Six Myths About IT Asset Disposition

Value Recovery
White Paper

Don’t fall prey to a data breach, legal liability or reputation damage.

Contents
Six Myths About IT Asset Disposition (p. 1)
Data at Risk (p. 2)
Environment at Risk (p. 3)
Brand at Risk (p. 3)
The Call for ITAD (p. 3)
Myth #1 (p. 4)
Myth #2 (p. 4)
Myth #3 (p. 5)
Myth #4 (p. 6)
Myth #5 (p. 7)
Myth #6 (p. 7)
Getting ITAD Right (p. 8)
About Arrow Value Recovery (p. 8)

Organizations pay close attention to purchasing new IT assets and managing them. But retiring that equipment effectively? Not so much. When a new laptop is commissioned, a faulty hard drive is replaced or a server is decommissioned, it’s decision time: What to do with the old technology? The original asset may still have value. More important, it probably contains sensitive data that needs to be properly eradicated.

Blockbuster headlines about the theft of confidential data housed on lost, stolen or recycled IT assets – employee personal information, patient health records, company intellectual property and more – make the news almost daily. That’s because the same organizations that handle IT asset procurement and management so carefully often have no reliable processes and procedures in place to ensure that the devices they retire are truly purged of confidential data. These businesses unwittingly expose themselves to a host of legal liabilities as well as the potential loss of sensitive corporate data and intellectual property, which can prove devastating. In short, they risk their business.
arrowvaluerecovery.com | 800 393 7627
Data at Risk
Major data heists like the one a beverage manufacturer discovered in 2014 [1], after 55 retired laptops were allegedly stolen by a former employee, make headline news. This breach is especially important because it highlights a common vulnerability – these assets were stolen after they were taken out of service but still contained data. In addition, research conducted by Australia’s National Association for Information Destruction (NAID) [2] revealed that many computers obtained through legitimate channels can also include the previous owner’s data intact. The study involved procuring 52 secondhand hard drives from a range of publicly available sources, such as eBay, for analysis. Significant highly sensitive information was found on 15 of the 52 (roughly 30 percent). Businesses were no more savvy than individuals in wiping their hard drives of sensitive data: 8 of the 15 un-erased hard drives had been sold by businesses. NAID found clients’ personal information, confidential client correspondence, billing information and personal medical information.

According to research conducted by the Ponemon Institute, the average cost of a single lost or stolen data record is $201 [3]. Multiply that by thousands or tens of thousands (as in the beverage manufacturer’s data breach) and there goes your IT budget.

As the sheer number of retired machines grows, so does the problem of keeping the sensitive data on those machines from getting into the wrong hands. For example, Gartner estimated worldwide combined shipments of devices (PCs, tablets, ultramobiles and mobile phones) at 2.4 billion units in 2014 [4]. A significant number of those devices will be procured by enterprises as replacements for retired equipment. Gartner’s estimate also includes over 1.8 billion mobile phones and smartphones; many of these devices have the capacity to store large amounts of proprietary information, and most of them will simply be thrown away after a couple of years of use.

The problem of technology disposal isn’t limited to PCs and personal devices. Over the past five years, it is estimated that over 46 million servers were shipped [5]. In fact, despite shrinking demand, a record number of servers shipped in 2013 [6]. Many of these servers likely replaced machines that were being retired – and all of them will one day need to be retired as well.
Environment at Risk
All this has obvious environmental implications, with the attendant legal and regulatory exposure. Although for IT managers data security is often the more immediate concern, both areas leave a business vulnerable. Because devices can contain toxic compounds, their proper handling is imperative for both worker safety and environmental stewardship. Organizations of all sizes cope with a complex web of regulations that vary by industry and jurisdiction.

Brand at Risk
These rules not only add administrative overhead, but they can also expose a company to significant fines, lawsuits and damaging negative publicity. And ignorance of the law is not a valid excuse.
The Call for ITAD
The need to manage the safe and orderly retirement of this large volume of equipment, along with expanding data security, regulatory and environmental concerns, is driving the growth of the IT asset disposition (ITAD) industry. New ITAD providers seem to pop up daily, but not all ITAD service providers are created equal. Many waste disposal and recycling firms now collect unwanted technology along with other waste without implementing practices to meet data security and regulatory needs. Building secure and accountable ITAD takes time and investment – investment few waste companies can make.

Inadequate ITAD exposes clients to risk by giving them a false sense of security. And customers whose equipment still has value lose out when their trash collector does nothing to reclaim residual value on their behalf. Customers are not protected, nor do they benefit.

Reputable asset disposition firms navigate the maze of regulations and find alternatives to disposal, including internal redeployment, resale and donation. These service providers track and report on the status of an individual piece of equipment in detail, from its pickup to its ultimate disposition.

By taking the liability and headache out of asset disposition, full-service ITAD firms are growing in popularity. In fact, Arrow’s Value Recovery group found in its 2014 survey of ITAD trends that nearly two out of three companies surveyed choose to have a third-party service provider manage their end-of-life assets. Conducted by independent research and consulting firm Blumberg Advisory Group, Inc., and summarized in the 2014 Arrow IT Asset Disposition Trends Report [7], the trends survey also revealed that data security concerns are a major driver of the shift to third-party ITAD providers. As you look for a reputable ITAD provider, beware of six prevalent myths you need to debunk. Understanding the rules and best practices of ITAD can save your organization money, time and reputation, and provide competitive advantage.
Myth #1: Disposing of IT assets is simple.
Many firms are still under the impression that you can simply sell your equipment or give it away and be free of regulatory requirements and liabilities. Not so. Penalties for improper data protection include steep fines and even imprisonment, and these penalties are levied on the organization responsible for the data – not the disposition vendor. When handing over electronics, you need to be sure of how the data will be destroyed and have proof of its actual destruction.

Because of data protection and environmental regulations, the administrative burden of disposing of a single PC can run into many hours of work. That’s why you should be especially wary of firms that pick up electronics for free. Chances are they are not thoroughly erasing data and may even be selling the electronics as scrap abroad.
Myth #2: Once ownership is transferred to the asset disposal company, it’s not our problem.
This is a dangerous assumption. Liability for data protection continues long after you transfer a retired asset to a third party. If a data security breach is uncovered, regulators and law enforcement officials will not limit their focus to the disposal firm; they will also look to the company that collected the data in the first place.

The small mom-and-pop recycler or the “guy in a truck” who comes to pick up your old computers may take them out of your life – but if you don’t know what happens to them afterward, you may find yourself liable down the road. One recycler in Utah [8] simply decamped with no notice, leaving behind mountains of IT assets that are now the responsibility of the original owners. The situation reached the headlines when one of their facilities caught fire, highlighting the exposure a company can face if its assets are not handled properly.

In choosing an ITAD vendor, partner with a well-established ITAD firm that has checks and balances in place to ensure that any kind of liability that could be associated with your IT assets – data security, environmental compliance or brand exposure – is definitively addressed when those assets leave your company’s direct custody. It’s extremely important that the receiving organization has bulletproof chain-of-custody processes in place, along with thorough documentation of those processes.

Contractual overrides rarely insulate data owners from liability and potential environmental issues. Regulators may insist on detailed tracking records to establish that appropriate data protection procedures were followed during disposition. These records should establish a chain of custody that is linked to a company’s internal asset management systems: each asset tag and drive serial number should be traceable from pickup through sanitization or destruction to final disposition, with a certificate for each. In many cases, these audit trails involve specialized reports that are unique to a government or regulatory agency. It can be time-consuming and expensive for businesses to track these requirements. Professional ITAD firms make this reporting a core component of their service.
Myth #3: Deleting data or reformatting hard disks or resetting mobile devices is sufficient.
Simply deleting data, reformatting a disk or resetting a mobile device does not reliably remove the data. Deleting a file unlinks it from the file system index and leaves its blocks in place until they happen to be reused. A quick format rewrites the file system’s metadata (partition table, allocation tables, directory entries) but leaves most of the underlying data blocks untouched, where file-recovery tools can still find them. A factory reset of a mobile device reverts its settings and, on older devices or removable storage, may leave user data recoverable; only where the device encrypts user data and the reset discards the encryption keys does the reset amount to a cryptographic erase. Using these methods as the sole means of data sanitization puts your company at risk of regulatory noncompliance, stolen data and brand damage.

Experts recommend following NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, which describes itself as guidance “which will assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information. Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort.” The three-pass overwrite that is often sold as the “DoD 5220.22-M standard” is a legacy pattern: the 2006 edition of the National Industrial Security Program Operating Manual [9] no longer contains the overwrite matrix that name refers to, and NIST 800-88 Rev. 1 treats a single overwrite pass with a fixed pattern as adequate for clearing magnetic hard disks. Whichever method is chosen, it is not enough that the data is destroyed; the destruction must also be verified, by reading the media back (in full or by sampling) after sanitization and recording the result for each drive by serial number.

Commercial tools are available to automate this process, but licenses and equipment costs can run to several thousand dollars. Add to that the considerable expense of training employees to use these tools, and paying them to cleanse each individual hard disk. And when you’re done with the time and expense of self-verifying, liability still remains.

Erasure tools written for magnetic hard drives do not necessarily work with the wide variety of solid state drives (SSDs) and mobile devices available. Flash storage remaps writes across spare and over-provisioned blocks that the host cannot address, so a software overwrite can leave copies of old data in place. NIST 800-88 Rev. 1 instead relies on the drive’s own sanitize commands for these devices (ATA Secure Erase, NVMe Format with secure erase, or cryptographic erase on self-encrypting drives), and different manufacturers of SSDs and mobile devices often require specialized procedures that many erasure tools do not handle. These devices are replaced by organizations on average every two years, so having the capability to completely remove sensitive data from them is highly important.

Professional ITAD firms use state-of-the-art data erasure technologies and apply economies of scale to achieve maximum efficiency. They also understand the specialized data destruction procedures required by SSDs and mobile devices as well as the importance of providing verification of data destruction. For businesses that want to use physical disk destruction, professional providers offer a thorough and safe solution. And for the tightest security, some ITAD firms offer complete on-site physical disk destruction.

Physically destroying disks does not by itself produce evidence that a particular disk was destroyed. Disks are scanned and then dropped into a shredder, and there is no system verification that, once scanned, the disk actually went into the shredder. Physical security of the site (monitoring of employees and witnessed destruction, for example) can help reduce this vulnerability.
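The overwrite-and-verify step described above, as an added shell example that is not from the white paper or from Arrow: it zero-fills a target in a single pass, reads every byte back to confirm the pass, emits a one-line evidence record of the kind the chain-of-custody documentation in Myth #2 calls for, and wraps the firmware secure-erase commands (hdparm for ATA drives, nvme-cli for NVMe drives) that NIST 800-88 prefers over software overwrite for SSDs. The target path, the throwaway ATA password and the record format are assumptions; the secure-erase functions need root and a real drive, so they are defined here but only the overwrite, verify and record functions are meant to be run against a regular file.

```sh
#!/bin/sh
# Added example, not code from the white paper. TARGET is a hypothetical path:
# a regular file when trying this out, a whole-disk device such as /dev/sdb in
# practice (root required). blockdev is Linux-specific; the rest is POSIX sh.
set -u

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# NIST SP 800-88 r1 "Clear" for magnetic disks: one full pass of a fixed
# pattern (zeros). Not a Purge for flash media; see the secure-erase functions.
clear_overwrite() {
    size=$(target_size "$1")
    head -c "$size" /dev/zero > "$1" && sync
}

# Verification: read every byte back and count those that are not 0x00.
# Prints the count and returns success only when the whole target reads as zeros.
verify_zeroed() {
    size=$(target_size "$1")
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    echo "$nonzero"
    [ "$nonzero" -eq 0 ]
}

# Evidence line for the disposition record (assumed CSV layout):
# target, size in bytes, non-zero bytes found, PASS/FAIL, UTC timestamp.
# In practice the first field would be the drive serial from the asset register.
sanitize_record() {
    size=$(target_size "$1")
    if nonzero=$(verify_zeroed "$1"); then result=PASS; else result=FAIL; fi
    printf '%s,%s,%s,%s,%s\n' "$1" "$size" "$nonzero" "$result" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# ATA SECURITY ERASE UNIT (enhanced): the drive firmware erases all user
# sectors, including remapped ones the host cannot address. The password is a
# throwaway; the erase clears it. If hdparm -I reports the drive as "frozen",
# the security feature set is locked until the drive is power-cycled.
ata_secure_erase() {
    hdparm --user-master u --security-set-pass tmppass "$1"
    hdparm --user-master u --security-erase-enhanced tmppass "$1"
}

# NVMe Format with Secure Erase Setting 1 (user data erase) or 2 (cryptographic
# erase, for drives that encrypt at rest). Default is 1.
nvme_secure_erase() {
    nvme format "$1" --ses="${2:-1}"
}
```

Run `clear_overwrite /path/to/target && sanitize_record /path/to/target >> sanitize.log` per drive; a FAIL line, or a non-zero count, means the overwrite did not reach every block and the drive should go to physical destruction instead of resale.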
Myth #4: Asset disposal is a commodity.
When all IT asset disposition vendors appear to be offering the same services, it’s tempting to simply go with the cheapest solution. Appearances can be deceiving, and choosing the low-cost provider could end up costing significantly more – it could cost you your business.

Effective, secure, legal ITAD requires both knowledge of detailed regulations and standardized processes. With an ever-changing regulatory landscape, it is critical to choose an ITAD provider that understands the regulations and that has a robust process for integrating new regulations as they emerge.

Low-cost providers that don’t know the rules may resort to cheap disposal options such as shipping equipment overseas without first cleansing data from the equipment. A traceable chain of custody and audits that document downstream partners’ adherence to environmental and data standards are critical.

A one-size-fits-all, low-budget approach to data security will not protect your organization and its brand reputation. The potential costs associated with a data breach can be enormous, and can become media fodder for years. From a big box retailer to an entertainment giant to healthcare providers and government agencies, the stories of data being compromised seem endless. A data breach is bad for your brand and bad for business.
Consider these critical factors when choosing an ITAD partner:
-- Do services and quality levels meet your needs? Can the provider support your organization wherever you operate? If the vendor relies on many partners, how are the partners vetted? Carefully consider the full range of IT assets that require disposition, the regulatory environments wherever you do business and any specialized reporting needs you may have.
-- How do they handle data security? Do your devices contain trade secrets, intellectual property, employee data or confidential customer information such as credit card numbers or patient records? Chances are they do. Always make data security a top priority.
-- What is the environmental impact? Safe and responsible handling of electronics is not free. Some low-cost providers skirt environmental and worker health and safety concerns by shipping nonworking equipment to countries with weak or nonexistent environmental regulations. This is unethical and it is a potential liability. Often these assets can be tracked back to the original owner, exposing that organization’s brand. Typically, low-cost providers don’t erase the equipment they export.
-- Does the vendor have the right certifications? Choose an ITAD provider that is certified to leading industry standards, and don’t just take the provider’s word for it. These standards bodies routinely audit providers to ensure that adequate and appropriate safeguards are in place. The International Organization for Standardization (ISO) certifications that focus on quality (9001) and environmental (14001) impacts are good indicators of a provider’s processes. However, R2 and e-Stewards remain the most important certifications when it comes to environmental standards for electronics at end-of-life, and for the data-destruction process itself NAID AAA Certification audits the sanitization operation. These standards bodies list their certified providers on their websites. If the provider you are considering isn’t listed, it isn’t certified.
-- What tracking processes are in place? Ideally, any asset should be traceable in real time and records should be matched to your own internal asset management system.
-- How secure are vendor facilities? Equipment may need to be stored before disposition. The physical security of that location is one concern, but another is the issue of who has access to the stored equipment. Get specifics.
-- What are the hidden costs? Providers may layer logistics costs, disposal fees, exclusions and other charges on top of their base contracts. Study these provisions carefully, as they can add significantly to the total bill.
-- Does the vendor have effective remarketing resources? There can still be considerable value locked up in end-of-life equipment. Will you see a return on usable equipment from resale, or is the provider only interested in smelting the parts to recover minerals such as gold or silver? Skilled and reputable ITAD firms can determine which assets can be reused, then refurbish if needed, add new operating systems, and remarket them in various channels, using the revenues to offset your costs. Not every vendor has this capability.
-- Is the vendor financially healthy? Any reliable ITAD vendor should be willing to provide evidence of a healthy balance sheet. Will they be around for the long term? This is important, since regulatory challenges and investigations may turn up years after the date of disposition. Be sure the vendor will be around and available to answer questions.
Myth #5: There is such a thing as unlimited liability.
An ITAD provider might dangle liability insurance in front of a prospective customer in hopes of putting their mind at ease about the risk of prosecution for data privacy breaches. This is a common and potentially dangerous misconception. In fact, there really is no such thing as “unlimited” liability, as an organization’s ability to pay should a breach occur is limited by the constraints of its own insurance and ultimately by the value of the company itself. Small or weakly capitalized ITAD firms are especially vulnerable in this respect. If the service provider goes out of business meeting a claim that exceeds the value of the business, what isn’t covered (in terms of data breach loss or environmental damages, for example) reverts to the organization whose assets are tied to the loss.

Insurance is good to have, but policies vary widely in type and definition of coverage. Some limit terms so severely that their insurance amounts to no insurance at all. Insurance that covers only the value of equipment is inadequate.

Your ITAD provider’s insurance should also cover more than just penalties. Business costs may also factor into the equation. The cost of defending or remedying a legal dispute may include such factors as labor and legal expenses. Comprehensive plans cover a wide range of expenses. For example, one financial services company was forced to pay $8 million to provide free credit protection service for its customers because of a data breach involving a single laptop.
Myth #6: All big ITAD companies provide global services.
Not all global claims are truly global. Just because an ITAD provider marks a location on a map doesn’t mean they have the necessary expertise to serve your company in that region. For all organizations, details matter. For global organizations, even more so. Understand who will be handling your assets – the ITAD provider or a partner. Make sure the vendor can warrant that their partners have been vetted and are held to the same standards you expect from the vendor themselves: the pertinent certifications, the requisite insurance and a solid financial footing.

Countries have different regulations around e-waste, so understanding what needs to be done on a country-by-country basis is important. Ensuring secure technology retirement also requires the ability to deliver the same level of service at all processing facilities, regardless of location.

If you are a multinational organization, having an ITAD partner that does business where you do business and does so with a consistent, vetted process will go a long way toward ensuring you are compliant with regulations in every geography and toward protecting your assets, your data and your brand.
Getting ITAD Right
IT assets, far more than ordinary trash, carry significant risk for an organization, and potentially an upside. Effective, legal, safe ITAD is not a one-size-fits-all, commodity service. Done right, in partnership with a qualified, reputable provider, ITAD returns value to your organization.
Proper ITAD is complex – it contends with an intricate web of regulations that continue to
evolve, and a verifiable chain of custody requires assiduous attention to detail. But a good
ITAD provider will shield you from the complexity and make ITAD easy on your end.
In your ITAD vendor selection process, make sure you consider ease of use, service quality,
reputation, financial stability, audit controls, security practices, and compliance with all
relevant regulations and leading industry standards. Your ITAD provider should make your life
easier, providing data, environmental and brand protection and returning value. Good ITAD
improves data security and can optimize asset use for the greatest return. It’s no myth.
About Arrow Value Recovery
Arrow’s Value Recovery group is a worldwide provider of IT asset disposition (ITAD) and aftermarket solutions designed to deliver data security, efficiency and value. With specialized expertise in reverse logistics, Arrow enables organizations to uncover hidden value and increase sustainability at the end of the IT product lifecycle.

References:
1. Theft of Unencrypted Laptops behind Coca-Cola breach impacting 74,000, SC Magazine, January 27, 2014, http://www.scmagazine.com/theft-of-unencrypted-laptops-behind-coca-cola-breach-impacting-74000/article/331273/
2. Study shows recycled computers give away personal information, NAID online consumer news, February 19, 2014, http://www.naidonline.org/nitl/en/consumer/news/5164.html
3. Is Your Company Ready for a Big Data Breach?, Ponemon Institute, 2014, http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf
4. Gartner Newsroom, July 7, 2014, http://www.gartner.com/newsroom/id/2791017
5. Statista, The Statistics Portal, http://www.statista.com/statistics/219596/worldwide-server-shipments-by-vendor/
6. eWeek, February 27, 2014, http://www.eweek.com/servers/server-shipments-hit-record-in-2013-but-revenues-fall-idc.html
7. The Arrow IT Asset Disposition Trends Report, http://www.arrowvaluerecovery.com/resources/it-asset-disposition-trends-report/
8. Company under pressure after Clearfield hazardous waste fire, Standard-Examiner, November 8, 2014, http://www.standard.net/Environment/2014/11/08/Company-under-pressure-after-Clearfield-hazardous-waste-fire
9. Department of Defense National Industrial Security Program Operating Manual, DoD 5220.22-M (2006), http://www.dss.mil/documents/odaa/nispom2006-5220.pdf

Arrow Electronics, Inc.
Value Recovery
9201 East Dry Creek Road
Centennial, CO 80112, USA
©2015 Arrow Electronics, Inc. Arrow and the Arrow logo are registered trademarks of Arrow Electronics, Inc. Other trademarks and product information are the property of their respective owners.
1003_6Myhs_06/15_CDS1.2