First let's understand the industry…
The evolution of IT Asset Disposition: an end user's glimpse into the reality of the industry
There has been an evolution in the IT Asset Disposition industry from the days of simple scrap metal recycling companies, to asset recovery companies, to data erasure and shredding companies, to today's Compliance as a Service models.
It all started many years ago when companies started to churn through technology at a rate that called for a recycling solution. The mindset of the client was that they needed to get rid of their old IT as inexpensively as possible. Many scrap metal companies relabeled themselves as electronics recyclers and began to process IT material. They viewed electronics like any other metal: precious metals to be harvested and tonnage to be exported for reclamation value. It was a simple system that seemed to work at the time. The recyclers provided recycling certificates and everyone was happy. Clients would ask for things like EPA permits, ISO certifications, etc.
Then one day clients began to realize that there was residual value in their retired IT equipment and they wanted to be able to reclaim it. Secondary markets began to pop up for used equipment, and IT investment recovery companies that specialized in buying and selling retired IT equipment came to life. Their value propositions to the client were based on ROI, and they flourished for many years. Some companies would take lower value equipment to give the client a single source for equipment disposition, but many times they would leave lower value equipment to the recyclers.
The next change in the market came with a mindset shift in the client base caused by increased awareness of data security and environmental needs. News exposing the practice, by recyclers and IT investment recovery companies, of exporting e-waste to third world countries for cheap processing became widely known. In parallel with this, awareness of data security needs became more top of mind. Hard drives that had passed through investment recovery companies and recyclers were being found for sale on eBay with clients' data still on them. The recyclers responded to client demands by providing data destruction services. Certifications like e-Stewards and R2 became checklist items to give clients the comfort that their material was being processed responsibly, the same way they had asked for EPA permits 20 years prior from their scrap metal recyclers. Documentation provided to clients was still heavily influenced by the heritage of the recyclers and IT investment recovery providers and had little connection to what would actually be needed for a client to mount a defense after a security breach. Clients requested indemnification, and the recycling and investment recovery providers responded with indemnification programs that either only protected themselves (the recycler) or were lacking in terms of what would really be needed to respond to a breach.
Then the world changed. Major high profile data breaches began occurring and C-level executives began to lose their jobs. The government began increasing its capacity to prosecute for violations, giving state attorneys general the power to prosecute for violations of federal law. There was a complete mindset change in the client base as, more and more, they were being held accountable for security and compliance. It was no longer good enough to be reactive as they had been in the past. They now needed to be proactive to ensure they were in compliance, and maintained compliance, with respect to how they disposed of IT assets. They were now audited. The new compliance mindset is different because it anticipates what could and should happen. For example, for years the heart of the typical investment recovery security program focused on the hard drive and omitted embedded media, even though embedded media can give access to the network. In the compliance model there is a process for accounting for and destroying embedded media and documenting its destruction.
The chain of custody documentation that is available in the computer recycling industry today in most cases cannot stand up to a data security audit. It is the same type of documentation that has been used for the last 20 years, but because the world has changed, the documentation needs to change as well to be effective.
Here is where we disagree with using industry certifications and magic quadrants to determine which vendor you use.
Here is what we do think is important.
- Never assume that nothing will go wrong with processes so inherently dependent on human involvement.
- Understand that liability is not severed when material leaves your possession. Insurance/indemnification that covers you and your company, not just your vendor, is a necessity.
- Data security practices that cover all forms of media, not just hard drives, tape, CDs, etc., including mature embedded media practices.
- Documentation that puts you, the client, in the best defensible position if either a data security breach or an environmental claim for improper disposal were brought against you.
Questions for the Vendor
- Do they have a practice for all types of media, including embedded media? Is the process documented, and how mature is it?
- If data gets out, how does the vendor protect the client, and when?
- Does the documentation you receive from the vendor give you the most effective defense in court if something goes wrong?