Perhaps your company has purchased secondhand phones or computers, only to discover that the previous owners had left personal information on them. Or perhaps you’ve heard of major corporations getting penalized millions of dollars for improperly disposing of their IT assets.
Or perhaps you’ve read frightening news reports of landfills stacked high with discarded devices in poor countries, wreaking havoc on the communities they serve and giving easy pickings for cyber-criminals who know that valuable information lurks among the rubbish.
While purchasing IT assets is normally the primary emphasis of any technology-enabled business plan, what happens when those assets reach end-of-life while still holding information about the company and its customers is sometimes overlooked.
As product cycles shorten, technology changes at a faster rate, and more firms resort to cloud services, rethinking IT Asset Disposition (ITAD) and making it more top-of-mind is crucial. You’ll have to deal with an increasing number of IT assets as they reach the end of their useful lives, and making the correct decisions about your ITAD strategy will reduce business risk while also protecting the environment.
THE FASTEST GROWING WASTE STREAM
According to the United Nations, humans produce 53 million tons of electronic garbage (e-waste) each year, a figure that is expected to more than double by 2050. As a result, e-waste is the world’s fastest-growing trash source. IT is becoming a significant component of our environmental footprint, not just in terms of energy use but also in terms of hardware. Heavy metals (mercury, lead, cadmium, and others) can leach out of these devices and into the environment, producing a variety of problems. It’s unsurprising that more countries are refusing to accept electronic garbage. As of September 2020, Thailand is the latest.
DIFFICULTIES IN SECURITY AND LAW
In addition, e-waste raises significant security and legal concerns. A total of 25 states, plus the District of Columbia, have passed laws requiring some level of electronic recycling, as well as fines for poor management of the process. Ontario, Canada, has begun implementing new e-waste legislation, with the goal of reaching a recycling rate of 70%. Furthermore, many data privacy and protection laws and regulations, including international law, have far-reaching implications for IT asset disposition. Noncompliance with the General Data Protection Regulation (GDPR), for example, can result in significant fines of up to €20 million or 4% of annual global revenue, depending on the severity and circumstances of the infringement.
COMMON ITAD MISTAKES
It’s critical to have clear protocols in place for a safe and secure ITAD, but it’s easy to make mistakes. Here are some frequent blunders to stay away from.
OVERSIMPLIFYING
Many companies consider getting rid of obsolete IT hardware to be a no-brainer: simply wipe the devices clean and have them taken away. Unfortunately, it isn’t as simple as that. The complexities of wiping, shredding, and degaussing necessitate tried-and-true techniques as well as operational efficiency. Simply deleting, reformatting, or resetting the device may not be enough to delete the data. The risk of a data leak still exists if data is not adequately cleansed or the media is not securely destroyed.
LEAVING IT IN THE HANDS OF IT
While it may appear rational, if not obvious, to delegate responsibility for ITAD to your IT team, that is not always the right choice. Safely and securely disposing of IT equipment has technical, legal, logistical, and administrative aspects, and your IT staff may or may not have the necessary skill sets, including:
- Implementing the exact procedures needed to thoroughly wipe any existing data
- Assessing whether chain of custody (tracking who had access to the devices and when) is appropriately captured
- Assessing a third-party provider’s environmental and data security credentials
IT, of course, plays a part, but so do other administrators, departments, and senior management.
UNDERSTANDING YOUR LEGAL RESPONSIBILITY
As the amount of electronic garbage grows, so do the laws and regulations that control it, as well as the penalties for violation. For mishandling the decommissioning of two data centers, one financial services business was recently fined $60 million. It’s far from the only one that has had to pay a price.
And it’s not just the laws and regulations controlling e-waste that you should be concerned about. As previously stated, GDPR, industry standards like PCI-DSS, state privacy laws like the California Consumer Privacy Act (CCPA), and larger legislation like HIPAA, the MEGABYTE Act, and Sarbanes-Oxley (SOX) all apply to e-waste.
SUMMARY
As with many IT projects and processes, IT Asset Disposal may not be a do-it-yourself project. Your best outcomes will come from working with an asset disposal company that is experienced in the legal and regulatory environment, as well as proper disposal techniques, including recycling and repurposing. It is best not to take chances with end-of-life asset disposal issues.
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com