According to a report issued by Gartner, Inc. in 2005, the discerning executive’s concern is moving beyond the conventional controlling of costs, and into the more progressive realm of managing data security and privacy risks.

This shift in focus is warranted. It is estimated that through 2009 consumers and businesses will replace more than 800 million PCs worldwide and try to dispose of an estimated 512 million (64 percent) of those PCs. This situation poses huge and costly data security and privacy risks, as well as environmental and health risks. (Gartner, Inc., November 2005, PC Disposal Cost Update 2005: Mitigating Risks.)

The risks — and costs — associated with disregarding regulations can be tremendously damaging.

Instead, consider the following:

Save money, save time, save face by using TechDisposal’s knowledge and foresight. Let us help you manage the disposal process, contain costs and maintain an aboveboard operation.

Evaluate your risk issues such as accounting, asset management, depreciation, regulatory requirements, storage, taxes and PC valuation. We can help you with that process. We can also provide further consultation to develop a cost-effective and time-efficient plan to retire your outmoded equipment that will honor the bottom line and the environment.

Your cost depends on the amount and type of your equipment and your choice of disposition options. Generally, if your assets are remarketable, this service covers its own costs and may generate a profit for you. Product with no value is scrapped in an environmentally safe manner.

Some cost considerations

Storing obsolete equipment can be expensive in more ways than one. Stockpiling technology isn’t a good idea when you add up the associated costs. For example, the average cost for a Microsoft Office license is $300. Add that to the costs of storage and property taxes, and you could be paying 300 percent more to store an asset than to dispose of it properly (Gartner, 2005). Consider these costs associated with storing equipment:

  • Property taxes — many states assess these on IT assets whether or not the assets are in use
  • Software de-installation compliance
  • Square footage of rental space
  • Labor — putting equipment into storage and then removing it from storage

In addition, consider the fiscal issues associated with properly depreciating owned assets:

  1. Changes to deployment lifetimes affect amortization, depreciation schedules, net income and taxes
  2. Failing to transfer unused software licenses and warranties can result in costly overpayment


Privacy regulations

California Senate Bill 1386

  • Requirement: Protection of any confidential information about California residents. This includes driver’s license, Social Security, bank account and credit/debit card account numbers.
  • Applies to: Every public or private organization conducting business with California residents.
  • Penalty for noncompliance: Fines from potential class-action lawsuits are determined on a case-by-case basis.

FACTA (Fair Trade and Credit Transaction Act of 2003)

  • Requirement: Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
  • Applies to: Any person who maintains or otherwise possesses consumer information for a business purpose.
  • Penalty for noncompliance: Civil liability in which an employee can recover actual damages from his/her employer for all damages incurred from identity theft.

Gramm-Leach-Bliley Act

  • Requirement: Protection of a customer or consumer’s personal financial data, including name, address, Social Security number, account numbers or nonpublic personal data.
  • Applies to: Financial institutions, banks, investment companies, credit unions or any of their partners that collect and retain nonpublic personal data.
  • Penalty for noncompliance: Regulatory fines can be levied. CEOs and board members can be held personally liable.

HIPAA (Health Insurance Portability and Accountability Act)

  • Requirement: Protection of a patient’s medical records and other personal healthcare information.
  • Applies to: All companies that transmit healthcare information, including healthcare providers and healthcare benefit plans.
  • Penalty for noncompliance: Fines of $250,000 can be levied; criminal prosecution can occur and can result in jail time of up to 10 years.

Environmental regulations

Risks associated with environmental protection and hazardous waste arise primarily from two regulations:

  • RCRA (The Resource Conservation and Recovery Act): Regulates the use, transportation and disposal of hazardous wastes.
  • CERCLA (The Comprehensive Environmental Recovery, Compensation and Liability Act): Assigns liability for the cleanup of hazardous materials disposed of improperly.

PC End of Life: Where Enterprises Make Mistakes

Many enterprises neglect PC end-of-life issues; these enterprises are not adequately protecting enterprise data and are not taking the proper environmental precautions when retiring PCs.

Corporations frequently, even if inadvertently, neglect PC end-of-life issues by paying regional recyclers or hardware vendors to remove old hardware. Unfortunately, this action does not ensure that sufficient recycling methods are employed to reduce landfill waste. Also, IT executives often fail to validate that the proper or most effective data cleansing, destruction and/or retention techniques are employed. This means that many enterprises are not taking the proper environmental precautions and are not adequately protecting enterprise data when retiring PCs.

Pending legislation at the local, state, federal and international levels will make existing statutes more stringent, and enterprises soon will face increased penalties, requirements and scrutiny when disposing of enterprise assets. Therefore, wise IT executives make it their business to understand end-of-life requirements for data and environmental legislation, and to build forward-looking, defensible PC-disposal strategies that minimize corporate costs and risk exposures.

Issues that businesses should attend to:

  • Enterprises that select their PC recycling vendors based primarily on incidental factors, such as cost or geographic locality, are taking significant risks. Effective PC recycling requires appropriate data cleansing, as well as "de-manufacturing" capabilities that minimize landfill contributions. IT executives who believe transfer of ownership certificates provide appropriate risk mitigation are falsely informed, and executives should be aware that corporations could be liable for assets many years after those assets are retired. Electronic waste regulations are gaining traction at all levels in developed nations, and hefty lawsuits for improper disposal are likely to be widespread within the next three to five years. IT executives should ensure that selected disposal firms perform the proper de-manufacturing and recycling procedures, should enforce procedures by scrutinizing vendors and their business partners, and should build an audit trail to ensure that landfill dumping is minimized and safe.
  • Cost is frequently the fundamental criterion enterprises use when considering how and with whom to outsource recycling efforts. Unfortunately, there can be a direct relationship between recycling costs and the rigorousness of the asset-disposition procedures, particularly in the area of data cleansing. IT executives should pay particular attention to which techniques are used to remove data, as vendor procedure descriptions may be misleading. Furthermore, it is essential to verify that the removal procedures specified in contracts are adequately followed. In addition, IT executives should require vendors to capture critical data electronically in order to demonstrate that best efforts were made. Relevant data includes PC asset information, hard disk serial number, the number of times overwrite was completed, the overwrite type utilized, and relevant time and date data points.
  • Most enterprises that dispose of unwanted PC assets have developed requirements for data destruction. Research, however, has found that these operations often are insufficient or not followed. In fact, illicit businesses sell sensitive data, such as credit card and Social Security data, that often has been extracted from retired enterprise PCs. Corporations should work with regulatory agencies to trace the cause of these sizable transgressions and hold the liable parties responsible. Surprisingly, a large number of enterprise executives still believe that a simple disk reformat provides effective data protection. Moreover, disk-cleansing services are not included in the standard procedures followed by most recycling firms. IT executives should understand that a U.S. Department of Defense (DoD) three-times overwrite is the minimum requirement for sensitive data and that proper data removal services are extremely affordable.

Properly retiring enterprise PC assets should be a top concern for enterprises engaging in system refresh. However, many IT executives are not applying the necessary methods or scrutiny to guarantee protection.

A recent investigation from the Computer Forensics team at the University of Glamorgan in the United Kingdom demonstrates this fact. Only two of 100 hard drives purchased on eBay, at fairs, and from wholesalers had no recoverable data on them – and one of the two drives was brand new. Half of the remaining drives could have had their data easily restored. The other half showed no attempts to remove data at all. Readily obtainable information, including financial details, a template for university degree certificates, and school records, was recovered. This is not the first such report on data available on second-hand disk drives. Robert Frances Group (RFG) profiled another such experiment performed by the Massachusetts Institute of Technology (MIT) in 2003. (See the RFG Research Note "PC Disposal Strategies.")

Reports of plainly viewable and easily recoverable hard drive data have routinely made headlines over the last several years. Enterprises and end users alike are not taking the necessary precautions. RFG finds that most corporations have policies in place to ensure that proper data destruction occurs, either by the enterprise or an outsourcer. However, these policies are rarely followed suitably or sufficiently.

One reason that these lapses continue is that corporations have not yet suffered damage to their images or had considerable fines levied. Government agencies across the world are taking an increased interest in protecting consumer privacy, and RFG expects regulatory bodies to be fully empowered to take action well within the next three to five years. RFG believes PC data removal is still an afterthought for most corporations and is, therefore, the leading contributor to this on-going issue. IT executives should be proactive in understanding data-destruction requirements and should employ processes and technologies that effectively wipe, audit, report, and log activities. (See the RFG Research Note "PC Disposal: Are You Exposed")

RFG has researched enterprise end-of-life failure points and identified some of the most common mistakes and misperceptions corporations make and believe. A few of these examples are presented below, followed by delineation and analysis of the critical success factors identified by RFG.

Example: "The Process is in Place"

One of the largest insurance companies in the world had a process in place to eliminate data from hard drives prior to systems being sold to recyclers. Users were provided with a software tool to cleanse PCs before their release. However, an inspection by a data-destruction and computer-recycling firm found that the tool went largely unused.

Analysis:

In this scenario, users were required to wipe data from their hard drives independently. Most hard drive cleansing tools are fairly easy to use, but the data-elimination process takes up valuable time and delays other work efforts. Additionally, larger hard drive sizes require longer data-overwrite times. This fact is somewhat offset by gains concurrently seen in processor speed. However, users are clearly not given the incentive to spend two to three hours waiting for data-removal tools to complete the data-elimination process.

It is typically more expensive for enterprises to wipe data themselves, as outsourcers usually charge between $9 and $20 for disk-overwrite services. If IT executives insist on performing data-removal processes internally, it is generally best for trained IT personnel to take responsibility for the procedure. Moreover, a system of checks and balances should be enacted to validate that operations are being conducted correctly.

Audit trails capturing key overwrite criteria, including asset identification, disk information, number of passes, and overwrite type, should be electronically and physically maintained and on file, along with time stamps. Furthermore, drives should be selected at random and inspected to ensure accuracy and effectiveness. Data-removal vendors encourage IT executives to visit facilities, sometimes at unscheduled times, and to observe procedures.
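The audit-trail items above (asset identification, disk serial, number of passes, overwrite type, time stamps) lend themselves to an automated first check before any physical spot inspection. The following is an added example and is not code from TechDisposal, RFG, or any vendor named on the page: it parses a constructed vendor export, flags records that fall short of an assumed contract (three passes, a named overwrite type, a serial number on every record, timestamps consistent with the recorded work) and draws a random sample of drives for hands-on inspection. The CSV layout, field names and thresholds are assumptions for illustration.

```python
"""Check PC-disposal overwrite audit records against contract requirements.

Added example, not TechDisposal's or RFG's code. Record fields follow the
audit-trail items the page lists; the CSV layout, field names and the
contract thresholds below are assumptions. Sample records are constructed.
"""
import csv
import io
import random
from datetime import datetime

# Constructed sample export, as a vendor might deliver it (layout assumed).
SAMPLE_CSV = """asset_id,disk_serial,passes,overwrite_type,started,finished
PC-0001,WD-AAA111,3,random,2006-03-01T09:00:00,2006-03-01T11:10:00
PC-0002,WD-AAA112,1,zeros,2006-03-01T09:05:00,2006-03-01T09:40:00
PC-0003,,3,random,2006-03-01T09:10:00,2006-03-01T11:20:00
PC-0004,WD-AAA114,3,random,2006-03-01T12:00:00,2006-03-01T11:55:00
PC-0005,WD-AAA115,3,dod,2006-03-01T13:00:00,2006-03-01T15:05:00
"""

# Contract requirements (assumed): three passes for sensitive data, as the
# page reads DoD 5220.22-M, and only overwrite types the contract names.
REQUIRED_PASSES = 3
ALLOWED_TYPES = {"random", "dod", "zeros", "ones"}
MIN_SECONDS_PER_PASS = 30 * 60  # plausibility floor per pass (assumed)


def parse_records(text):
    """Read the vendor's CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_record(rec):
    """Return the list of contract violations found in one audit record."""
    problems = []
    if not rec["disk_serial"]:
        problems.append("missing disk serial (record cannot be tied to a drive)")
    try:
        passes = int(rec["passes"])
    except ValueError:
        passes = 0
    if passes < REQUIRED_PASSES:
        problems.append(f"{passes} pass(es) recorded, contract requires {REQUIRED_PASSES}")
    if rec["overwrite_type"] not in ALLOWED_TYPES:
        problems.append(f"unknown overwrite type {rec['overwrite_type']!r}")
    try:
        start = datetime.fromisoformat(rec["started"])
        end = datetime.fromisoformat(rec["finished"])
        if end <= start:
            problems.append("finish time not after start time")
        elif (end - start).total_seconds() < MIN_SECONDS_PER_PASS * max(passes, 1):
            problems.append("elapsed time implausibly short for the recorded passes")
    except ValueError:
        problems.append("unparseable timestamp")
    return problems


def audit(records):
    """Map asset_id -> violations, listing only the records that fail."""
    failures = {}
    for rec in records:
        problems = check_record(rec)
        if problems:
            failures[rec["asset_id"]] = problems
    return failures


def pick_for_inspection(records, n, seed=None):
    """Choose n drives at random for a physical spot check (seed for repeatability)."""
    rng = random.Random(seed)
    chosen = rng.sample(records, min(n, len(records)))
    return sorted(r["disk_serial"] or r["asset_id"] for r in chosen)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for asset, problems in audit(recs).items():
        print(asset, "->", "; ".join(problems))
    print("spot-check:", pick_for_inspection(recs, 2, seed=1))
```

Run against the constructed export, the check flags PC-0002 (one pass), PC-0003 (no serial) and PC-0004 (finish before start) and passes the other two; in practice the flagged records are the ones to raise with the vendor before accepting the certificate of overwrite.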

Example: "Leasing PCs Ensures Safe Data Disposal"

An international shoe manufacturer has been leasing PCs, citing advantages such as cost predictability, leverage of new technology improvements, regular refresh, paying for assets using operational rather than capital funding, and productivity gains. Since the shoe company never owns the asset, it feels protected against any risks of improper disposal. The shoe company assumes that the leasing company wipes out all data prior to the system being resold or parted out. (See the RFG Research Note "PC Leasing vs. Buying Revisited.")

Analysis:

The leasing company's ownership of the asset does protect the shoe company from any e-waste disposal requirements, but system rebuilds do not incorporate hard drive cleansing by default. As long as Certificates of Authenticity (COAs) remain intact, the leasing company can simply re-format, and then restore the hard drive using imaging software. This can be accomplished in a fraction of the time needed to perform a drive overwrite and re-imaging. The leasing company, therefore, is not highly motivated to perform actual, thorough data cleansing. If the leasing company sells the system to a third-party wholesaler, or does not have access to re-imaging tools, the PC may only have obvious contents removed, such as from the "My Documents" folder. In any case, where no overwrite is conducted, enterprise data is at risk.

No matter what the industry, product, or service, IT executives cannot rely on vendors to deliver beyond the specifications of the contract. Thus, IT executives need to ensure that overwrite requirements and procedures are specifically detailed in the contract terms. Furthermore, not all vendors have the capabilities in place to perform data overwrites in house. Corporations should protect themselves against vendors that outsource activities to unknown third parties with undocumented or questionable practices. Such parties may, in turn, resell drives without performing required data-destruction procedures.

IT executives should incorporate into their decision-making criteria a procedural review of vendor and third-party contractor or partner capabilities and processes. Procedures should be tightly defined, followed, and tracked in order to encourage accountability and provide the appropriate assurance.

Example: "Vendors and Processes are Created Equally"

A large financial institution recently upgraded 5,000 laptops and had to select a recycling and data-destruction vendor. The company asked for bids from multiple firms and ultimately selected the vendor with the lowest price for disk cleansing. The vendor claimed it was able to do a US Department of Defense Standard 5220.22-M (DoD 5220.22-M) data-removal procedure for $2 to $3 per system. This price was one-fourth to one-tenth of that typically quoted by competitors. However, the financial institution later learned that the disk-cleansing technique employed by its chosen vendor was a one-time overwrite, rather than the three-times overwrite specified in the DoD standard.

Analysis:

Although cost should certainly be a factor in selecting a partner to perform PC data removal, IT executives should first concentrate their efforts on qualifying vendor performance and attention to detail. Having proprietary and confidential data unprotected and untraceable until it later resurfaces to cause the enterprise embarrassment and damage quickly eclipses the nominal savings realized by using the lower-cost provider. Data destruction and PC recycling are not large profit centers, and no outsourcer can provide sufficient services for $2 to $3 per system. If a deal seems too good to be true, it probably is.

In one way, the profiled financial institution was somewhat lucky. The vendor did perform a one-time data overwrite, thus providing at least some level of protection. In a manner both confusing and misleading, the data-destruction vendor likely considers that it has lived up to its obligations. DoD 5220.22 requires a three-times overwrite in order for data to be declared sufficiently unrecoverable. However, a clause in the specification states that a one-time overwrite is acceptable when the drive recipient has the same or higher security clearance. IT executives should test their data-destruction vendors by performing random audits during unannounced on-site inspections.

PC End-of-Life Issues: Lessons Learned

  1. A one-time disk overwrite is better than no overwrite at all; however, data can still be recovered. IT executives should require a three-times disk overwrite for sensitive data. If a one-time overwrite is deemed appropriate, bits should be written at random rather than all "0s" or all "1s" in order to make recovery more difficult.
  2. Transfer-of-ownership certificates are not sufficient proof to release enterprises of liability related to e-waste or data destruction. Solid vendor processes are the best guarantee, and IT executives should closely monitor capabilities and performance.
  3. IT executives should require proof of data elimination and de-manufacturing. Ideally, the recycler should provide electronic proof of how and when the data was removed. If system parts are being de-manufactured, the enterprise should be provided with a record of what was able to be recycled and what ended up in landfill.
  4. Proper data destruction takes time, and a simple reformat and re-image or quick data deletion is much faster and less expensive when reselling a PC or hard drive. Thus, identity thieves and other exploitive individuals are actively using improperly removed hard disk data as a means of income.
  5. Geographic location need not be a high cost in data disposal. While shipping costs can approach $30 individually, palletized PCs can cost as little as $5 per PC to ship.
  6. Most enterprise recyclers will share profits recaptured from the resale of PCs, and PCs less than 48 months old have positive residual value.
  7. Indemnification is desirable, but much less important than selecting a recycling vendor that has proven processes and can provide an audit trail before, during, and after data removal and/or de-manufacturing is completed.
  8. Recyclers can provide indemnification, if necessary.
  9. Requirements and procedures are useless without accountability. IT executives need to take the time to pre-qualify vendors, perform spot checks, and put procedures in place to ensure that contract terms are met.
  10. An IBM Global Financing (IGF) survey found that 90 percent of companies have procedures in place to eliminate sensitive system data. Some 70 percent of those companies were simply performing a disk re-format, which they mistakenly believed provided sufficient security.
  11. Openness is key. Vendors need to be as transparent with their data-destruction and e-waste processes as possible, and encourage the enterprise to keep them to task, in addition to offering process and facility inspection.
  12. Employee sales and charitable donations can be tricky. The disposal, data, and software licensing risks defined above all need to be addressed.

Source: Robert Frances Group

The proper destruction of enterprise hard drive data and disposal of PC assets is, and should be, a growing concern for companies. Although most companies have strategies in place to deal with data cleansing, many IT executives have not yet invested the time and energy required to ensure that internal processes and/or selected vendors can and do adequately perform their processes effectively themselves. Short listed candidate vendors should have in-house capabilities and rigorous procedures to wipe drive data and minimize the number of PC components that end up in landfills. IT executives should incorporate these operational requirements into contracts. Moreover, IT executives should avoid the common mistakes and misperceptions associated with PC disposition by holding vendors to task through careful inspection, required reporting, and oversight that includes unscheduled visits and audits.

Source: Robert Frances Group

Risk Mitigation: Questions you should ask

What is your tolerance for corporate risk? Don’t take chances with the disposal of PCs and the data that resides on drives. If you improperly dispose of hardware and software, your company is exposed to potential scavengers of your high-level proprietary information.

Sidestepping strict federal regulations regarding the environment can cost your organization tremendously in fines, exploitation, destroyed reputation, and lost inherent value.

Ask yourself these questions.

How do I know the data on my computer is completely erased?

We use the data erasure standard used by the Department of Defense to sanitize your drives — permanently erasing system files, program files, viruses, and all of your data. It also safeguards your software licensing agreements.

Why is storing obsolete equipment considered an expensive time bomb?

Storage can cost you in square footage costs, labor costs, property taxes, licensed software liabilities and, perhaps most expensive of all, by letting your equipment sit exposed to sly data thieves.

Is my charitable donation exposing my company to data liability?

Possibly. Are you totally erasing your hard drives in compliance with regulations before donating your old equipment? If not, your big-hearted drop-off of old equipment at your favorite charity might backfire and become a big, expensive (and even embarrassing!) headache.

How do I know EPA regulations are being properly followed?

TechDisposal provides complete documentation of the effective and proper disposal of your end-of-life assets, mitigating your risks by meeting all EPA, SOX404, and HIPAA requirements – whether yours is a government enterprise or a small chain of stores.

Why should I care who works for my retirement solution provider?

You should care a lot because you never know who is really working for whom unless you ask and check. We do. All TechDisposal’s employees — technicians, operatives, laborers, office managers and clerical support — undergo background screening and drug tests before hire. We never use prison labor.

How secure is the facility where my technology is retired?

TechDisposal operates in a state-of-the-art ISO compliant facility in Columbus, Ohio. It is monitored 24/7/365 by Guardian Security and multiple internal cameras surveying the auditing facility.

Is my equipment secure in transit?

Yes, we make sure it's “gone for good” in a variety of ways. The load is boxed or palletized, sealed or shrink-wrapped, loaded and padlocked during shipment. If you prefer, we use a numbered seal to seal off your shipment as further security against tampering, and a “stealth cleaner” can be loaded on all drives before they are shipped to us by certified transporters.

How do I know when it’s time to redistribute, or redeploy my organization’s technology assets?

Hardware will be overtaken within three years or fewer by new models that are better, faster, and cheaper than what you paid for existing models.

The life cycle of computers is rapid, planned obsolescence. A good rule of thumb is to set a budget to upgrade or replace one third of your computers each year so that nothing more than three years old remains deployed within your organization.

Why shouldn’t I simply redeploy my equipment internally?

Because it’s not as simple as it sounds.

You may be able to find another spot for older computers in your organization, but do you really want to try and maintain multi-generations of computer equipment that can’t talk to each other? The disruption caused by "trickle down" internal redeployment often exceeds the cost of external replacement with new machines. Plus, for most companies, asset disposal is not a core competency and is better handled by a knowledgeable, experienced provider.

Why not just store my obsolete equipment?

Because it’s expensive — in more ways than one.

Storage may seem to be an effective approach at first, but it can prove to be an expensive tactic long term. Consider square footage costs, labor costs to put the equipment into storage and again, later, to remove it. Consider, too, that some states assess property taxes on IT equipment unless you show documentation of disposal. Plus, you’re responsible for the licensed software loaded into each machine’s hard drive — not to mention propriety data that may be a sitting duck for information scavengers.

What’s wrong with just formatting the computer’s hard drives?

Because formatting does not erase the data on the disk, and you're putting your company at risk.

Formatting is not a secure method of sanitizing data. With formatting, the computer’s own operating system may erase bookkeeping information, but a computer specialist can usually recover most, if not all, of the information on the disk. Do you really want an unauthorized computer specialist to recover your proprietary information?
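The point that a format removes only the file system's bookkeeping (and, from lesson 1 above, that only an overwrite of every byte removes the data) can be shown on a simulated drive image. This is an added example, not code from TechDisposal or RFG: it uses a toy layout (an allocation table in the first few blocks, data blocks after it; this layout is an assumption standing in for a real file system), performs a "quick format" that clears only the table, and then scans the raw bytes for constructed marker strings the way a spot inspection of a returned drive would. The same scan after a multi-pass random overwrite finds nothing.

```python
"""Reformat versus overwrite on a simulated drive image.

Added example, not TechDisposal's or RFG's code. The block layout, the
table format and the marker strings are constructed for illustration.
"""
import os
import re

BLOCK = 512
TABLE_BLOCKS = 4      # first 4 blocks hold the allocation table (assumed layout)
DATA_BLOCKS = 60
TABLE_ENTRY = re.compile(rb"(\d+):(\d+);")   # "block:length;" entries (assumed format)


def new_image():
    """A blank image: table blocks followed by data blocks, all zero."""
    return bytearray(BLOCK * (TABLE_BLOCKS + DATA_BLOCKS))


def write_file(img, block_no, payload):
    """Store payload in a data block and record it in the allocation table."""
    off = BLOCK * (TABLE_BLOCKS + block_no)
    img[off:off + len(payload)] = payload
    entry = f"{block_no}:{len(payload)};".encode()
    free = img[:BLOCK * TABLE_BLOCKS].find(b"\x00")   # next free table slot
    img[free:free + len(entry)] = entry


def quick_format(img):
    """What a reformat does: wipe the bookkeeping, leave the data blocks untouched."""
    img[:BLOCK * TABLE_BLOCKS] = bytes(BLOCK * TABLE_BLOCKS)


def overwrite(img, passes=3, pattern=None):
    """Rewrite every byte of the image; pattern=None writes fresh random bytes each pass."""
    n = len(img)
    for _ in range(passes):
        img[:] = os.urandom(n) if pattern is None else bytes([pattern]) * n


def listed_files(img):
    """Files the file system still knows about, read from the table."""
    table = bytes(img[:BLOCK * TABLE_BLOCKS])
    return [(int(b), int(n)) for b, n in TABLE_ENTRY.findall(table)]


def recoverable_markers(img, markers):
    """Raw scan that ignores the table: which markers are still on the disk."""
    data = bytes(img)
    return [m for m in markers if m in data]


def demo():
    """Return (files listed, markers recoverable) at each stage."""
    markers = [b"SSN=123-45-6789", b"CARD=4111111111111111"]   # constructed
    img = new_image()
    write_file(img, 0, b"customer record " + markers[0])
    write_file(img, 5, b"payment " + markers[1])
    results = {}
    results["before"] = (len(listed_files(img)), len(recoverable_markers(img, markers)))
    quick_format(img)
    results["after_format"] = (len(listed_files(img)), len(recoverable_markers(img, markers)))
    overwrite(img, passes=3)
    results["after_overwrite"] = (len(listed_files(img)), len(recoverable_markers(img, markers)))
    return results


if __name__ == "__main__":
    for stage, (files, found) in demo().items():
        print(f"{stage:16s} files listed: {files}  markers recoverable: {found}")
```

After the quick format the table lists no files, yet both markers are still sitting in the data blocks; only the overwrite pass clears them. The same raw-scan check, run over a sample of drives returned by a vendor, is a cheap way to verify that the overwrite in the audit record actually happened.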

How does TechDisposal’s overwrite solution make my equipment safe from cannibals?

Because it uses its own operating system to launch the erasure and does a complete irretrievable, irrefutable overwrite.

Otherwise, when your computer’s own operating system launches the erasure, retrieval of the information contained on the drive is still possible. To not fully erase your company’s sensitive material is to put it in jeopardy of exposure to crafty data thieves.

Why bother with disposing of our equipment at all?

Because it’s the law of the land, and to not comply is more than irresponsible, it’s foolish.

Strict environment regulations are enforced for all levels of businesses and across all industries. To not comply is to create a dangerous path of welcome for potential litigation, severe fines, loss of revenue and loss of reputation for your organization – and even yourself.

How does TechDisposal help me be "environmentally friendly?"

We take on the task of recycling or remarketing your old computers and computer parts.

This helps keep environmentally sensitive materials out of landfills, reduces the amount of raw materials needed to produce new products, and helps to conserve our natural resources. We help you to be one of the good guys.

What kind of equipment will you address?

We dispose of any IT equipment made by any manufacturer.

If marketable, we will resell for you through our successful remarket provider. If not, we will dispose of it in compliance with all relevant environmental laws and regulations.

What documentation is provided to ensure me that everything is done correctly?

A multitude of documentation is provided to ensure thorough and legal processes are conducted.

Process documentation which includes what was received, transfer of ownership, disk drive overwrite detail and ultimate disposition. If disposed of, you will also receive certificates of destruction showing compliance with environmental regulations. Some documentation, such as title transfers, and certificates of destruction and overwrite require that the item have a clearly visible serial number. Documentation is provided electronically and on a regular basis.

What about data security and hard drives?

We provide full data sanitation solutions and hard drive cleansing.

Data sanitization is addressed with a disk wiping and cleansing service to ensure proper overwrite of your entire disk. Hard-file data is cleansed via a 3x overwrite process so that data is virtually impossible to recover; this option meets the DoD 5220.22-M 3-pass standard. If additional overwrite is required (beyond the DoD requirements) we can provide an estimate for that service. Disks that are non-functional are physically destroyed.

What kind of costs are we talking about?

This depends on the amount and type of equipment and your choice of disposal options.

Generally, if your assets retain any value, they are considered remarketable and can generate a revenue stream to offset some of the cost of asset retirement. Product with no value is scrapped in an environmentally safe manner.

Do TechDisposal’s services meet HIPAA standards?

Of course! Several levels of data overwrite services meet high security standards.

Descriptions of overwrite processes will be made available to allow your company to assess HIPAA compliance.

How is my equipment shipped to TechDisposal?

We offer global services that do this for you.

We can provide transportation management and scheduling to meet your needs at your location(s). Consequently, while there is no minimum quantity or weight requirement, consolidating your assets will reduce your overall cost.

How much volume does TechDisposal process annually?

More than 50 million pounds of IT equipment, and growing each year, is processed by TechDisposal. Zero percent goes into landfills.

What if I have questions?

Please feel free to e-mail us at sales@techdisposal.com or call us at 1.877.770.8324 x 125
