Table of Contents

Article Introduction

Shifting Geopolitical Forces

Mitigating Your Exposure to Risk

Continued Regulatory Changes

The AI Explosion

Word from CEO

Introduction

A data security breach can be any CTO’s worst nightmare. It carries major fines, it can trigger class-action lawsuits, and it becomes a major public black eye. 

You may recall the cautionary tale of Morgan Stanley and their major data breach that came to light in 2020. 

There can be any number of significant points at which data breaches like this happen. The Morgan Stanley case in particular was a straight-up failure in the IT asset disposition process.

Every year that goes by it becomes more mission critical that you update your equipment and dispense with old items properly, protecting against major fail points such as Morgan Stanley experienced.

Already in early 2024 we’re seeing a number of new worldwide developments that stand to directly impact IT departments everywhere, particularly in companies that serve a global marketplace. In this paper we’ll identify four of them specifically.

More than anything else, these developments could make protecting your valuable data during the asset disposition process a greater challenge than ever before. We’ll show you what steps you can take to ensure the security of your equipment and of your most sensitive data during times of transition.

The four critical threats in 2024 that could impact you are:

  1. Shifting Geopolitical Forces. We specifically highlight a key few that could impact your supply chain, your costs, and your sustainability goals.
  2. Mitigating Your Exposure to Risk. There are two trends in particular here that you’ll need to know about. Both could elevate your exposure to breaches and increase your liability.
  3. Continued Regulatory Changes. These require further work on your part to prove that you’re handling customer data correctly. We explain the effect this could have on your organization in 2024.
  4. The AI Explosion. More powerful AI means new innovations in hardware design for greater power and speed. This could put your data at risk in new ways. We’ll show you how.

Ask for our complete ITAD Vendor Vetting Checklist by calling Brass Valley at (844) 390-5366 or emailing us at [email protected].

1. Shifting Geopolitical Forces

Rising Inflation

Inflation over the last two years has created new pressure from two directions simultaneously. Your own ITAD vendor has most likely gotten caught in the pinch. Internally, labor costs are going up; yours have very likely gone up as well. At the same time, it’s a safe bet you’re not eager to start paying more for your ITAD services.

Something has to give.

There’s a real possibility that the cost of your ITAD services may increase this year. If that hasn’t happened already, it may be that to keep your fees the same your provider is doing some internal corner cutting that you don’t know about.

There could be any number of risks to you if that happens. One immediate concern is that upon annual inspection your ITAD provider could lose their certification. Other possible knock-on effects include these:

  • Your ITAD provider could choose to opt out of certification entirely, which means there’s no longer any third party to vet the process of how your equipment and data are being handled. (Note that every year 10% of ITAD vendors opt out of certification anyway.)
  • Your ITAD provider could be acquired by a larger company that operates on different quality control and security standards and practices.
  • Your ITAD provider could go out of business, in which case it’s absolutely essential that you have a backup strategy.

The major certifying bodies in 2024 will most certainly be de-certifying a number of vendors who had previously been qualified. That may include yours. And count on ITAD vendors this year opting out of the major certification programs at rates higher than the normal 10%. Again: your vendor could be one of them.

Here’s what we recommend:

  1. Confirm that your vendor is still currently third-party certified. If their annual renewal passed and they did not get certified, they’ll very likely remove the certifying bodies’ seals of approval from their website. There’s a good chance that they will not notify you when they do so, so be sure to check.
  2. Don’t rely solely on third-party environmental or data security certifications. Consider having your own checklists ready and conduct your own audit of your ITAD vendor’s methods and practices, if at all possible.

New Waves of Immigration

The international landscape is changing, and labor markets along with it. The ITAD labor market is changing too.

In 2023 we saw major changes in immigration and populations of people moving around the planet. To cite one specific example, the U.S. has seen a surprising new wave of immigrants from mainland China. According to the Associated Press, the border patrol reported encounters with over 22,000 Chinese immigrants crossing the southern border in 2023, and that was just January through September. That’s nearly 13 times what we saw during the same period in 2022.

In November 2023 the New York Times reported that more than 24,000 Chinese nationals had crossed into the United States from Mexico over the prior twelve months. This is a higher number than in the previous 10 years combined.

And that’s just one slice of the ever-evolving immigrant population in America.

What does this mean for you? It’s all about changes in the labor market. We mentioned upward wage pressures earlier; the same issues show up here. In order to fill gaps and keep costs down, ITAD vendors may well be going downmarket, hiring lower-wage individuals from the swelling labor pool.

Your job does not change: Ensure the security of your equipment, protect your sensitive data, and avoid exposing your processes to greater security risks. Be extra vigilant in ensuring that you have an ITAD vendor that is not cutting mission-critical corners amid a labor market with changing demographics and changing economics. Be certain that they’re maintaining the highest standards in hiring and recruiting.

Supply Chains Choked Off

When you upgrade your IT equipment, where does the old equipment go? One of two places: It can get refurbished and resold—which means dollars back in your pocket—or it can be recycled.

For a long time there have been strong markets for older technologies, the equipment that gets refurbished and resold. But these markets have historically been found in Eastern Europe, the Middle East, and Asia.

This is one key element of what we call the circular economy, where products and materials can be recovered and regenerated at the end of their life cycle rather than being thrown away.

Unfortunately, in the last two years the market for this kind of older equipment has taken a hit, most notably due to the conflict in Ukraine. And the situation is getting worse: this time last year, war in Ukraine was clearly in our sights; war in the Middle East was not.

What does this mean for your business?

It’s getting harder to refurbish and resell your older equipment. Conflicts in these key geographic regions are choking off supply chains. The market for older equipment is simply not there anymore. This means more and more materials are going straight to recycling, in record numbers.

And that means, very simply, you’re going to take a financial hit. It’s not unlike the resale value on your vehicle: As that drops, it’s more money out of your pocket when it comes time to make the next purchase.

Unfortunately, your next equipment upgrade is going to be that much more expensive. This is especially true if you typically refresh your equipment on a four-year cycle or longer. That’s just the nature of the current economy. Smart customers and smart service providers will be aware of this.

Here’s what we recommend:

  1. Be crystal clear with your vendor on what exactly you mean by “recycle.” Many use the term to refer to what we call refurbishing—where a product is resold as-is after data has been erased and cleaned up for sale. Others use it to refer to when a product is shredded, smelted, and reused as feedstock for brand new products. Check to see that you and your ITAD provider are 100% in agreement on the definition of terms.
  2. If your drives are not going to be eligible for resale, your ITAD vendor needs to erase the data. And then your vendor needs to supply proof to you that they’ve done so, in the form of a Certificate of Destruction that provides actual serial numbers of destroyed items, along with a forensic report detailing what was and was not successfully erased.

Pro Tip

Erasure is actually sufficient. But it is usually more expensive, which makes shredding the lower-cost alternative when a laptop or desktop has been designated for recycling. Note that failure to do this was a major contributor to the Morgan Stanley breach.
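As an added illustration of the serial-number reconciliation this recommendation calls for (example code written for this article, not a Brass Valley tool), the Python below checks a retired-asset inventory against a vendor's Certificate of Destruction and forensic erasure report, and flags every drive that is unaccounted for, certified as erased without verification, or reported as a failed wipe. The CSV column names and the serial numbers are assumptions, constructed for the example.

```python
import csv
import io

# Constructed sample data (not real serial numbers). Column names are assumptions;
# real vendor reports vary, so adapt the header names to what your vendor issues.
INVENTORY_CSV = """asset_tag,serial,media
LT-1001,SN-A100,ssd
LT-1002,SN-A101,hdd
SV-2001,SN-B200,hdd
SV-2002,SN-B201,nvme
SV-2003,SN-B202,ssd
"""

# Certificate of Destruction: one row per item the vendor says it erased or shredded.
COD_CSV = """serial,method,date
SN-A100,erase,2024-02-01
SN-A101,shred,2024-02-01
SN-B200,erase,2024-02-01
SN-B202,erase,2024-02-01
SN-Z999,shred,2024-02-01
"""

# Forensic erasure report: the verification result for each drive that was wiped.
ERASURE_CSV = """serial,result
SN-A100,pass
SN-B200,fail
"""


def _rows(text):
    """Parse a CSV document into dicts keyed by normalized serial number."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        serial = row["serial"].strip().upper()  # tolerate case/whitespace drift
        rows[serial] = row
    return rows


def reconcile(inventory_csv, cod_csv, erasure_csv):
    """Return a dict of findings; an empty dict means every asset is accounted for."""
    inventory = _rows(inventory_csv)
    cod = _rows(cod_csv)
    erasure = _rows(erasure_csv)

    findings = {
        # The asset left your hands, but the vendor never certified its destruction.
        "missing_from_cod": sorted(set(inventory) - set(cod)),
        # A serial on the certificate that you never shipped: mis-keyed or padded.
        "unknown_in_cod": sorted(set(cod) - set(inventory)),
        # Certified as erased, but no forensic verification backs it up.
        "erased_without_report": sorted(
            s for s, r in cod.items()
            if r["method"].strip().lower() == "erase"
            and s in inventory and s not in erasure
        ),
        # The forensic report says the wipe did not verify: the drive still holds data.
        "failed_erasure": sorted(
            s for s, r in erasure.items()
            if s in inventory and r["result"].strip().lower() != "pass"
        ),
    }
    return {name: serials for name, serials in findings.items() if serials}


if __name__ == "__main__":
    for name, serials in reconcile(INVENTORY_CSV, COD_CSV, ERASURE_CSV).items():
        print(f"{name}: {', '.join(serials)}")
```

Any non-empty finding is a question for the vendor before you accept the certificate; a shredded drive needs no erasure report, but an erased one without a passing forensic result is still live data.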

ITAD Industry Recession and Recovery After COVID

The ITAD industry is growing, but providers in 2023 saw a notable slowdown.

Why was this? When COVID disrupted supply chains, companies everywhere overbought IT technology, compared to what they actually needed. Once COVID passed, these companies had extra technology that they still needed to put to use. That meant less work for ITAD providers. That’s our best hypothesis to explain the slowdown in 2023.

We expect 2024 will be an improvement for the ITAD industry, as companies everywhere get back to refreshing their equipment again on a normal cycle.

So there’s a bounce-back coming. But it arrives with a caveat for you: Many solution providers who do front-end work and are not experts in ITAD will try to expand to include services like ITAD, without really understanding what they’re doing … all the while encouraging you to consolidate and go exclusively with them. If ITAD is not already their core expertise, that’s a risk to you.

Here’s what we recommend:

  1. Have a direct relationship with an ITAD vendor, and have them lead your entire project. That way, if they happen to be adding complementary services (like kitting, shipping, and installation), and they’re encouraging you to consolidate these services under their umbrella, this reduces your risk substantially.
  2. Be especially vigilant about who is doing your recycling. There are several key questions concerning your service provider that you’ll want answers to, including:
    • How is the recycler vetted, either by you or by third-party certification bodies?
    • What is the service provider’s track record?
    • How exactly will the vendor indemnify you, the customer?
    • How will you get paid on the return for your equipment?

2. Mitigating Your Exposure to Risk

Going Beyond “Industry Standards”

How do most Fortune 500 companies ensure that their ITAD vendors are up to the task? Answer: They rely on third-party independent certifying bodies to vet them. It’s very likely that your ITAD provider is certified to be in compliance with several standards, and that’s a good thing.

But as we mentioned earlier, financial pressures in 2024 will force some ITAD providers to let their certifications expire. As we mentioned, this may include your provider. Still worse, a few vendors will maintain their certifications but look for ways to cheat the system.

Even when your ITAD provider is certified, there are questions you need to ask:

  • What industry standards is your ITAD provider certified to?
  • What flaws in your ITAD vendor’s processes or methods might standard certification protocols miss?

Important though they are, certification protocols won’t cover everything necessary. They can only take you so far. There’s no way they can thoughtfully address all the real-world ways in which human beings actually deal with each other.

How High Reliability ITAD Services Close The Gap


High Reliability is a technical term originally from the nuclear industry, and it’s a set of principles developed to prevent catastrophic accidents. It became standard there and then spread to the airline industry, then to hospitals. Before adopting High Reliability principles, for example, the healthcare industry was losing in human lives the equivalent of the full passenger count of a 747, every single day.

And its principles apply everywhere. High Reliability has now come to the ITAD industry. Brass Valley was the first to adopt it. Its methodology covers human error in ways that normal certification protocols will miss.

When it’s your data at risk, be sure you have the strongest operating methods in place.

Here’s what we recommend:

  1. Check to be sure your ITAD provider is in fact still certified. Better yet if your vendor is certified to be in compliance with more than one standard—for example, both the R2 standard and the NAID AAA+ standard.
  2. Be aware that third-party vetting protocols can only go so far. Check to see if your ITAD provider has adopted High Reliability as their standard operating practice.


Indemnification That Serves You

Customer indemnification in the ITAD industry has historically been structured in a way that benefits the ITAD service provider primarily. That benefits you far less.

We mentioned that in 2023 there was increasing exposure to data breaches everywhere. ITAD providers struggled more than ever to get insurance companies to provide cyber liability insurance.

2024 is going to continue the trend, and it’s going to impact your provider.

There will be more data breach activity this coming year; that’s a certainty. This means the costs of indemnification are going to go up, and you’re going to feel this in your bottom line. (Or at best, your costs will stay the same but you’ll be getting less bang for your buck—paying the same amount of money while enjoying less protection.)

Quite a few ITAD providers will be unable to get insurance at all. If your ITAD provider can’t get proper coverage, they’ll simply pass the risk on to you.

For vendors who can get insurance, it often won’t be enough to cover their clients. So they’ll structure their service agreements in a way that provides a minimum amount of protection for you, their customer. That means ratcheting down the limit amounts they allow on their contracts, and so on.

Let’s assume your ITAD provider does provide insurance as they should. There’s now a critical question you need to ask: If there’s a breach, when exactly will the vendor indemnification activate? The answer to this determines who could sue whom, and when.

You’ll want to look for a specific key phrase in your policy: Primary and Noncontributory. If you don’t see those exact words, that’s a red flag.

A solid policy is one that, when something goes wrong, activates to protect both the vendor and you, the client. If the policy is not primary and noncontributory, you as a client will have to sue your ITAD vendor to get their insurance to activate.

In addition, a strong indemnification package will carry a waiver of subrogation, which ensures that your ITAD vendor’s insurance company cannot sue you, the client.

With growing risk of breaches in 2024, be sure you’re covered.

Here’s what we recommend:

  1. Count on indemnification costs going up this year, which means your ITAD vendor may raise your processing fees or else cut corners internally.
  2. Review your master service agreement and your vendor insurance policies. Look for the key phrase “Primary and Noncontributory.”

ITAD Pro Tip:

Be sure your ITAD provider is issuing you legitimate documentation

This was a major failure point in the Morgan Stanley breach. A Certificate of Destruction (COD), when properly documented, is proof that equipment or data has in fact been destroyed. In 2016 Morgan Stanley was given a “Certificate of Indemnification” by an unscrupulous vendor but billed as though it were a COD. The vendor not only failed to wipe the devices in question but then went on to sell them to a third party, with the data still intact.

3. Continued Regulatory Changes

There are a number of key regulations that currently impact data security for companies like yours.

These include:

  • GDPR, the General Data Protection Regulation. In 2018, the European Union introduced stringent measures and financial penalties for mishandling the personal data of EU citizens. This applies to you regardless of your company’s location, operational scope, or headquarters. Compliance is mandatory if you handle, process, or store any data belonging to EU citizens. Failing to comply can result in severe consequences, including fines of up to €20 million or 4 percent of your global revenue.
  • UK GDPR. The United Kingdom introduced its own version after Brexit. Same core principles, but with the flexibility for the UK to enact future changes as necessary. It requires you to remain adaptable and stay informed about evolving data protection requirements in the UK market.
  • HIPAA, the Health Insurance Portability and Accountability Act. Safeguards healthcare patient data.
  • GLBA, the Gramm-Leach-Bliley Act and FACTA, the Fair and Accurate Credit Transactions Act. These are directed at financial institutions specifically.
  • SOX, the Sarbanes-Oxley Act. This is directed at publicly traded companies.
  • PCI DSS, the Payment Card Industry Data Security Standard. This applies to companies handling credit card payments.

Most recently, California developed CCPA, the California Consumer Privacy Act. This represents a significant shift in digital privacy regulation in the US, on the level of GDPR. It gives consumers the right to know what data your company is collecting about them, and why. It also mandates that you delete consumer data upon request.

California is a bellwether here. More states will follow.

You as a company have to be able to retrieve information upon request that shows how you’ve handled customer data. Customers have the right to know about their private information and how it is used.

When you do an IT refresh project, this becomes especially critical. At the end of the project, the vendor provides a report to the client that includes a chain of custody. If the reporting is deficient in any way, it can become a serious problem. When something goes wrong, you have to be able to prove that you followed protocols and handled all the data responsibly.

Bottom line: You have to handle your customer data lawfully, and you have to be able to demonstrate through detailed reporting that you have done so. Having an ITAD provider who understands these laws and who executes their role correctly is a key part of this.

Here’s what we recommend:

Work with your ITAD vendor to develop reports that will capture relevant data to support new regulatory requirements and allow you to access necessary information quickly. A good ITAD vendor will walk you through this.


4. The AI Explosion

AI is growing faster than ever, and there’s a side effect of it that’s going to affect you and your data.

AI requires ever more computational power and speed. To meet the demand, equipment manufacturers are designing systems with faster buffer components. (For example, NVRAM, non-volatile random-access memory.)

This will make systems run faster, but it will have another unintended effect.

During the disposition process, technicians show up and their job is to destroy data. But these new component designs will place data in parts of systems where some ITAD technicians don’t know to look for it. That means you could end up in violation of corporate information security policies—inadvertently, even when nobody is consciously trying to do anything malicious.

This is a technical reality that many will overlook. You want to avoid doing that.

So watch for this in 2024: AI continues to drive innovation in hardware design, but many ITAD providers find themselves behind the curve in knowing all the places where data can be stored on new equipment.

Here’s what we recommend:

  • To the extent that you’re doing internal erasure and destruction of your own data, be absolutely sure that your technicians are aware of architectural changes in your equipment, and that they don’t miss hidden media in their erasure processes.
  • To the degree that you’re outsourcing your data destruction to a vendor, look through their reporting: Are they providing enough detail to demonstrate to you that they’re properly destroying all sensitive information on hidden media? This is critical.
  • Have a checklist in hand that tells you exactly what to look for in a vendor’s detailed report. That could save you from serious breaches down the road.


5. A Personal Word from CEO Rocco D’Amico

I’ve been in the IT asset disposition business for 23 years.

I’ve watched companies make bad decisions when money was tight. I’ve watched them loosen their standards and cut corners, both in terms of their own internal protocols and their hiring practices. I’ve watched good people get hoodwinked by bad vendors and questionable contracts. As a result I’ve watched companies suffer devastating data breaches.

One of the most notorious of all involved Morgan Stanley. This serves as a powerful cautionary tale.

In July 2020 Morgan Stanley notified clients that they had discovered “potential data security incidents” stemming from two major failures, one in 2016 and the other in 2019. The first failure was discovered when a third party purchased hard drives that, it turned out, still had Morgan Stanley data on them. The later failure in 2019 happened when equipment was disconnected and then misplaced during a branch refresh.

After the disclosure the company was served with seven class-action lawsuits. In the time since they’ve paid out over $155 million in fines and settlements.

For a business like yours, this could be catastrophic. What can you do to avoid a similar situation?

  • Be sure your provider knows how to dot every I and cross every T. Never rely solely on third party certifying bodies to do your vetting job for you.
  • Understand what a good chain of custody looks like and don’t compromise on getting what you truly need.
  • Get a solid understanding of how indemnification works. Ask how they will protect you if something goes wrong.
  • Know when consolidating your services is right. Also know when it’s critical to have separate solution providers covering your bases.
  • Be sure your provider is on top of all the latest changes in technology and how it affects the storage of your data.
  • Find a company who has experience with the types of projects you need help with. Let them work with you to develop a process that mitigates your risk.

Poorly managed IT asset disposition can be a serious weak link in the chain of security and a grave exposure to vulnerability.

I work hard to stay on top of the latest global and industry trends and make sure my clients’ data remains safe. Give me a call at Brass Valley, (844) 390-5366. I’d love to talk with you. In 29 minutes or less I’ll give you specific action steps to identify and eradicate your single biggest vulnerability. Our call will be confidential.

If in the few minutes we talk it’s clear to me that your current ITAD vendor is thoroughly covering your bases, I will tell you so.

As an added bonus I’ll provide you with a copy of my Vendor Vetting Checklist, a succinct outline of the rigorous operational standards we follow internally at Brass Valley to protect our clients.

I look forward to talking with you.

Rocco D’Amico, CEO
Brass Valley
