Retiring IT Assets – No Need to Choose Between Sustaining the Environment and Protecting Data

By Jim Kegley

In November 2008, CBS’s 60 Minutes shocked the international community with its scathing report “Following the Trail of Toxic E-Waste.” In this expose, correspondent Scott Pelly, guided by Jim Puckett, founder of the Basel Action network, followed the e-waste trail of one Colorado-based recycling company to review its promise of IT asset disposition “right here in the U.S.” The problem they discovered was that the worst e-waste was illegally shipped overseas. Thus, they uncovered one of the most disastrous by-products of the electronic age – acres and acres of retired IT equipment waiting to be burned and a town in China so polluted that it was hazardous to breathe the air or drink the water.

It was an international scandal on a huge scale made worse for the U.S. since much of the toxic waste was coming from America. Corporations, schools, and communities pledged to be more ecologically responsible while watch dog groups weighed in on the best methods for environmentally sound management of American e-waste.

Flash forward to July 2011. In the U.S., no longer are corporate sustainability initiatives a “nice to have” add-on. The general public expects this to be a fundamental part of any corporate culture. And while the responsible disposal of IT assets is a top environmental priority for Fortune 500 companies, government entities and a myriad of organizations, e-waste remains the fastest-growing segment of the municipal waste stream worldwide.

According to the EPA, 20 million computers in the U.S. became obsolete in 1998. That number has since increased astronomically, with the marked proliferation of portable and disposable devices such as laptops, tablets, smartphones, etc., that can retain large amounts of sensitive data. The International Data Corporation (IDC) estimated an installed base of 338.3 million PCs in the U.S. in 2010, with a 20.5 percent annual retirement rate.

Understanding Threats to the Environment and your Company

The environmental implications of improper disposal of IT assets are significant. These assets contain pounds of toxic chemicals, from lead to mercury and harmful plastics. If not disposed of properly, this e-waste often makes its way to third world countries that have less stringent recycling guidelines, or worse, to the black market for dismantling. The equipment is then mined in a destructive manner to reclaim small amounts of precious metals; the rest ends up in landfills or incinerated with chemical toxins leaching into the environment.

While there is evidence that the attitude of the business community has shifted in the U.S. and environmental stewardship is top of mind when disposing of retired IT equipment, standards for proper disposal have been fragmented with little oversight of procedures and ethics.

Complicating a company’s focus on sustainability issues are the crucial security concerns surrounding data destruction. To highlight these risks, U.S. Micro Corporation recently issued a national alert underscoring the importance for organizations to properly dispose of IT equipment to prevent costly data breaches and reputation damage. While companies spend millions establishing security when acquiring and maintaining equipment, an alarming number of enterprises are unprepared to deal with sensitive information at risk on data bearing devices when disposing of assets including computers/laptops, copiers, printers, smart phones and more.

A single incident can cost a company millions in disaster recovery and liabilities. In the past 12 months:

  • Blue Cross Blue Shield of Tennessee spent $7 million investigating the loss of 57 hard drives stolen while in storage awaiting destruction
  • CBS News purchased copy machines from a health insurer and found 300 pages of individual medical records on a hard drive
  • The State of New Jersey discovered that 80 percent of the PCs headed for public auction had significant data on them including tax returns and child welfare records

But vigilance is important in both areas. From an environmental standpoint, improper IT end of life management can damage an organization’s reputation, just as data breaches can. If a computer is traced back to the originating company, the company may be subject to fines in all intermediate jurisdictions, not to mention the negative media attention. Numerous headlines and high profile incidents have raised awareness of the shortcuts many companies take in computer disposal.

Closing the Loop from Pickup to Disposal

So how should an IT manager resolve the dilemma of disposing of retired IT equipment?

Spending time up front to optimize your IT asset disposition process can ensure both security and environmental responsibility. When considering an ITAD vendor, research the company’s process for data destruction as well as its recycling efforts and sustainability initiatives.

Pitfalls to Avoid

To ensure proper data destruction, solutions vary, but self-cleaning, without rigorous training and a well-defined process, and long-term storage, are poor options. These situations create additional vulnerabilities that no risk manager would allow if he or she understood the increased exposure for breaches.

Having internal staff instead of ITAD specialists wipe equipment requires numerous touch points by employees without a primary focus on ITAD. In this case, the investment necessary for proper training and process management can be significant.

Alternatively, hiring an outside vendor can help provide a secure process but requires thorough care in selection. The marketplace is flooded with companies that hire subcontractors who aren’t vigilant about data destruction and its verification. Often, they are cleaning retired equipment off-site, which introduces countless opportunities for breaches and loss of control over data. Onsite programs with data wipe technology that is 100 percent effective and verifiable every time are critical.

Long-term storage creates an additional layer of risk. Case in point is the Blue Cross data breach. No matter how secure you think stored equipment is, it’s very vulnerable.

Best Practices to Safeguard Asset Disposition

When establishing security ITAD protocols, consider these five best practices:

Step 1: Never allow equipment to leave your site before all data is destroyed. If data remains on hard drives or other devices that are shipped offsite, you lose control of the process and risk loss or theft during transport. A drive can fall behind a desk before it is packed in the moving truck. A USB drive may fall into a laptop pouch during a move. Pallets are stolen from docks and trucks have been hijacked. These risks highlight the necessity of removing and destroying all data before assets leave the physical site. Your ITAD vendor should provide verification that all data has been wiped prior to shipment.

Step 2: Data wiping is for trained professionals. While current employees who are adequately trained can be effective, outside specialists who concentrate solely on ITAD can help establish failsafe procedures and controls – and stay up to date on the latest techniques and issues.

Teaming with a vendor reduces the cost of training employees, managing the ITAD process and minimizing risks. However, take precautions when selecting a partner. Forty-four percent of data security breaches in 2008 were the fault of third parties. Avoid these problems by selecting bonded, insured vendors with proven track records. Request a site visit to vet the vendor’s facility and professional staff. Research the company’s financial health and longevity, and ask for client testimonials.

Step 3: Establish a tracking system to account for assets as they move through the ITAD process. Tracking IT assets is not as simple as counting them before and after they are wiped and shipped. Each piece of equipment should be tracked individually in real time, at each step of the ITAD process. An electronic verification system should be used to confirm each hard drive has been wiped and to capture the firmware hard drive serial numbers, thereby eliminating human error.

Step 4: Remember the not-so-obvious devices. While most people are mindful of destroying data from hard drives in computers and laptops, drives in photocopiers, smartphones, fax machines, scanners, printers and USB drives are often overlooked. Many of these carry sensitive information.

Step 5: Make your ITAD operation a profit center. Many IT managers don’t realize they can negotiate an upfront purchase deal with a qualified vendor. This ensures a guaranteed price for the equipment and the transfer of ownership eliminates risks associated with consignment pricing models.

Vet your Vendor’s Environmental Track Record

It is difficult to reduce a company’s environmental impact when disposing of retired IT equipment. Just recently, a story surfaced that millions of pounds of CRT leaded glass was being stockpiled in the Arizona desert instead of being properly deconstructed and recycled. Unfortunately, these stories will become more commonplace as the $5 billion U.S. ITAD industry continues its rapid expansion.

Companies will have to be especially vigilant when vetting the vendors they select. It’s no longer “good enough” to just ask the questions. Companies should ensure that their ITAD vendor’s environmental commitment aligns with their own and that no old equipment ends up in a landfill or shipped to a foreign scrap market – that can be traced back to them as the source via serial numbers. To retain control and eliminate reliance on downstream processing vendors, look for an ITAD partner that has the infrastructure in-house to process e-waste. In today’s environment, a good IT manager should require a complete understanding of the recycling methodology used by the vendor and visit the facility to verify processes.

Encouragingly, however, progress is evident as federal, state and local governments are beginning to implement standards. Electronic recycling companies are expanding their services and new technologies are coming on line. For instance, U.S. Micro Corporation recently opened a $15 million, 130,000 square-foot data destruction and IT recycling center in Las Vegas, Nevada with the infrastructure to guarantee that equipment will be recycled according to EPA guidelines – and never buried in a landfill. In this case, e-waste includes plastics, base metals and CRT glass and is turned into non-volatile materials for construction and finished products such as outdoor lumber, bicycle racks and parking curbs.

What Happens in a Next Generation Facility

Upon arrival, assets go through a grading process to determine the appropriate disposition method. Experience shows that 90 percent of IT equipment received can be refurbished and sold or donated for extended use. Refurbishing and remarketing is the number one sustainable solution.

The remaining 10 percent of equipment is earmarked for ultimate destruction. The equipment is sorted by like assets and sent to the demanufacturing line. In the case of PCs, each component is stripped down to the core pieces and separated into steel, aluminum, plastic and wiring. These commodity pieces are then further sorted by non-ferrous metals, ferrous metals, plastics, wiring, processor chips, circuit boards and more. Multiple demanufacturing lines are utilized until separation is complete.

The overall goal with all equipment is to break down the components completely so they can either be sold into the commodities market or used in remanufacturing processes.

Add accountability and transparency to your ITAD process

One of the biggest problems with proper ITAD is the lack of accountability and the belief that simply telling people to wipe or destroy data means it will actually happen. Moreover, trusting that all environmental protocols are being met can be naïve.

As reported in the previously mentioned 60 Minute expose, the Government Accountability Office set up a sting operation to see just how rampant the abuse of e-waste recycling regulations was. Only scratching the surface, this operation discovered more than 42 American companies willing to illegally sell e-waste products to foreign importers.

As technology evolves so does the commitment and responsibility of companies worldwide to make sure their processes are up to date and ecologically sound. Doing your homework and partnering with a trusted, experienced ITAD vendor who employs the highest level of security at your location and has the in-house infrastructure to responsibly process e-waste will ensure ITAD is safe, secure and sustainable.

About the Author

Jeff Kegley is the Chief Security Officer for U.S. Micro Corporation.