Maximize EOL Return – IT Treasure, not Trash Without Sacrificing Compliance

By Bill Markley

Times have changed. Traditional ways of handling IT assets for end of life as well as how data is destroyed should be revisited. The time is right for realizing significant savings – in time, money or both. ITAD vendors, certified to destroy data, are now working closely with clients to realize value on certain equipment while providing secure solutions.

Full disclosure: Yes, I will confess to being an ITAD vendor. I have had the experience of working with clients to help them through the pains of finding a secure solution to obsolete computer equipment and data, while helping to minimize related expenses. I have experienced discussions with clients who have a current disposal program (sometimes even at no cost – “free”) that upon further review, are leaving a lot of money on the table.

My hope is to share some of the points of savings that have been realized upon reviewing solutions with clients.

First, let us take a brief step back. The assumptions of this article are that your disposal and data destructions processes and your vendor have been vetted and approved through your legal department, with 3rd party agreements in place. If not, the roll of the dice in your computer/data destruction gambling game can result in a downstream, large loss. Just search “16 CFR 682” on the internet for a brief review.

There are a few key areas to consider that will help to maximize your ITAM program for efficiency and for overall savings, including the residual value left in your EOL (end of life) equipment. These areas are having a trusted ITAD partner and combining data destruction with recycling.

Find a Trustworthy ITAD Partner

Taking a closer look at the process of how IT equipment and data are handled will have a significant impact on your business, helping turn concerns into opportunities. Finding a partner who can provide the combined services of computer disposal and certified data destruction, who is vetted and whom you can trust, is paramount and may prove to be profitable. Trusted vendors – who can assess your equipment for value, have appropriate certifications and procedures for both computer recycling and data destruction – do exist.

“Start with the end in mind”. Putting your ITAD solution into your ROI calculation and PC refresh decision can help to optimize the total cost. Knowing the possible return on equipment value can help to determine type and frequency of gear to be purchased. Many disposal vendors now build in the client’s return value as part of an agreement to do business. This can provide budget numbers and a vested interest to both parties.

You should perform due diligence on your vendor. Credentials to verify and document include:

  • Written procedures for their processes
  • Certified IT disposal
  • Certified data destruction reporting, including serial numbers
  • Pertinent and sufficient insurance coverage
  • Bonded employees
  • Secure chain of custody
  • Valid Industry related certification for Data destruction
  • Subcontractors

Recycling vendors should provide both pollution liability coverage and professional liability/errors & omissions coverage of at least $1 million each. A vendor without both coverage types leaves their clients at serious risk should a data breach or environmental incident occur.

Resist Separating IT Asset Disposal and Data Destruction

Due to the increasing concerns of data breach risk, many institutions consider a separate process for removing hard drives from equipment. This leads to a separate process involving removal of drives, separate inventory tracking, storage of drives and a destruction solution. There is risk inherent in this system.

The process of separating the hard drive from the device itself should be given full consideration. There are continued examples of breach of data by loss or theft of a hard drive. This concern is amplified by the process of removing the drive from the system. In addition, there is more internal time and cost associated with adding another ITAM process, now that the drive and device must be tracked separately. The serial number relationship between device and hard drive has now been severed, unless the program is well controlled and audited, with robust internal quality control.

The best ITAD vendors audit devices for hard drives. Even the most stringent client processes for the removal of their own drives, upon audit, may have between 10-20% of devices still with hard drives that were missed. These devices may have been stored in a non-secure area, mistakenly considered as not containing data.

Limited Value at End of Life

Removing a hard drive from a device limits the value associated with your asset at the end-of-life – like trading in your car without an engine.

ITAD vendors who are NAID (National Association of Information Destruction) certified for hard drive destruction and sanitization are equipped to provide assurances and secure processes. These vendors should be given additional consideration. Take note: NAID certifications for paper destruction are different than hard drive sanitation and destruction, and should be verified with your vendor and confirmed with the NAID website.

The options of digital destruction versus physical destruction should be explored to look at maximizing the value associated with your equipment, while addressing security requirements within your organization.

Trusted ITAD vendors can provide additional value to functional, intact machines. They can digitally destroy these drives with a process that meets or exceeds DOD, NIST and other requirements. Their processes for digital destruction should include quality control checks and a two technician validation process. Further, recovery techniques to ensure erasure with a default to physical destruction will eliminate any concerns, while providing a cost effective option. Aftermarket equipment with a digitally destroyed drive can provide value back to your organization more than double that of a device without a hard drive.

Reconsidering digital data destruction and repurposing of drives will be stressed even further through 2013, as noted by research firm IDC and reported by ComputerWorld in their December 9th, 2011 report. The shortage of hard drives due to flooding in Thailand will drive up the cost of hard drives dramatically, while increasing the demand for aftermarket drives. There is no better time to revisit options of drive repurposing, remarketed gear purchasing and securely managing your computer “donation” programs.

Bear in mind that even though obsolete IT assets can have value, there always will be residual waste. This waste must be handled correctly and not simply “brokered.”

Consider the following questions in order to maximize the value of IT assets:

  • Is your organization keeping assets too long before retiring them? Being aware of optimal refresh cycles will maximize internal efficiency as well as ROI at the time of disposition. Newer equipment improves efficiencies, lowers total operational cost, is more secure and also turns out equipment with a higher resale value.
  • Are free solutions for recycling/disposal/destruction being used? “Free” is ambiguous, problematic and full of risk. Ensure that your “free” solution avoids downstream liability. Trusted and proven solutions should assess appropriate value, address appropriate costs, and can be better than “free.”
  • Is the inventory poor or incomplete? If you can provide an accurate inventory list to your ITAD vendor and they can fully assess your equipment, you are going to get a higher value return.
  • Are power supplies, cords and batteries kept with the appropriate equipment? With more and more mobile equipment coming out of the organization, having power supplies included can maximize residual value.
  • Is the amount of damaged equipment unknown? Knowing how much equipment is still functional and intact can help in finding appropriate solutions for remarketable gear versus that which needs to be appropriately recycled.

Looking at ways to make your ITAM more efficient will continue to be a key area of focus in the next year. Revisiting how your disposal and destruction program can be updated will be a key area of savings.

About the Author

Bill Markley is the Data Security Consultant for Reclamere, Inc.