Have you heard over and over that you need to audit your ITAD vendor? Why should you do this? After all, it is expensive to travel to the vendor site. It takes up valuable time that could be better spent on your main job functions. And, in the grand scheme of things, the dollar value of the ITAD program can be small in comparison to costs of other programs, projects, etc.
Risk is the main reason. The costs mentioned above are nothing compared to the potential costs and losses associated with improper disposal and data security lapses. Many regulations and laws relate to data security and privacy, such as HIPAA, HITECH, PCI, GLB and the newest, the European GDPR, effective May 2018. Substantial fines can easily reach into the millions. The average cost of a breach in 2017 in the US was $7.35 million according to the Ponemon Institute. Fines for GDPR can reach up to 4% of annual revenue or $22 million.
Costs to consider include loss of business, trade secrets, personnel records, financial information, brand damage, and more.
Improper disposal leads to huge environmental risk and cost. Fines up to $28 million in the past several years have been assessed to e-recyclers, large retailers and other businesses. There have been many articles in the news about electronics recyclers and IT asset disposition vendors who have declared bankruptcy, been indicted or convicted for illegal export or storage of equipment, fraud and tax evasion. Sadly, this is still continuing today.
Once you have determined that there is a need to audit your vendor, how do you do it? As a baseline, look for R2 or e-Steward certification. Both are certifications conducted by a third party for companies that manage outdated or excess computer and other electronic equipment. Certification is no guarantee, as some vendors with these certifications are guilty of the above.
Prep work prior to an onsite audit will save time, and we all know time is money. Be organized. Have a list of questions to ask, documents you want to view and processes you want to see during the onsite audit. For some companies, the Environmental Health and Safety manager conducts the audit. For others, it will be the ITAM personnel. Ask to see the certifications that the vendor holds. Some certifications are site specific while others are company-wide. Know where your equipment will be processed.
R2 and e-Steward certified companies must vet their downstream vendors. Ask to see this audit paperwork, and Bills of Lading confirming that appropriate equipment was sent to them.
Check the physical plant. Look for 24/7 surveillance, restricted access and metal detectors. How clean is the facility, and is it well organized? One does not want to see pallets with equipment spilling onto the floor, creating a dangerous work environment and possible OSHA violations. Ask to see any accident reports. Processors will generate Universal Waste such as batteries. One should be able to see a clearly labelled container, such as a drum labelled ‘Universal Waste’ with a description of the contents, ‘Batteries’. All button and lithium-ion batteries must be taped. These are common batteries in IT equipment.
Depending upon the processing at the site, the vendor may hold various permits such as air or stormwater permits. If they claim they are EPA certified, walk away. There is no such thing. Companies may have EPA permits, but the EPA does not certify companies. Know what types of equipment and materials the vendor accepts. Hazardous materials will require proper permits.
A great way to start your tour is at the receiving dock. Take a walk throughout the facility and view the processes first-hand, paying particular attention to data security. Find out who has access to data-containing equipment and how it is stored, and learn how the data is destroyed, whether through an erasure process or physical destruction. The vendor should have written procedures for your review.
The audit is all about risk management. Make certain that your questions and concerns are addressed to your satisfaction.