First, let's understand the ITAD industry…
The evolution of IT Asset Disposition & ITAD Companies - an end user's glimpse into the reality of the industry:
Today's ITAD Companies vs The Past Scrap Metal Recycling Companies
The IT Asset Disposition industry has evolved from the days of simple scrap metal recycling companies, to asset recovery companies, to data erasure and shredding companies, to today's Compliance as a Service model.
Compliance as a Service Model
It all started many years ago when companies began to churn through technology at a rate that called for a recycling solution. The mindset of the client was that they needed to get rid of their old IT as inexpensively as possible. Many scrap metal companies relabeled themselves as electronics recyclers and began to process IT material. They viewed electronics like any other metal in terms of precious metals to be harvested and tonnage exported for reclamation value. It was a simple system that seemed to work at the time. The recyclers provided recycling certificates and everyone was happy. Clients would ask for things like EPA permits, ISO certifications, etc.
Residual Value in Retired Equipment
Then one day clients began to realize that there was residual value in their retired IT equipment, and they wanted to be able to reclaim it. Secondary markets started to pop up for used equipment, and IT investment recovery companies that specialized in buying and selling retired IT equipment came to life.
ROI in Your ITAD as a Value Proposition
Their value propositions to the clients were based on ROI, and they flourished for many years. Some companies would take lower value equipment to give the client a single source for equipment disposition, but many times they would leave lower value equipment to the recyclers.
Companies Have Increased Awareness towards Data Security and the Environment
The next change in the market came with a mindset shift in the client base caused by increased awareness of data security and environmental needs. News reports exposed the practice among recyclers and IT investment recovery companies of exporting e-waste to third world countries for cheap processing, and it became widely known.
Data Security Top of Mind in Reliable ITAD Companies and Vendors
In parallel with this, awareness of data security needs became top of mind. Hard drives that had passed through investment recovery companies and recyclers were being found for sale on eBay with clients' data still on them. The recyclers responded to client demands by providing data destruction services. Certifications like E-Stewards and R2 became checklist items to give clients the comfort that their material was responsibly processed, the same way they had asked for EPA permits 20 years prior from their scrap metal recyclers. Documentation provided to clients was still heavily influenced by the heritage of the recyclers and IT investment recovery providers and had little connection to what a client would need to mount a defense for a security breach. Clients were requesting indemnification, and the recycling and investment recovery providers responded with indemnification programs that either protected only themselves (the recycler) or were lacking in terms of what would be needed to respond to a breach.
The World Changed with Major High Profile Data Breaches
Then the world changed. Major high-profile data breaches began occurring, and C-level executives began to lose their jobs. The government started increasing its capacity to prosecute for violations, giving State Attorneys General the power to prosecute for violations of federal law.
There was a complete mindset change in the client base as, more and more, they were being held accountable for security and compliance. It was no longer good enough to be reactive as they had been in the past. They now needed to be proactive to ensure they were in compliance, and maintained compliance, with respect to how they disposed of IT assets.
Anticipating what could and should happen in ITAD
They were now audited. The new compliance mindset is different because it anticipates what could and should happen. For example, for years the heart of the typical investment recovery security program focused on the hard drive and omitted data at rest even though data at rest can give access to the network. In the compliance model, ITAD Companies establish accountability for destroying data at rest and documenting its destruction.
The chain of custody documentation that is available in the computer recycling industry and from ITAD companies today cannot, in most cases, stand up to a data security audit. It’s the same type of documentation that’s been used for the last 20 years, but because the world has changed, the documentation needs to change as well to be effective.
Here is where we disagree with industry certifications and magic quadrants to determine who you use for an ITAD vendor.
Here is what we think is essential.
- Never assume that nothing will go wrong with processes so inherently dependent on human involvement.
- Understand that liability is not severed when material leaves your possession. Insurance/indemnification that covers you and your company, not just your vendor, is a necessity.
- Having data security practices that cover all forms of media, not just hard drives, tapes, CDs, etc. It's critical to develop those data at rest practices.
- Documentation will put you in the best defensible position if either a data security breach or an environmental claim for improper disposal were brought against you.
Questions for the Vendor or ITAD Companies in general
- Do they have a practice for all types of media, including data at rest? Is the process documented, and how mature is it?
- If data gets out, how does the vendor protect the client, and when?
- Does the documentation you receive from the vendor give you the most effective defense in court if something goes wrong?