staff may seem logical, if not intuitive, that’s not necessarily the case. The process of safely and securely disposing of IT equipment has technical, legal, logistical and administrative aspects for which your IT department may or may not have the requisite skills sets, including:
- Coordinating with the people and departments that rely on that data and the devices that have reached end-of-life
- Implementing the specific procedures needed to fully erase any existing data
- Assessing whether chain of custody (tracking who had access to the devices and when) is being accurately captured
- Evaluating the environmental and data security credentials of a third-party provider
Clearly, IT has a role to play, but so do other administrators, departments and senior management.
Underestimating your legal liability.
As the amount of e-waste grows, so do the laws and regulations governing it, as well as fines for noncompliance. One financial services provider was recently fined $60 million for mishandling the decommissioning of two data centres. And it’s far from the only one that has paid a price.
And it’s not only laws and regulations governing e-waste specifically that you need to be concerned with. As noted above, e-waste also comes under the purview of GDPR, industry standards such as PCI-DSS, state privacy laws such as the California Consumer Privacy Act (CCPA) and broader regulations such as HIPAA, the MEGABYTE Act, and Sarbanes-Oxley (SOX).
Relying on a free service.
There are companies that will offer ITAD services for free or at a very low price, typically claiming that they cover their costs through the resale of your devices. As in all things, you get what you pay for. Relying on a free or very low cost ITAD provider is no exception and is likely to entail the provider of the service doing one or more of the following:
- Holding onto significant revenue gained from recycling your equipment, so the service is not free at all
- Skimping on things like secure chain of custody or fully verifying that data was destroyed on all devices Disposing of your equipment in ways that are environmentally irresponsible (i.e., shipping overseas or dumping in landfills here at home)
In short, you may be saving money in the very short term, but you are putting your business at risk and contributing to the very negative environmental impacts that recycling is meant to avoid.
Ignoring chain of custody.
You may not intuitively associate a legal concept like chain of custody with ITAD, but it’s really the key to getting it done right. Whether you accomplish ITAD on your own or rely on a third-party, you will need a complete record of where and to whom your IT assets went in order to establish that your ITAD process was in fact responsible and compliant — both environmentally and from a data security standpoint. Also, there is an added benefit to secure chain of custody practices — they deter theft. Theft of devices during ITAD can be a serious problem. The smaller and more valuable an item, the more likely it is to disappear and thieves are less likely to attempt to steal an asset they know is being tracked.
These are all pitfalls that can trip up even the most well-intentioned organisation. But the biggest pitfall of all is making the end-of-life disposition of IT assets an afterthought.
Instead, think of it as a critical part of your ongoing lifecycle of information management, essential to protecting your sensitive information and the environment.
Brooks Hoffman is a member of the Product Management team for Iron Mountain’s Secure IT Asset Disposition (“SITAD”) service. Prior to joining Iron Mountain, he was co-founder and CFO of LifeSpan, an IT Asset Disposition firm headquartered in Denver, Colorado.