Perhaps your company has purchased secondhand phones or computers, only to discover that the previous owners had left personal information on them.
Or perhaps you’ve heard of major corporations getting penalized millions of dollars for improperly disposing of their IT assets.
Or perhaps you’ve read frightening news reports of landfills stacked high with discarded devices in poor countries, wreaking havoc on the communities they serve and offering easy pickings to cyber-criminals who know that valuable information lurks among the rubbish.
While purchasing IT assets is normally the primary emphasis of any technology-enabled business plan, what happens when those assets reach end-of-life while still retaining information about the company and its customers is sometimes overlooked.
As product cycles shorten, technology changes at a faster rate, and more firms resort to cloud services, rethinking IT Asset Disposition (ITAD) and making it more top-of-mind is crucial. You’ll have to deal with an increasing number of IT assets as they reach the end of their useful lives, and making the correct decisions about your ITAD strategy will reduce business risk while also protecting the environment.
THE FASTEST GROWING WASTE STREAM
According to the United Nations, humans produce 53 million tons of electronic garbage (e-waste) each year, a figure that is expected to more than double by 2050. As a result, e-waste is the world’s fastest-growing trash source. IT is becoming a significant component of our environmental footprint, not just in terms of energy use but also in terms of hardware. Heavy metals (mercury, lead, cadmium, and others) can leach out of these devices and into the environment, producing a variety of problems. It’s unsurprising that more countries are refusing to accept electronic garbage. As of September 2020, Thailand is the latest.
DIFFICULTIES IN SECURITY AND LAW
In addition, e-waste raises significant security and legal concerns. A total of 25 states, plus the District of Columbia, have passed laws requiring some level of electronic recycling, as well as fines for poor management of the process. Ontario, Canada, has begun implementing new e-waste legislation, with the goal of reaching a recycling rate of 70%. Furthermore, many data privacy and protection laws and regulations, including international law, have far-reaching implications for IT asset disposition. Noncompliance with the General Data Protection Regulation (GDPR), for example, can result in significant fines of up to €20 million or 4% of annual global revenue, depending on the severity and circumstances of the infringement.
COMMON ITAD MISTAKES
It’s critical to have clear protocols in place for a safe and secure ITAD, but it’s simple to make mistakes. Here are some frequent blunders to stay away from.
Many companies consider getting rid of obsolete IT hardware to be a no-brainer: simply wipe the devices clean and have them taken away. Unfortunately, it isn’t as simple as that. The complexities of wiping, shredding, and degaussing necessitate tried-and-true techniques as well as operational efficiency. Simply deleting, reformatting, or resetting the device may not be enough to erase the data. The risk of a data leak still exists if data is not adequately sanitized or the media is not securely destroyed.
LEAVING IT IN THE HANDS OF IT
While it may appear rational, if not obvious, to delegate responsibility for ITAD to your IT team, doing so is not always the right choice. Safely and securely disposing of IT equipment has technical, legal, logistical, and administrative aspects, and your IT staff may or may not have the necessary skill sets, including:
- Implementing the exact procedures needed to thoroughly wipe any existing data
- Assessing whether chain of custody (tracking who had access to the devices and when) is appropriately captured
- Assessing a third-party provider’s environmental and data security credentials
IT, of course, plays a part, but so do other administrators, departments, and senior management.
UNDERSTANDING YOUR LEGAL RESPONSIBILITY
As the amount of electronic garbage grows, so do the laws and regulations that control it, as well as the penalties for violation. For mishandling the decommissioning of two data centers, one financial services business was recently fined $60 million. It is far from the only one that has had to pay a price.
And it’s not just the laws and regulations controlling e-waste that you should be concerned about. As previously stated, GDPR, industry standards like PCI-DSS, state privacy laws like the California Consumer Privacy Act (CCPA), and larger legislation like HIPAA, the MEGABYTE Act, and Sarbanes-Oxley (SOX) all apply to e-waste.