Discarded IT Can Hurt You
An IT asset disposition policy can help you manage the decommissioning of IT devices and their contents appropriately.
We all have IT assets. IT assets can include servers and storage devices, but also computers, tablets, and even our phones. When you discard these assets, they become e-waste. We could throw them away (penalties for poor disposal can be costly), we could sell them (make some money), or we could give them away (charitable contribution). The problem is that information and applications are also stored on these devices. When we get rid of them, we release that information and those applications as well. Do you really know what's on that IT device you just disposed of? Will you regret it?
The last two questions were prompted by the white paper, "Keeping Compliant: The Benefits of a Formal IT Asset Disposition Policy," published by CIO and Iron Mountain.
Penalties for Poor E-waste Disposal
In the U.S., there are federal and state requirements for disposing of e-waste. Twenty-five states currently have legislation that dictates how to dispose of or recycle e-waste. In at least one state, disposing of a PC with 8 different kinds of hazardous metals can cost thousands of dollars per unit, per metal. This means that the poor disposal of one PC could cost a company well over $10,000 in fines. There are even regulations for some industries in the U.S., including healthcare and financial services, that require compliance for e-waste.
E-waste may contain information such as:
- Application IDs
- Links to secure sites and information
- Personal data
- Financial data
- Healthcare information
- Private information
- Data on friends and relatives
- Intellectual property
Information stored on IT devices can lead to the loss of other information, because data elements are often linked together. A company's reputation can be damaged, and regaining that reputation can be very costly and time-consuming, or may not even be possible. A vendor could lose intellectual property information, which in turn could cause severe revenue damage.
What is an ITAD?
An IT asset disposition policy (ITAD) is a documented process for determining the effectiveness of IT organizations and their ability to protect their business. The idea is to decommission IT devices and their contents effectively. A proper policy includes the need to control the data that is stored on the IT equipment, its disposition, removal, and transfer.
There are two reasons for having an ITAD. The first is to track your assets and ensure you use them efficiently during their normal life. This is a matter of ensuring that your investment is successful. The second reason is the ability to ensure you are complying with the increasing number of regulations and compliance requirements surrounding IT assets. IT asset disposal is also a concern to environmental organizations. This is true both in the U.S. and overseas. You need an enforceable policy with standardized practices across your organization to make this work.
What a Good ITAD Plan Can Do
Creating a policy means you should develop a set of best practices. Disposing of technology equipment is not new. The construction industry has been dealing with it for decades. So have the chemical, manufacturing, and energy industries. IT disposal is just another aspect to deal with in an organization.
- Create a framework. This framework should include documenting all the IT assets that you have and the present use and location. You should set up policies for data destruction, asset tracking, complying with data security standards, and regulatory compliance requirements.
- Think outside the box. Discuss the ITAD policy with others in your organization. You may find input from procurement, finance, facilities management, lawyers, and those dealing with employee and customer health. Security may have the most to contribute.
- Understand that regulations are not the same throughout the United States and certainly differ overseas. Ensure that you have incorporated regional differences in your policy.
- Do not underestimate the potential risks. Plan for IT disposal as you plan for the lifecycle of the IT devices. Use your employees to help flag violations. Also ensure that your employees know that when they do not adhere to the policy, there will be penalties.
- You are not an expert in the disposal of IT equipment. Use outside assistance wherever you can. This assistance can be advice or can be the actual disposal of the equipment. Understand there may be some cost to dispose of equipment. It is not free in most cases.
You may find these other blogs on the subject helpful. "Buy vs. Lease for Communications Technology" covers why you would want to lease rather than buy IT technologies and let the lessor deal with the disposal problem. If you do want to sell, then "eBay, An Alternate Source" discusses eBay as a place to sell. If recycling is your choice, read "Recycle That Gadget Responsibly."