Protect Yourself With These 7 IT Asset Disposal Procedure
You’ve just ordered fresh IT office equipment, and to make room for the new gear you decide to put retired IT assets in the storeroom out back for a few months. Sounds like a perfectly fine idea, right?
Without a proper IT asset disposal procedure in place, you risk equipment “disappearing” from your hands, leaving you open to severe fines should a data breach occur…
So in this article, let’s look at the IT asset disposal best practices that will ensure you remain indemnified – avoiding career-buckling fines and potential jail time as well.
Indemnify Yourself With These 7 IT Asset Disposal Procedure Best Practices
1. When A Device Is Deemed Redundant, Remove It Swiftly
When your register flags a device for replacement, begin the IT asset disposal process as soon as possible. There are two main reasons why you want to do this:
- The longer your IT assets stay in service, the less you are able to claim back through remarketing.
- If the device accidentally gets misplaced during changeover, then there is a higher risk of lost or stolen data if it gets into the wrong hands.
Get your IT team working swiftly or employ a professional IT asset disposition service provider to ensure the process starts and finished with correct documentation, tracking, and a full chain of custody.
2. Use Comprehensive Device Tracking To Avoid $Billions In Breach Fines
Paper trails are no longer enough. When a device comes out of service, you need to have it labelled immediately with a serial/tracking number and a barcode. While you could manage this in-house yourself, a better option is to employ the professional services of a certified ITAD disposal vendor, who is required to do this as part of the ITAD process.
Why is this such an important practice?
If your devices – which can store sensitive data – were to become ‘lost’, you could be left vulnerable to hefty fines…
According to a recent study, over 80% or corporate IT asset disposal projects had at least one missing asset – 15% of these potentially bearing sensitive data.
US healthcare provider TRICARE contributed to these statistics in 2011, when it failed to track the destruction of a backup tape which was eventually found in public hands – resulting in lawsuits of over $4.9 billion in damages.
If only they had the right steps in place from the beginning!
3. Hold Retired Devices in a Secure Location, Not In A Storeroom
Don’t be tempted to let your team stash devices underneath desks or in drawers. Instead, have a designated, secure, lockable facility on-site, or arrange for an ITAD vendor to conduct off-site management on your behalf.
You don’t want your assets to grow legs – as they often do. An astounding 41% of all data breach events from 2005 through 2015 were due to devices like laptops, tablets and smartphones going missing.
As part of your IT asset disposal procedure, ensure that all devices are checked into a secure holding location to avoid devices being lost or stolen. Ideally, this location should:
- Be fully enclosed with no more than 2 points of ingress.
- Have limited access through use of a secured entry – 2-step verification is preferred.
- Keep a detailed digital and paper record of device movement in and out of the space. This should be done using certified tracking software and identification labels.
Following such a process will, in many cases, eliminate the chance of data theft and maximize the efficiency of your IT asset disposal procedure and equipment replacement program.
4. Ensure Appropriate Data Destruction Measures Are Used
Simply pressing “delete” in your OS is not enough. Without using one of the following specialized methods, it can simply be “un-deleted”…
- Erasing/Overwriting – Data is removed using software that overwrites existing data with a minimum of three passes. For highly confidential information, DOD certified data wiping to DoD 5220.22-M may be used.
- Degaussing – using a magnetic charge to de-magnetize a hard drive or tape to a magnetically neutral state – void of information.
- Destruction – The safest option for equipment destruction. On site hard drive destruction, or physical destruction and shredding of hard drives, computers, and electronic equipment to defective or “dead” state.
A data destruction method using one or a combination of the above is selected based on your requirement, and in some cases, your industry:
- Health and Human Services (HHS) – Protected health information (PHI) is regulated by the HIPAA and HITECH legistlation.
- Financial Sector – Data holding institutions may be held accountable against the SEC, Office of Comptroller of Currency, Federal Reserve Board, FDIC, Office of Thrift Supervision or the National Credit Union Administration.
And while 47 of the 50 states and the District of Columbia all have separate data breach notification laws, IT asset managers can abide by the majority of regulations by following these IT asset disposal procedure best practices:
- You must be in a position to guarantee 100% destruction of all data on devices. If you are unable to do this, consider secure IT disposals through a vendor.
- Provide a certificate of data destruction for all unwanted IT equipment. Again, if you are unable to arrange this, best to employ a professional.
- Erase data using CESG approved data wiping software.
- Select vendors that are certified by the National Association of Information Destruction (NAID). If a NAID-certified vendor is used, in the eyes of regulators, due diligence is completed.
- Use a microshredding device to destroy SSD drives to 2 mm particle size (recommended by the NSA), as the best degausser on the market is harmless to these.
5. Use Certified Compliance Reporting Software
Detailed documentation is essential, so you can prove your compliance to overseeing bodies such as HIPPA, PCI, SOX, FCC, FDA, etc.
An IT asset disposal procedure may see an asset change hands several times as it enters into a different tracking and reporting process should it not be managed by a single end-to-end ITAD vendor or in-house.
In each case, as the original asset owner, you need a certified compliance report you can keep in your back office systems should an audit be triggered.
6. Plan in Advance to Remarket Your Assets And Achieve Significant ROI
In general, IT assets (such as PCs, laptops, cell phones and servers) that are less than three to four years old have resale value. You can use data from your IT asset disposal procedure to predict the market valuation and book value of your assets, so you can proactively plan for one of two options: Remarket or Recycle.
If your equipment is deemed to have commercial value then you can choose to remarket, which involves refurbishment, upgrade, and resale to capitalize on the recoverable value. Re-selling, selling to employees, or donating to schools or foundations are all ways to get value back from your old technology.
As a best practice:
- Ensure you destroy data according to the requirements of relevant legislation as detailed in #4 above. Or use an ITAD vendor who can do this for you.
- To indemnify yourself, ensure you obtain (and keep in your records) a Certificate of Destruction for any storage media that has been erased or replaced.
- To ensure that you don’t accidentally leak confidential personally identifiable information (PII), it’s best to employ a professional ITAD vendor to work on your behalf who asset-tracks all equipment so you have a record of exactly where the equipment has been sent to and, if it has been sent for reuse, where and how it is being used. They may also be able to offer advanced services such as software harvesting and a network of existing remarketing channels.
Making the potential for remarketing a core aspect of your IT asset disposal process can help create a revenue-generating stream with a profitable ROI.
7. When Remarketing Isn’t Viable, Use Certified Equipment Destruction & Recycling
If remarketing isn’t an option, then what happens to retired IT assets? Are they being recycled correctly and properly, or are they headed straight to a third-world country where children break it down for scrap – a process that is a strain on the environment and potentially dangerous to your organization’s reputation.
IT asset disposal procedure best practices for recycling are to:
- Use a certified data destruction and recycling vendor who can provide you with a Certificate of Electronic Equipment Destruction (CEED), which demonstrates and certifies that you took the proper steps to dispose of you assets, which is not only the responsible thing to do, but can can also save you from penalties down the line.
- Always use an approved disposal provider that is registered with the Environment Protection Agency.
- Use an organisation which uses comprehensive asset-tracking for all IT equipment.
- Request hard-copy evidence of the disposal route of your equipment – where it was sent to, which parts were reused and which were recycled.
- Ensure that all your waste goes to an authorised site. All waste must be treated by an Approved Authorised Treatment Facility (AATF) or an Authorised Treatment Facility (ATF).
- Ensure every item of e-waste that leaves your premises is covered by a Waste Transfer Note (WTN) and keep WTNs for a minimum of 2 years.
Keep in mind as well that the data on the devices remains critical. If the data has not been properly destroyed, there is still a risk of a major data breach. Whether you choose to destroy data in-house (not recommended) or outsource the data destruction process (recommended).
What Is It Asset Disposal?
IT asset disposal, also known more widely as ITAD, or IT Asset Disposition, is defined as: “A process of safe and responsible management of retired electronic equipment according to a strict data security protocol which is tracked and certified.”
To achieve this is no small task. ITAD companies specialize in the processes related to disposing of, remarketing, and recycling IT assets in a way that is fully tracked with a chain of custody. Working according to an IT asset disposal procedure with the right ITAD vendor can help ensure you’re maximizing the value of each device while simultaneously minimizing your environmental impact.
Seeing that the alternative is to throw your old laptops, servers, printers, faxes etc. into a dumpster and hope for the best (leaving yourself wide-open to data breach scenarios), it’s a service that can save you from significant privacy breach costs.
In fact, leading corporate firms such as Sutter Health and Emory Healthcare have faced data breach lawsuits of over $1Billion and $200Million respectively.
How To Find a Suitable IT Asset Disposition Vendor
We’ve recommended using a certified ITAD vendor to streamline and automate your IT asset disposal process, but how to find the right one?
Work with them to answer the following questions:
- What are the vendor’s processes and procedures for destroying legacy data? The vendor should be able to provide written certification that ALL data was destroyed, as well as proof of the method used.
- Does the vendor follow any of the recognized best practices we’ve discussed here?
- Who certifies and audits the vendor’s processes? Is it a reputable company certified by a recognized body (E.g. R2 or E-Stewards)?
- Can the vendor produce evidence that it has proper facilities, training and equipment?
- What certifications does the vendor have?
- Does the vendor send equipment to third party partners? If “Yes,” what are their processes and procedures?
- Does the vendor have strong record-keeping practices (shipment records, serial tracking)?
- What percentage of materials is recycled vs. destroyed?
At All Green, we use a state-of-the-art ITAD process with end-to-end tracking which begins upon receipt of IT assets to our secure recycling facility. All IT equipment received are individually logged into a tracking system and tagged with a unique barcode and documentation that creates a full chain of custody.
Request a quote or call our support team who can begin the IT asset disposal process for you.