Leasing IT assets has benefits for IT budgets as well as keeping IT assets in an organization current. With the increase in emerging technologies, the consumerization of IT, tighter budgets in a down economy and the need to meet the demands of the enterprise, leasing IT assets is attractive to many IT departments. Leasing allows organizations to secure large technology purchases while spreading the costs over multiple years by facilitating cash flow to manage technology budgets.
Capital leases are a means to finance IT asset purchases while maintaining ownership when the lease is fulfilled. These leases are commonly called “dollar-buyout” leases where the lessee acquires the assets through a transfer of title for a final payment of $1.00 after all other obligations are fulfilled. All obligations of associated with asset management are the responsibility of the lessee, including maintenance and support. The lessor retains ownership until the lease is fulfilled and can request a report of asset placement and/or the state of the assets. Since the assets remain the lessor’s throughout the duration of the lease, leasing requires good asset management practices. Asset management, from receiving the assets through their final disposition, including data sanitization, is the responsibility of the lessee. These assets are treated in much the same manner as assets that are purchased outright.
Fair Market Value Leases
Many IT departments make use of the Fair Market Value lease as a way to spread costs out, minimize maintenance demands on internal IT resources, and provide technology that is relevant to their organization’s success. The terms of a Fair Market Value lease allow for the use of the assets over a period of time for a pre-determined monthly payment while the lessor maintains ownership of the assets. When the lease is fulfilled, IT departments must make a decision about those leased assets. One of the common choices made at the end of a Fair Market Value Lease is to return the leased assets to the leasing company.
Returning the leased assets presents an option for replacement with current technology and an advantage in that the lessee is not required to bear the high cost of asset disposal. It is no longer the organization’s responsibility to make sure the assets are disposed of in accordance with federal, state, and local guidelines since the assets never belonged to the organization.
Disposition of Leased Assets
More stringent federal, state and local regulations governing the disposition of electronic waste have caused IT asset managers to be especially mindful of how decommissioned assets are disposed of. When assets are purchased under a capital lease, these electronic assets are treated in much the same way any other technology assets are treated and the cost of asset disposal is borne by the lessee. Standard operating procedures for asset disposition should be followed in accordance with your organization’s policies and regulatory guidelines.
Assets leased via a fair market value lease release the lessee from the cost, responsibility and liability of asset disposition, while at the same time creating a challenge that may be overlooked. Disposition of the actual asset is one thing; ownership of and protection of the data on those assets is something entirely different.
Data Sanitization of Leased Assets
This leads to the question: Who owns the responsibility for data sanitization on those leased assets? Regardless of who owns the leased assets, we must be aware of who owns and therefore is responsible for the data on any and all leased assets. With a fair market value lease, this becomes something that has the possibility of being overlooked. And while a leasing company may say they secure your data when the assets are returned, how can you be sure? What can you do to protect your organization from exposure to data leakage from leased assets?
Erasing hard drives has become a common practice employed for data sanitization by most organizations prior to disposition of company owned assets, whether through recycling or destruction of the assets. However, data sanitization of leased assets is often assumed to be the reasonability of the lessor. Indeed, some assets, such as those leased as part of a managed print service, may have data security kits installed on them. This provides a level of security for most companies. But, is this enough to protect your organization if there is data breach as a result of those leased assets being compromised?
Many IT asset managers have implemented the practice of hard drive erasure before contacting an asset removal company to dispose of decommissioned assets. Although the process can be tedious, it is well worth the time and effort to sanitize hard drives before assets leave the premises. Other asset managers depend on the certified asset disposition company to provide certification of data sanitization of electronic assets. Securing certificates of data erasure from certified recyclers and asset disposition services is a common practice for many asset managers. Companies certified in asset disposal should provide documentation that includes an itemized audit report of items being disposed of that includes the name of the asset, the manufacturer, the model number and the serial number. This documentation should be supplied whether assets are being recycled or destroyed. If the asset disposition company is destroying any assets removed from your premises, a Certificate of Destruction should be provided. Otherwise a certificate that ensures data sanitization of assets prepared for recycling should be secured.
Whether your organization makes the decision to lease or purchase assets, it behooves every IT department to do its homework and know the benefits, costs, and risks associated with the different options presented. Asset managers should be included in decisions where large technology purchase options are being considered. Many technologists fail to include the cost of asset management (receiving, tagging, tracking, and disposition of assets) in the total cost of ownership. While leasing IT assets is a viable option and provides benefits for IT departments, it behooves IT departments to have the facts and count the costs associated with all IT purchases.