
Value Recovery

White Paper

Six Myths About IT Asset Disposition Don’t fall prey to a data breach, legal liability or reputation damage.

Organizations pay close attention to purchasing new IT assets and managing them. But retiring that equipment effectively? Not so much. When a new laptop is commissioned, a faulty hard drive is replaced or a server is decommissioned, it’s decision time: What to do with the old technology? The original asset may still have value. More important, it probably contains sensitive data that needs to be properly eradicated. Blockbuster headlines about the theft of confidential data housed on lost, stolen or recycled IT assets – employee personal information, patient health records, company intellectual property and more – make the news almost daily. That’s because the same organizations that handle IT asset procurement and management so carefully often have no reliable processes and procedures in place to ensure that the devices they retire are truly purged of confidential data. These businesses unwittingly expose themselves to a host of legal liabilities as well as the potential loss of sensitive corporate data and intellectual property, which can prove devastating. In short, they risk their business.

Contents

- Six Myths About IT Asset Disposition
- Data at Risk
- Environment at Risk
- Brand at Risk
- The Call for ITAD
- Myth #1
- Myth #2
- Myth #3
- Myth #4
- Myth #5
- Myth #6
- Getting ITAD Right
- About Arrow Value Recovery

arrowvaluerecovery.com | 800 393 7627


Data at Risk

Major data heists like the one a beverage manufacturer discovered in 2014 [1], after 55 retired laptops were allegedly stolen by a former employee, make headline news. This breach is especially instructive because it highlights a common vulnerability: the laptops were stolen after they had been taken out of service but while they still contained data. In addition, research conducted by the National Association for Information Destruction (NAID) in Australia [2] revealed that computers obtained through legitimate channels can also arrive with the previous owner's data intact. The study procured 52 secondhand hard drives from publicly available sources such as eBay and analyzed them. Highly sensitive information was found on 15 of the 52 drives (29 percent). Businesses were no more careful than individuals in wiping their hard drives: 8 of the 15 un-erased drives had been sold by businesses. NAID found clients' personal information, confidential client correspondence, billing information and personal medical information.

According to research conducted by the Ponemon Institute, the average cost of a single lost or stolen data record is $201 [3]. Multiply that by thousands or tens of thousands of records (as in the beverage manufacturer's data breach) and there goes your IT budget.

As the sheer number of retired machines grows, so does the problem of keeping the sensitive data on those machines from getting into the wrong hands. For example, Gartner estimated worldwide combined shipments of devices (PCs, tablets, ultramobiles and mobile phones) at 2.4 billion units in 2014 [4]. A significant number of those devices will be procured by enterprises as replacements for retired equipment. Gartner's estimate also includes over 1.8 billion mobile phones and smartphones; many of these devices can store large amounts of proprietary information, and most of them will simply be thrown away after a couple of years of use.

The problem of technology disposal isn't limited to PCs and personal devices. Over the past five years, an estimated 46 million servers were shipped [5]. In fact, despite shrinking demand, a record number of servers shipped in 2013 [6]. Many of these servers likely replaced machines that were being retired, and all of them will one day need to be retired as well.


Environment at Risk

All this has obvious environmental implications, with the attendant legal and regulatory exposure. For IT managers, data security is often the more immediate concern, but both areas leave a business vulnerable. Because devices can contain toxic compounds, their proper handling is imperative for both worker safety and environmental stewardship. Organizations of all sizes cope with a complex web of regulations that vary by industry and jurisdiction.

Brand at Risk

These rules not only add administrative overhead, but they can also expose a company to significant fines, lawsuits and damaging negative publicity. And ignorance of the law is not a valid excuse.

The Call for ITAD

The need to manage the safe and orderly retirement of this large volume of equipment, along with expanding data security, regulatory and environmental concerns, is driving the growth of the IT asset disposition (ITAD) industry. New ITAD providers seem to pop up daily, but not all ITAD service providers are created equal. Many waste disposal and recycling firms now collect unwanted technology along with other waste without implementing practices that meet data security and regulatory needs. Building secure and accountable ITAD takes time and investment, an investment few waste companies can make. Inadequate ITAD exposes clients to risk by giving them a false sense of security. And customers whose equipment still has value lose out when their trash collector does nothing to reclaim residual value on their behalf. Customers are neither protected nor rewarded.

Reputable asset disposition firms navigate the maze of regulations and find alternatives to disposal, including internal redeployment, resale and donation. These service providers track and report on the status of each individual piece of equipment in detail, from its pickup to its ultimate disposition.

By taking the liability and headache out of asset disposition, full-service ITAD firms are growing in popularity. In fact, Arrow's Value Recovery group found in its 2014 survey of ITAD trends that nearly two out of three companies surveyed choose to have a third-party service provider manage their end-of-life assets. Conducted by the independent research and consulting firm Blumberg Advisory Group, Inc., and summarized in the 2014 Arrow IT Asset Disposition Trends Report [7], the survey also revealed that data security concerns are a major driver of the shift to third-party ITAD providers. As you look for a reputable ITAD provider, beware of six prevalent myths you need to debunk. Understanding the rules and best practices of ITAD can save your organization money, time and reputation, and provide competitive advantage.


Myth #1: Disposing of IT assets is simple.

Many firms are still under the impression that you can simply sell your equipment or give it away and be free of regulatory requirements and liabilities. Not so. Penalties for improper data protection include steep fines and even imprisonment, and these penalties are levied on the organization responsible for the data, not on the disposition vendor. When handing over electronics, you need to know how the data will be destroyed and hold proof of its actual destruction: in practice, a certificate of erasure or destruction that lists each drive by serial number, so that it can be checked against your own records of what was handed over.

Because of data protection and environmental regulations, the administrative burden of disposing of a single PC can run into many hours of work. That's why you should be especially wary of firms that pick up electronics for free. Chances are they are not thoroughly erasing data and may even be selling the electronics as scrap abroad.

Myth #2: Once ownership is transferred to the asset disposal company, it's not our problem.

This is a dangerous assumption. Liability for data protection continues long after you transfer a retired asset to a third party. If a data security breach is uncovered, law enforcement officials will not limit their focus to the disposal firm but will also target the company that gathered the data.

The small mom-and-pop recycler or the "guy in a truck" who comes to pick up your old computers may take them out of your life, but if you don't know what happens to them afterward, you may find yourself liable down the road. One recycler in Utah [8] simply decamped with no notice, leaving behind mountains of IT assets that are now the responsibility of the original owners. The situation reached the headlines when one of its facilities caught fire, highlighting the exposure a company can face if its assets are not handled properly.

In choosing an ITAD vendor, partner with a well-established ITAD firm that has checks and balances in place to ensure that any kind of liability that could be associated with your IT assets, whether data security, environmental compliance or brand exposure, is definitively addressed when those assets leave your company's direct custody. It's extremely important that the receiving organization has bulletproof chain-of-custody processes in place, along with thorough documentation of those processes.

Contractual overrides rarely insulate data owners from liability and potential environmental issues. Regulators may insist on detailed tracking records to establish that appropriate data protection procedures were followed during disposition. These records should establish a chain of custody that is linked to the company's internal asset management systems. In many cases, these audit trails involve specialized reports that are unique to a government or regulatory agency. It can be time-consuming and expensive for businesses to track these requirements. Professional ITAD firms make this reporting a core component of their service.


Myth #3: Deleting data or reformatting hard disks or resetting mobile devices is sufficient.

Simply deleting data, reformatting a disk or resetting a mobile device does not reliably remove the data. Deleting a file, or quick-formatting a drive, rewrites only the file system's index structures; the file contents stay on the media until something else happens to overwrite them, and ordinary recovery tools can read them back. A factory reset on a mobile device may do no more than the same thing: unless the device encrypts its storage and discards the encryption key on reset, the user data remains recoverable. Using these methods as the sole means of data sanitization puts your company at risk of regulatory noncompliance, stolen data and brand damage.

The reference guidance is NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, which describes its purpose as assisting "organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information. Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort." The Department of Defense 5220.22-M overwrite procedure [9] is still widely quoted in vendor literature, but the current edition of that document no longer prescribes an overwrite pattern, and NIST 800-88 is the standard to name in a contract. NIST 800-88 distinguishes three levels of sanitization: Clear (overwriting the user-addressable area with a fixed pattern; a single pass is sufficient on modern magnetic drives), Purge (the drive's built-in secure erase or sanitize command, cryptographic erase of an encrypted drive, or degaussing, which defeat laboratory recovery) and Destroy (shredding, disintegrating, pulverizing or incinerating). The level should follow the confidentiality of the data and whether the media will leave your control. Whatever the method, it is not enough to destroy the data; the destruction must also be verified. NIST 800-88 expects a verification pass that reads the media back, in full or by sampling, and a record of what was done to each piece of media.

Commercial tools are available to automate this process, but licenses and equipment costs can run to several thousand dollars. Add to that the considerable expense of training employees to use these tools and paying them to cleanse and verify each individual hard disk. And when you're done with the time and expense of self-verifying, liability still remains.

Erasure tools built for magnetic hard drives do not necessarily work on the wide variety of solid-state drives (SSDs) and mobile devices in use. An SSD's controller remaps logical blocks across spare flash for wear leveling, so an overwrite issued by the host may never reach every cell that held the data, even though a read-back of the logical device looks clean. The methods that do work are the ones NIST 800-88 classes as Purge: the device's own secure erase or sanitize command (ATA Security Erase or Sanitize, or the NVMe Format and Sanitize equivalents), or cryptographic erase on a drive that encrypts its contents, followed by a read-back verification. Manufacturers implement these commands with varying completeness, so the procedure has to be validated per drive model, and many general-purpose erasure tools do not handle them at all. Organizations replace these devices on average every two years, so having the capability to completely remove sensitive data from them is highly important.

Professional ITAD firms use state-of-the-art data erasure technologies and apply economies of scale to achieve maximum efficiency. They also understand the specialized data destruction procedures required by SSDs and mobile devices, as well as the importance of providing verification of data destruction. For businesses that want physical disk destruction, professional providers offer a thorough and safe solution. And for the tightest security, some ITAD firms offer complete on-site physical disk destruction.

Physically destroying disks is easy to do but harder to prove. In the usual workflow a drive's serial number is scanned and the drive is dropped into a shredder, and nothing in that workflow confirms that the scanned drive, rather than another one, is what actually went in. Physical security of the site (monitoring of employees, cameras on the shredder line, witnessed destruction) and a certificate of destruction that lists every serial number, reconciled against the list of serials you shipped, reduce this vulnerability.
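The difference between a "format" and a sanitizing overwrite, and what a read-back verification actually checks, is easiest to see on a small simulated drive. The following is an added example, not code from the white paper or from Arrow: it builds an in-memory block-device image containing a constructed patient record, quick-formats it (rewriting only the file system's index region), then overwrites it in full as a NIST 800-88 Clear pass would, and carves the raw media for the record after each step. The sector layout, the metadata region size and the record itself are assumptions made for the demonstration and do not model any real file system.

```python
"""Format versus overwrite, on a simulated drive image.

Added example: a 1 MiB in-memory 'drive' is given a secret, quick-formatted
(only the index region is rewritten), then overwritten in full the way a
NIST SP 800-88 Rev. 1 'Clear' pass works, and each state is checked by a
read-back verification and by carving the raw bytes for the secret.
Layout, sizes and the record are constructed for the demonstration.
"""
import os

SECTOR = 512
N_SECTORS = 2048            # 1 MiB image (assumed size)
META_SECTORS = 8            # region a quick format rewrites (assumed)
BODY_SECTOR = 100           # where the 'file' holding the secret lives (assumed)

# Constructed sample record, the kind of thing left on a retired drive.
SECRET = b"PATIENT: J. DOE  DOB 1970-01-01  MRN 00012345\n"


def make_image() -> bytearray:
    """Build a drive image: index region first, then old file data including SECRET."""
    img = bytearray(os.urandom(SECTOR * N_SECTORS))      # leftover file contents
    meta = b"DIRECTORY: secret.txt -> sector 100".ljust(SECTOR * META_SECTORS, b"\0")
    img[:SECTOR * META_SECTORS] = meta
    start = SECTOR * BODY_SECTOR
    img[start:start + len(SECRET)] = SECRET
    return img


def quick_format(img: bytearray) -> None:
    """What a 'format' does: rewrite the index structures and nothing else."""
    img[:SECTOR * META_SECTORS] = bytes(SECTOR * META_SECTORS)


def clear_overwrite(img: bytearray, pattern: bytes = b"\x00") -> None:
    """NIST 800-88 'Clear' for magnetic media: one full pass with a fixed value,
    written sector by sector as a wiping tool would do against a block device."""
    fill = (pattern * SECTOR)[:SECTOR]
    for s in range(N_SECTORS):
        img[s * SECTOR:(s + 1) * SECTOR] = fill


def find_residual(img: bytearray, needle: bytes) -> int:
    """Carve the raw media for a known string, ignoring the file system entirely.

    Returns the sector number where it was found, or -1. This is all a recovery
    tool needs to do after a delete or a quick format.
    """
    pos = img.find(needle)
    return -1 if pos < 0 else pos // SECTOR


def verify_overwrite(img: bytearray, pattern: bytes = b"\x00", sample_every: int = 1) -> bool:
    """Read-back verification: every sector (or every Nth sector) must equal the pattern.

    NIST 800-88 accepts a full or a sampled verification; sample_every=1 is the full check.
    """
    fill = (pattern * SECTOR)[:SECTOR]
    return all(
        bytes(img[s * SECTOR:(s + 1) * SECTOR]) == fill
        for s in range(0, N_SECTORS, sample_every)
    )


def demo() -> dict:
    """Walk the image through the three states and report what is recoverable in each."""
    img = make_image()
    result = {"fresh": find_residual(img, SECRET) >= 0}
    quick_format(img)
    result["after_quick_format"] = find_residual(img, SECRET) >= 0
    result["format_passes_verification"] = verify_overwrite(img)
    clear_overwrite(img)
    result["after_clear"] = find_residual(img, SECRET) >= 0
    result["clear_passes_verification"] = verify_overwrite(img)
    return result


if __name__ == "__main__":
    for state, value in demo().items():
        print(f"{state:28} {value}")
```

Against a real drive the same read-back would be run over the block device after the wipe. The caveat from the text applies in full: on an SSD this read-back can pass while data survives in remapped or over-provisioned flash, which is why the drive's own sanitize or secure-erase command, not a host overwrite, is the right tool for flash media.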


Myth #4: Asset disposal is a commodity.

When all IT asset disposition vendors appear to be offering the same services, it's tempting to simply go with the cheapest solution. Appearances can be deceiving, and choosing the low-cost provider could end up costing significantly more: it could cost you your business.

Effective, secure, legal ITAD requires both knowledge of detailed regulations and standardized processes. With an ever-changing regulatory landscape, it is critical to choose an ITAD provider that understands the regulations and has a robust process for integrating new regulations as they emerge.

Low-cost providers that don't know the rules may resort to cheap disposal options such as shipping equipment overseas without first cleansing data from the equipment. A traceable chain of custody and audits that document downstream partners' adherence to environmental and data standards are critical.

A one-size-fits-all, low-budget approach to data security will not protect your organization and its brand reputation. The potential costs associated with a data breach can be enormous, and can become media fodder for years. From a big box retailer to an entertainment giant to healthcare providers and government agencies, the stories of data being compromised seem endless. A data breach is bad for your brand and bad for business.

Consider these critical factors when choosing an ITAD partner:

- Do services and quality levels meet your needs? Can the provider support your organization wherever you operate? If the vendor relies on many partners, how are the partners vetted? Carefully consider the full range of IT assets that require disposition, the regulatory environments wherever you do business and any specialized reporting needs you may have.

- How do they handle data security? Do your devices contain trade secrets, intellectual property, employee data or confidential customer information such as credit card numbers or patient records? Chances are they do. Always make data security a top priority.

- What is the environmental impact? Safe and responsible handling of electronics is not free. Some low-cost providers skirt environmental and worker health and safety concerns by shipping nonworking equipment to countries with weak or nonexistent environmental regulations. This is unethical and it is a potential liability. Often these assets can be tracked back to the original owner, exposing that organization’s brand. Typically, low-cost providers don’t erase the equipment they export.

- Does the vendor have the right certifications? Choose an ITAD provider that is certified to leading industry standards, and don’t just take the provider’s word for it. These standards bodies routinely audit providers to ensure that adequate and appropriate safeguards are in place. The International Organization for Standardization (ISO) certifications that focus on quality (9001) and environmental (14001) impacts are good indicators of a provider’s processes. However, R2 and e-Stewards remain the most important certifications when it comes to environmental standards for electronics at end-of-life. Both of these standards bodies list their certified providers on their websites. If the provider you are considering isn’t listed, it isn’t certified.

- What tracking processes are in place? Ideally, any asset should be traceable in real time and records should be matched to your own internal asset management system.

- How secure are vendor facilities? Equipment may need to be stored before disposition. The physical security of that location is one concern, but another is the issue of who has access to the stored equipment. Get specifics.

- What are the hidden costs? Providers may layer logistics costs, disposal fees, exclusions and other charges on top of their base contracts. Study these provisions carefully, as they can add significantly to the total bill.

- Does the vendor have effective remarketing resources? There can still be considerable value locked up in end-of-life equipment. Will you see a return on usable equipment from resale, or is the provider only interested in smelting the parts to recover minerals such as gold or silver? Skilled and reputable ITAD firms can determine which assets can be reused, then refurbish if needed, add new operating systems, and remarket them in various channels, using the revenues to offset your costs. Not every vendor has this capability.

- Is the vendor financially healthy? Any reliable ITAD vendor should be willing to provide evidence of a healthy balance sheet. Will they be around for the long term? This is important, since regulatory challenges and investigations may turn up years after the date of disposition. Be sure the vendor will be around and available to answer questions.
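Two of the checks above, in Myth #2 (records that establish a chain of custody linked to your own asset management system) and in the tracking bullet here (records matched to your internal register), come down to a reconciliation you can run yourself when the vendor's certificate of destruction arrives. The following is an added example, not code from the white paper or from any ITAD provider: it compares a constructed extract from an internal asset register against a constructed certificate and reports every serial that was shipped but never certified, certified but never shipped, certified twice, or sanitized with a method that the assumed policy does not accept for that media type. The column names, media types and the per-media-type list of acceptable methods are assumptions made for the illustration.

```python
"""Reconciling a vendor's certificate of destruction with the internal asset register.

Added example, not code from the white paper or from any ITAD provider. The two
CSV extracts are constructed samples; the column names, the media types and the
per-media-type list of acceptable methods are assumptions for the illustration.
"""
import csv
import io
from collections import Counter

# Constructed sample: what the asset management system says was shipped.
INVENTORY_CSV = """asset_tag,serial,media,shipped
A-1001,WD-ZX1A2B3C,HDD,2015-03-02
A-1002,SS-9F8E7D6C,SSD,2015-03-02
A-1003,WD-4D5E6F7A,HDD,2015-03-02
A-1004,SS-1B2C3D4E,SSD,2015-03-02
"""

# Constructed sample: the vendor's certificate of data destruction.
CERTIFICATE_CSV = """serial,method,completed
WD-ZX1A2B3C,overwrite,2015-03-05
SS-9F8E7D6C,overwrite,2015-03-05
WD-4D5E6F7A,shred,2015-03-05
WD-4D5E6F7A,shred,2015-03-05
WD-0000FFFF,shred,2015-03-05
"""

# Assumed policy in the spirit of NIST SP 800-88 Rev. 1: a single overwrite is
# acceptable for magnetic disks, but flash media must be purged or destroyed.
ACCEPTABLE_METHODS = {
    "HDD": {"overwrite", "degauss", "shred"},
    "SSD": {"crypto-erase", "sanitize", "shred"},
}


def parse(csv_text: str) -> list:
    """Read a CSV extract into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(inventory_rows: list, certificate_rows: list) -> dict:
    """Match the certificate against the register and report every discrepancy.

    Each finding is a sorted list of serial numbers so it can go straight into
    a follow-up with the vendor.
    """
    inventory = {r["serial"]: r for r in inventory_rows}
    counts = Counter(r["serial"] for r in certificate_rows)
    certified = {r["serial"]: r for r in certificate_rows}

    def method_ok(serial: str) -> bool:
        media = inventory[serial]["media"]
        # unknown media types get an empty set, so they are always flagged
        return certified[serial]["method"] in ACCEPTABLE_METHODS.get(media, set())

    return {
        # shipped to the vendor but never certified: still your liability
        "missing_from_certificate": sorted(s for s in inventory if s not in certified),
        # certified but not yours: a transcription error or someone else's drive
        "not_in_inventory": sorted(s for s in certified if s not in inventory),
        # the same serial certified twice: the count is not tied to a physical drive
        "duplicate_entries": sorted(s for s, n in counts.items() if n > 1),
        # method not acceptable for that media type (e.g. an overwrite on an SSD)
        "unacceptable_method": sorted(
            s for s in certified if s in inventory and not method_ok(s)
        ),
    }


def is_clean(report: dict) -> bool:
    """True only when every category of finding is empty."""
    return not any(report.values())


if __name__ == "__main__":
    findings = reconcile(parse(INVENTORY_CSV), parse(CERTIFICATE_CSV))
    for category, serials in findings.items():
        print(f"{category:26} {serials}")
    print("clean:", is_clean(findings))
```

Run against real extracts, anything in `missing_from_certificate` is an asset you still own for liability purposes and need to chase, and anything in `unacceptable_method` is a certificate that should not be accepted as proof of sanitization for that drive.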


Myth #5: There is such a thing as unlimited liability.

An ITAD provider might dangle liability insurance in front of a prospective customer in hopes of putting their mind at ease about the risk of prosecution for data privacy breaches. This is a common and potentially dangerous misconception. In fact, there really is no such thing as "unlimited" liability, as an organization's ability to pay should a breach occur is limited by the constraints of its own insurance and ultimately by the value of the company itself. Small or weakly capitalized ITAD firms are especially vulnerable in this respect. If the service provider goes out of business meeting a claim that exceeds the value of the business, whatever isn't covered (data breach losses or environmental damages, for example) reverts to the organization whose assets are tied to the loss.

Insurance is good to have, but policies vary widely in type and definition of coverage. Some limit terms so severely that their insurance amounts to no insurance at all. Insurance that covers only the value of the equipment is inadequate.

Your ITAD provider's insurance should also cover more than just penalties. Business costs may also factor into the equation. The cost of defending or remedying a legal dispute may include such factors as labor and legal expenses. Comprehensive plans cover a wide range of expenses. For example, one financial services company was forced to pay $8 million to provide free credit protection service for its customers because of a data breach involving a single laptop.

Myth #6: All big ITAD companies provide global services.

Not all global claims are truly global. Just because an ITAD provider marks a location on a map doesn't mean it has the necessary expertise to serve your company in that region. For all organizations, details matter; for global organizations, even more so. Understand who will actually be handling your assets, the ITAD provider or a partner. Make sure the vendor can warrant that its partners have been vetted and are held to the same standards you expect from the vendor itself: they need to hold the pertinent certifications, carry the requisite insurance and be financially solid.

Countries have different regulations around e-waste, so understanding what needs to be done on a country-by-country basis is important. Ensuring secure technology retirement also requires the ability to deliver the same level of service at all processing facilities, regardless of location.

If you are a multinational organization, having an ITAD partner that does business where you do business, with a consistent, vetted process, will go a long way toward ensuring you are compliant with regulations in every geography and toward protecting your assets, your data and your brand.


©2015 Arrow Electronics, Inc. Arrow and the Arrow logo are registered trademarks of Arrow Electronics, Inc. Other trademarks and product information are the property of their respective owners.

1003_6Myhs_06/15_CDS1.2

Arrow Electronics, Inc. Value Recovery

9201 East Dry Creek Road Centennial, CO 80112, USA

Getting ITAD Right

IT assets, far more than ordinary trash, carry huge areas of vulnerability for an organization, and potentially an upside. Effective, legal, safe ITAD is not a one-size-fits-all commodity service. Done right, in partnership with a qualified, reputable provider, ITAD returns value to your organization.

Proper ITAD is complex: it contends with an intricate web of regulations that continue to evolve, and a verifiable chain of custody requires assiduous attention to detail. But a good ITAD provider will shield you from the complexity and make ITAD easy on your end.

In your ITAD vendor selection process, make sure you consider ease of use, service quality, reputation, financial stability, audit controls, security practices, and compliance with all relevant regulations and leading industry standards. Your ITAD provider should make your life easier, providing data, environmental and brand protection and returning value. Good ITAD improves data security and can optimize asset use for the greatest return. It's no myth.

About Arrow Value Recovery

Arrow's Value Recovery group is a worldwide provider of IT asset disposition (ITAD) and aftermarket solutions designed to deliver data security, efficiency and value. With specialized expertise in reverse logistics, Arrow enables organizations to uncover hidden value and increase sustainability at the end of the IT product lifecycle.

References:

1. Theft of Unencrypted Laptops behind Coca-Cola breach impacting 74,000, SC Magazine, January 27, 2014, http://www.scmagazine.com/theft-of-unencrypted-laptops-behind-coca-cola-breach-impacting-74000/article/331273/
2. Study shows recycled computers give away personal information, NAID online consumer news, February 19, 2014, http://www.naidonline.org/nitl/en/consumer/news/5164.html
3. Is Your Company Ready for a Big Data Breach?, Ponemon Institute, 2014, http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf
4. Gartner Newsroom, July 7, 2014, http://www.gartner.com/newsroom/id/2791017
5. Statista, The Statistics Portal, http://www.statista.com/statistics/219596/worldwide-server-shipments-by-vendor/
6. eWeek, February 27, 2014, http://www.eweek.com/servers/server-shipments-hit-record-in-2013-but-revenues-fall-idc.html
7. The Arrow IT Asset Disposition Trends Report, http://www.arrowvaluerecovery.com/resources/it-asset-disposition-trends-report/
8. Company under pressure after Clearfield hazardous waste fire, standard.net, November 8, 2014, http://www.standard.net/Environment/2014/11/08/Company-under-pressure-after-Clearfield-hazardous-waste-fire
9. Department of Defense, National Industrial Security Program Operating Manual (NISPOM), DoD 5220.22-M, http://www.dss.mil/documents/odaa/nispom2006-5220.pdf