Analyzing and Avoiding ITAD Risks – Sixteen Steps to Proactive Protection for Final Disposition

By Jim Kegley

As technology evolves so must the commitment and responsibility of companies worldwide to make sure their IT asset disposition (ITAD) processes are up to date, secure and environmentally sound.

It takes diligence and research to understand the right questions to ask about your company’s ITAD process and your vendor’s methodology. But it’s no longer good enough to just ask the questions, you have to know the answers. A single data breach or environmental mishap can cost a company millions. The impact on reputation is immeasurable. Spending time upfront to optimize your ITAD process can significantly eliminate security risks and ensure the company’s adherence to environmental standards when retiring IT assets.

How do you know if your company is at risk? Analyze whether your organization:

  • Electronically tracks inventory at EACH step of the ITAD process to eliminate human risk including: an initial onsite inventory reconciliation; a real-time final report verifying data destruction and equipment inventory before shipment from your location; and a post shipment inventory check
  • Wipes all data onsite at your location before transporting equipment offsite
  • Destroys devices onsite when data cannot be properly wiped
  • Checks for data stored on not-so-obvious devices, e.g., copiers, smart phones, USB drives, etc.
  • Avoids vendors who use third party sub-contractors
  • Visits potential ITAD vendors’ facilities to vet their process
  • Requires audited financials to establish financial viability of the vendors you use
  • Understands what happens to your retired equipment downstream

If you answered NO to any of these questions, your company could become a data breach statistic.

The reality is that while companies spend millions establishing security when acquiring equipment, an alarming number of enterprises are uninformed about sensitive information at risk on computers, copiers, printers, smart phones, etc., when disposing of assets. Examples of real issues from the headlines include:

  • Blue Cross Blue Shield of Tennessee spent $7 million investigating the loss of 57 hard drives stolen while in storage awaiting destruction
  • CBS News purchased copy machines from a health insurer and found 300 pages of individual medical records on a hard drive
  • The State of New Jersey discovered that 80 percent of the PCs headed for public auction had significant data on them including tax returns and child welfare records

Additionally, responsible disposal of IT assets will increasingly be a top environmental priority for Fortune 500 companies, government entities and organizations. As technology continues to progress, huge numbers of assets need to be retired regularly and responsibly. A company must make sure that its disposal methodology aligns with its environmental commitment and that no old equipment ends up in a landfill or shipped to a foreign scrap market.

Most good IT managers do their homework and have a well-developed plan, but with the ever-changing technology, these plans are constantly evolving. How can proactive managers assure that retired IT equipment won’t land their organization in the headlines?

By following these sixteen steps, proactive managers can assure that their organization has a secure process for protecting their company and the environment.

 Sixteen Steps to Proactive Protection for Final Disposition
  1. Never allow equipment to leave your site before all data is destroyed
  2. Destroy devices onsite at your location when data cannot be properly wiped
  3. Include the not-so-obvious devices, e.g., copiers, smart phones, USB drives, etc.
  4. Wipe all hard drives before removing them from devices
  5. Electronically track inventory at EACH step of the ITAD process to eliminate human error
  6. Require a real-time final report verifying data destruction before shipment
  7. Negotiate an upfront purchase agreement with your vendor to reduce asset depreciation and fees associated with consignment, and immediately transfer ownership to eliminate risk
  8. Avoid vendors who use third party sub-contractors
  9. Refurbish or recycle all retired IT equipment
  10. Commit to a 100 percent no landfill policy
  11. Visit potential ITAD vendors’ facilities to vet vendor’s environmental safeguards and ITAD process; certifications don’t necessarily guarantee adequate controls
  12. Know what happens to equipment downstream and if it ends up in foreign scrap markets
  13. Verify vendor’s environmental commitment aligns with your own
  14. Require audited financials to ensure financial viability
  15. Use only adequately insured vendors with proven track records to cover risk
  16. Offer employee eco-events to encourage individual electronic recycling

Retired assets can be a serious liability. As the volume of e-waste skyrockets, the importance of environmental stewardship and rigorous data destruction cannot be minimized. Partnering with a trusted, experienced ITAD vendor who employs the highest level of security at your location and has the in-house infrastructure to responsibly process e-waste will ensure ITAD is safe, secure and sustainable.

About the Author

Jeff Kegley is the Chief Security Officer for U.S. Micro Corporation.