Six Myths About IT Asset Disposition

Value Recovery
White Paper
Six Myths About IT Asset
Don’t fall prey to a data breach, legal liability or
reputation damage.
Six Myths About IT Asset
Data at Risk
Organizations pay close attention to purchasing new IT
assets and managing them. But retiring that equipment
effectively? Not so much. When a new laptop is
commissioned, a faulty hard drive is replaced or a server is
decommissioned, it’s decision time: What to do with the old
technology? The original asset may still have value. More
important, it probably contains sensitive data that needs to
be properly eradicated. Environment at Risk
Brand at Risk
The Call for ITAD
Myth #1
Myth #2
Myth #3
Myth #4
Myth #5
Myth #6
Getting ITAD Right
About Arrow Value Recovery
Blockbuster headlines about the theft of
confidential data housed on lost, stolen or
recycled IT assets – employee personal
information, patient health records,
company intellectual property and more –
make the news almost daily. That’s because
the same organizations that handle IT
asset procurement and management so
carefully often have no reliable processes
and procedures in place to ensure that
the devices they retire are truly purged
of confidential data. These businesses
unwittingly expose themselves to a host of
legal liabilities as well as the potential loss
of sensitive corporate data and intellectual
property, which can prove devastating. In
short, they risk their business. | 800 393 7627
Six Myths About IT Asset Disposition
White Paper
Data at Risk
Major data heists like the one a beverage manufacturer discovered in 2014,1 after 55 retired
laptops were allegedly stolen by a former employee, make headline news. This breach is
especially important because it highlights a common vulnerability – these assets were stolen
after they were taken out of service but still contained data. In addition, research conducted
by Australia’s National Association for Information Destruction2 (NAID) revealed that many
computers obtained through legitimate channels can also include the previous owner’s data
intact. The study involved procuring 52 secondhand hard drives from a range of publicly
available sources, such as eBay, for analysis. Significant highly sensitive information was
found on 15 of the 52 (30 percent of them). Businesses were no more savvy than individuals
in wiping their hard drives of sensitive data: 8 of the 15 un-erased hard drives had been sold
by businesses. NAID found clients’ personal information, confidential client correspondence,
According to research
conducted by the Ponemon
Institute, the average cost
of a single lost or stolen
data record is $201. Multiply
that by thousands or tens
billing information and personal medical information.
of thousands (as in the
According to research conducted by the Ponemon Institute, the average cost of a single lost
beverage manufacturer’s data
or stolen data record is $201.3 Multiply that by thousands or tens of thousands (as in the
beverage manufacturer’s data breach) and there goes your IT budget.
breach) and there goes your
As the sheer number of retired machines grows, so does the problem of keeping the
IT budget.
sensitive data on those machines from getting into the wrong hands. For example, Gartner
estimated worldwide combined shipments of devices (PCs, tablets, ultramobiles and mobile
phones) at 2.4 billion units in 2014.4 A significant number of those devices will be procured
by enterprises as replacements for retired equipment. Gartner’s estimate also includes over
1.8 billion mobile phones and smartphones; many of these devices have the capacity to store
large amounts of proprietary information, and most of them will simply be thrown away after a
couple of years of use.
The problem of technology disposal isn’t limited to PCs and personal devices. Over the past
five years, it is estimated that over 46 million servers were shipped.5 In fact, despite shrinking
demand, a record number of servers shipped in 2013.6 Many of these servers likely replaced
machines that were being retired – and all of them will one day need to be retired as well.
Value Recovery | 800 393 7627
Six Myths About IT Asset Disposition
White Paper
Environment at Risk
All this has obvious environmental implications, with the attendant
legal and regulatory exposure. Although for IT managers, data
security is often the more immediate concern, both areas leave a
business vulnerable. Because devices can contain toxic compounds,
their proper handling is imperative for both worker safety and
environmental stewardship. Organizations of all sizes cope with a
complex web of regulations that vary by industry and jurisdiction.
Brand at Risk
These rules not only add administrative overhead, but they can
also expose a company to significant fines, lawsuits and damaging
negative publicity. And ignorance of the law is not a valid excuse.
The Call for ITAD
The need to manage the safe and orderly retirement of this large
By taking the liability and headache out of asset disposition,
volume of equipment, along with expanding data security, regulatory
full-service ITAD firms are growing in popularity. In fact, Arrow’s
and environmental concerns, is driving the growth of the IT asset
Value Recovery group found in its 2014 survey of ITAD trends
disposition (ITAD) industry. New ITAD providers seem to pop up daily,
that nearly two out of three companies surveyed choose to have
but not all ITAD service providers are created equal. Many waste
a third-party service provider manage their end-of-life assets.
disposal and recycling firms now collect unwanted technology along
Conducted by independent research and consulting firm Blumberg
with other waste without implementing practices to meet data security
Advisory Group, Inc., and summarized in the 2014 Arrow IT Asset
and regulatory needs. Building secure and accountable ITAD takes
Disposition Trends Report,7 the trends survey also revealed that data
time and investment – investment few waste companies can make.
security concerns are a major driver of the shift to third-party ITAD
Inadequate ITAD exposes clients to risk by giving them a false sense
of security. And customers whose equipment still has value lose out
when their trash collector does nothing to reclaim residual value on
their behalf. Customers are not protected nor do they benefit.
providers. As you look for a reputable ITAD provider, beware of six
prevalent myths you need to debunk. Understanding the rules and
best practices of ITAD can save your organization money, time and
reputation, and provide competitive advantage.
Reputable asset disposition firms navigate the maze of regulations
and find alternatives to disposal, including internal redeployment,
resale and donation. These service providers track and report on the
status of an individual piece of equipment in detail, from its pickup to
its ultimate disposition.
Value Recovery | 800 393 7627
Six Myths About IT Asset Disposition
White Paper
Myth #1: Disposing of IT assets is simple.
Many firms are still under the impression that you can simply sell your equipment or give it
away and be free of regulatory requirements and liabilities. Not so. Penalties for improper
data protection include steep fines and even imprisonment, and these penalties are levied
on the organization responsible for the data – not the disposition vendor. When handing
over electronics, you need to be sure of how the data will be destroyed and have proof of its
actual destruction.
Because of data protection and environmental regulations, the administrative burden
of disposing of a single PC can run into many hours of work. That’s why you should be
When handing over
electronics, you need to be
sure of how the data will be
destroyed and have proof of
its actual destruction.
especially wary of firms that pick up electronics for free. Chances are they are not thoroughly
erasing data and may even be selling the electronics as scrap abroad.
Myth #2: Once ownership is transferred to the asset disposal
company, it’s not our problem.
This is a dangerous assumption. Liability for data protection continues long after you transfer
a retired asset to a third party. If a data security breach is uncovered, law enforcement
officials will not limit their focus to the disposal firm but will also target the company that
gathered the data.
The small mom-and-pop recycler or the “guy in a truck” who comes to pick up your old
computers may take them out of your life – but if you don’t know what happens to them
afterward, you may find yourself liable down the road. One recycler in Utah8 simply decamped
with no notice, leaving behind mountains of IT assets that are now the responsibility of the
original owners. The situation reached the headlines when one of their facilities caught fire,
highlighting the exposure a company can face if its assets are not handled properly.
If a data security breach is
uncovered, law enforcement
officials will not limit their
focus to the disposal firm but
will also target the company
that gathered the data.
In choosing an ITAD vendor, partner with a well-established ITAD firm that has checks and
balances in place to ensure that any kind of liability that could be associated with your IT
assets – data security, environmental compliance or brand exposure – is definitively addressed
when those assets leave your company’s direct custody. It’s extremely important that the
receiving organization has bulletproof chain-of-custody processes in place, along with thorough
documentation of those processes.
Contractual overrides rarely insulate data owners from liability and potential environmental
issues. Regulators may insist on detailed tracking records to establish that appropriate data
protection procedures were followed during disposition. These records should establish a chain
of custody that is linked to a company’s internal asset management systems. In many cases,
these audit trails involve specialized reports that are unique to a government or regulatory
agency. It can be time-consuming and expensive for businesses to track these requirements.
Professional ITAD firms make this reporting a core component of their service.
Value Recovery | 800 393 7627
Six Myths About IT Asset Disposition
White Paper
Myth #3: Deleting data or reformatting hard disks or
resetting mobile devices is sufficient.
Simply deleting data, reformatting a disk or resetting a mobile device does not actually
remove the data. Formatting a drive, for example, simply overwrites indexed tables but may
delete little actual data. Resetting mobile devices only reverts devices to factory settings,
and all user data remains intact. Using these methods as the sole means for data sanitization
Simply deleting data,
reformatting a disk or resetting
puts your company at risk of regulatory noncompliance, stolen data and brand damage.
a mobile device does not
Experts recommend using the Department of Defense’s 5220.22-M erasure standard and
actually remove the data.
NIST 800-88 Revision 1 guidelines “which will assist organizations and system owners in
making practical sanitization decisions based on the categorization of confidentiality of their
information. Media sanitization refers to a process that renders access to target data on the
media infeasible for a given level of effort.”9 This approach ensures that media are completely
cleansed of recoverable data. Not only must the data be destroyed, but the destruction must
also be verified.
Commercial tools are available to automate this process, but licenses and equipment
costs can run to several thousand dollars. Add to that the considerable expense of training
employees to use these tools, and paying them to cleanse each individual hard disk. And
when you’re done with the time and expense of self-verifying, liability still remains.
Erasure tools for computer magnetic hard drives do not necessarily work with the wide
variety of solid state drives (SSDs) and mobile devices available. Different manufacturers of
SSDs and mobile devices usually require specialized procedures to ensure media sanitization
that many erasure tools do not handle. These devices are replaced by organizations on
average every two years, so having the capability to completely remove sensitive data from
them is highly important.
Professional ITAD firms use state-of-the-art data erasure technologies and apply economies
of scale to achieve maximum efficiency. They also understand the specialized data
destruction procedures required by SSDs and mobile devices as well as the importance
of providing verification of data destruction. For businesses that want to use physical disk
destruction, professional providers offer a thorough and safe solution. And for the tightest
security, some ITAD firms offer complete on-site physical disk destruction.
Physically destroying disks lacks a way to verify data destruction. Disks are scanned and
then dropped into a shredder. There is no system verification that once scanned, the disk is
actually dropped into the shredder. Physical security of the site (monitoring of employees, for
example) can help reduce this vulnerability.
Value Recovery | 800 393 7627
Six Myths About IT Asset Disposition
White Paper
Myth #4: Asset disposal is a commodity.
When all IT asset disposition vendors appear to be offering the
disposal options such as shipping equipment overseas without first
same services, it’s tempting to simply go with the cheapest solution.
cleansing data from the equipment. A traceable chain of custody
Appearances can be deceiving, and choosing the low-cost provider
and audits that document downstream partners’ adherence to
could end up costing significantly more – it could cost you your
environmental and data standards are critical.
A one-size-fits-all, low-budget approach to data security will not
Effective, secure, legal ITAD requires both knowledge of detailed
protect your organization and its brand reputation. The potential
regulations and standardized processes. With an ever-changing
costs associated with a data breach can be enormous, and can
regulatory landscape, it is critical to choose an ITAD provider that
become media fodder for years. From a big box retailer to an
understands the regulations and that has a robust process for
entertainment giant to healthcare providers and government
integrating new regulations as they emerge.
agencies, the stories of data being compromised seem endless.
Low-cost providers that don’t know the rules may resort to cheap
A data breach is bad for your brand and bad for business.
Consider these critical factors when choosing an ITAD partner:
-- Do services and quality levels meet your needs? Can the
provider support your organization wherever you operate? If the
vendor relies on many partners, how are the partners vetted?
Carefully consider the full range of IT assets that require
disposition, the regulatory environments wherever you do
business and any specialized reporting needs you may have.
-- How do they handle data security? Do your devices contain
trade secrets, intellectual property, employee data or
confidential customer information such as credit card numbers
or patient records? Chances are they do. Always make data
security a top priority.
-- What is the environmental impact? Safe and responsible
handling of electronics is not free. Some low-cost providers
skirt environmental and worker health and safety concerns
by shipping nonworking equipment to countries with weak or
nonexistent environmental regulations. This is unethical and it is
a potential liability. Often these assets can be tracked back to
the original owner, exposing that organization’s brand. Typically,
low-cost providers don’t erase the equipment they export.
-- Does the vendor have the right certifications? Choose an
ITAD provider that is certified to leading industry standards,
and don’t just take the provider’s word for it. These standards
bodies routinely audit providers to ensure that adequate
and appropriate safeguards are in place. The International
Organization for Standardization (ISO) certifications that focus
on quality (9001) and environmental (14001) impacts are
good indicators of a provider’s processes. However, R2 and
e-Stewards remain the most important certifications when it
comes to environmental standards for electronics at end-of-life.
Both of these standards bodies list their certified providers on
their websites. If the provider you are considering isn’t listed, it
isn’t certified.
Value Recovery
-- What tracking processes are in place? Ideally, any asset should
be traceable in real time and records should be matched to
your own internal asset management system.
-- How secure are vendor facilities? Equipment may need to be
stored before disposition. The physical security of that location
is one concern, but another is the issue of who has access to
the stored equipment. Get specifics.
-- What are the hidden costs? Providers may layer logistics costs,
disposal fees, exclusions and other charges on top of their
base contracts. Study these provisions carefully, as they can
add significantly to the total bill.
-- Does the vendor have effective remarketing resources?
There can still be considerable value locked up in end-of-life
equipment. Will you see a return on usable equipment from
resale, or is the provider only interested in smelting the parts to
recover minerals such as gold or silver? Skilled and reputable
ITAD firms can determine which assets can be reused, then
refurbish if needed, add new operating systems, and remarket
them in various channels, using the revenues to offset your
costs. Not every vendor has this capability.
-- Is the vendor financially healthy? Any reliable ITAD vendor
should be willing to provide evidence of a healthy balance
sheet. Will they be around for the long term? This is important,
since regulatory challenges and investigations may turn up
years after the date of disposition. Be sure the vendor will be
around and available to answer questions. | 800 393 7627
Six Myths About IT Asset Disposition
White Paper
Myth #5: There is such a thing as unlimited liability.
An ITAD provider might dangle liability insurance in front of a prospective customer in hopes
of putting their mind at ease about the risk of prosecution for data privacy breaches. This is
a common and potentially dangerous misconception. In fact, there really is no such thing as
“unlimited” liability, as an organization’s ability to pay should a breach occur is limited by the
constraints of its own insurance and ultimately by the value of the company itself. Small or
weakly capitalized ITAD firms are especially vulnerable in this respect. If the service provider
goes out of business meeting a claim that exceeds the value of the business, what isn’t
covered (in terms of data breach loss or environmental damages, for example) reverts to the
organization whose assets are tied to the loss.
Insurance is good to have, but policies vary widely in type and definition of coverage. Some
limit terms so severely that their insurance amounts to no insurance at all. Insurance that
covers only the value of equipment is inadequate.
Your ITAD provider’s insurance should also cover more than just penalties. Business costs
In fact, there really is no such
thing as “unlimited” liability,
as an organization’s ability to
pay should a breach occur
is limited by the constraints
of its own insurance and
ultimately by the value of the
company itself.
may also factor into the equation. The cost of defending or remedying a legal dispute may
include such factors as labor and legal expenses. Comprehensive plans cover a wide range
of expenses. For example, one financial services company was forced to pay $8 million to
provide free credit protection service for its customers because of a data breach involving a
single laptop.
Myth #6: All big ITAD companies provide global services.
Not all global claims are truly global. Just because an ITAD provider marks a location on a
map doesn’t mean they have the necessary expertise to serve your company in that region.
For all organizations, details matter. For global organizations, even more so. Understand
who will be handling your assets – the ITAD provider or a partner. Make sure the vendor can
warrant that their partners have been vetted and are held to the same standards you expect
from the vendor themselves. They have the pertinent certifications; they need to have the
requisite insurance; they need to be financially solid.
Countries have different regulations around e-waste, so understanding what needs to be
done on a country-by-country basis is important. Ensuring secure technology retirement also
requires the ability to deliver the same level of service at all processing facilities, regardless
Make sure the vendor can
warrant that their partners
have been vetted and are
held to the same standards
you expect from the vendor
of location.
If you are a multinational organization, having an ITAD partner that does business where you
do business and does so with a consistent, vetted process will go a long way toward ensuring
you are compliant with regulations in every geography and toward protecting your assets,
your data and your brand.
Value Recovery | 800 393 7627
Six Myths About IT Asset Disposition
White Paper
Getting ITAD Right
IT assets – more than ordinary trash – carry huge areas of vulnerability for an organization,
and potentially an upside. Effective, legal, safe ITAD is not a one-size-fits-all, commodity
service. Done right, in partnership with a qualified, reputable provider, ITAD returns value to
your organization.
Proper ITAD is complex – it contends with an intricate web of regulations that continue to
evolve, and a verifiable chain of custody requires assiduous attention to detail. But a good
ITAD provider will shield you from the complexity and make ITAD easy on your end.
In your ITAD vendor selection process, make sure you consider ease of use, service quality,
reputation, financial stability, audit controls, security practices, and compliance with all
relevant regulations and leading industry standards. Your ITAD provider should make your life
easier, providing data, environmental and brand protection and returning value. Good ITAD
improves data security and can optimize asset use for the greatest return. It’s no myth.
About Arrow Value Recovery
Arrow’s Value Recovery group is a worldwide provider of IT asset disposition (ITAD) and
aftermarket solutions designed to deliver data security, efficiency and value. With specialized
expertise in reverse logistics, Arrow enables organizations to uncover hidden value and
1. Theft of Unencrypted Laptops behind
Coca-Cola breach impacting 74,000,
SCMagazine, January 27, 2014, http://www.
au_=iVVTQs7MJ0qJ5MvQ .
2. Study shows recycled computers give away
personal information, NAID online consumer
news, February 19, 2014, http://www.
3.Is Your Company Ready for a Big Data Breach?,
Ponemon Institute, 2014, http://www.experian.
4. Gartner Newsroom, July 7, 2014, http://www.
5. Statista, The Statistics Portal, http://www.
6.eWeek, February 27, 2014, http://www.eweek.
7. The Arrow IT Asset Disposition Trends Report,
9. Department of Defense National Industry
Security Program document 5220.22M,
increase sustainability at the end of the IT product lifecycle.
Arrow Electronics, Inc.
Value Recovery
9201 East Dry Creek Road
Centennial, CO 80112, USA
©2015 Arrow Electronics, Inc. Arrow and the Arrow logo are registered trademarks of Arrow Electronics, Inc. Other trademarks and product information are the property of their respective owners.