Choose your language:

France
Germany
Hong Kong

India
Ireland
Japan
Malaysia
Netherlands
New Zealand

Singapore

Sweden
United Kingdom
United States

Have you ever entered your credit card number, sensitive corporate data or other private information into a computer? What did you do with that computer once you upgraded to a new machine? If you weren’t aware of proper data destruction procedures, you may have given the world access to your private data. Hard drives, cell phones and USB drives frequently hold sensitive records such as proprietary corporate knowledge, personal employee information, benefits materials and sales data. Unfortunately, I have witnessed well-intending companies retire their hardware the wrong way, thus leading to the theft of sensitive information, subsequent lawsuits and even government penalties.

Stolen data is just one half of the story, however. What happens to your hardware once it is out of your hands? Worst case scenario is that your equipment can be exported illegally to China or other countries, where environmental policies are more relaxed than in the U.S. It has been found that in many foreign countries, technical equipment is often burned to obtain copper, with hazardous materials being leaked into the water supply as part of the incineration process.

Thus, for the sake of data protection and environmental safety, it is important that companies utilize a reputable, professional vendor that knows how to retire assets appropriately, ensuring that data is properly handled and removed, while following local, state and federal environmental laws and regulations around asset retirement.

 

It is important that companies utilize a reputable, professional vendor that knows how to retire assets appropriately.

 

 

 

Proper Destruction of Data

While many companies realize that the misuse of confidential information could lead to various hassles, they may not always know that, in some instances, improper destruction can result in government penalties associated with the Fair and Accurate Credits Transactions Act (FACTA). FACTA states that any company collecting consumer information for a business purpose must dispose of that information in a way that prevents unauthorized access and misuse of the data. Penalties can be as severe as $1,000 on a state level and $2,500 on a federal level for just a single FACTA violation. Failure to comply with the following points will constitute a FACTA violation:

     

  • A company must implement reasonable policies and procedures requiring the proper disposal of consumers’ personal information, including consumer reports;
  • A company must take reasonable actions in disposing of such information;
  • A company must identify reasonably foreseeable internal and external risks to consumer information;
  • A company shall develop, implement and / or maintain a comprehensive written information security program; and
  • A company must provide its customers a privacy notice describing its information collection and sharing practices.

Other examples of federal regulations around asset retirement include the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach Bliley Act (GLB). These regulations put further safeguards around data destruction within their respective industries.

HIPAA requires that electronic media containing patient health information be destroyed so it cannot be read or reconstructed. When outsourcing the destruction of this data, companies must ensure the provider signs due diligence documentation to support its service. In the same manner, the GLB is a federal law that forces financial institutions to respect the privacy of its customers and to protect the security and confidentiality of those customers.

Outsourced asset retirement vendors must strictly adhere to these regulations, while also adhering to Department of Defense 5220.22-M standards. The Department of Defense (DoD) 5220.22-M is a set of standards for the clearing and sanitization of data. Various agencies such as the DoD, Department of Energy, Nuclear Regulatory Commission and CIA must follow the standards set forth in this manual as it prescribes the current best known source for which classified data must be secured and destroyed.

     

     

     

Retiring hardware the wrong way could lead to theft of sensitive information, subsequent lawsuits and even government penalties.

Green Initiatives

To adhere to government regulations and reap potential cost savings, many corporations are prioritizing green IT initiatives. Fortunately, proper asset management and retirement practices can help companies reduce their carbon footprint as well. Before a company can optimize its IT infrastructure, it must dispose of dated and inefficient hardware.

While companies do not all follow the same practices for retirement and recycling, some commonly agreed upon themes include:

  •  Developing a plan that has written goals and procedures requiring the reuse, recovery and disposal of hardware throughout the entire downstream process.
  • Complying with environmental legal requirements relating to responsible recycling. At this time, legal requirements focus on the disposal of plastic additives and four heavy metals: Lead, Mercury, Cadmium and Hexavalent Chromium.
  • Banning the export of waste to countries that cannot or do not recycle heavy metals effectively.

 

Too Good to be True?

Companies should be wary of vendors that offer very inexpensive asset retirement services. Research is necessary to help select a vendor with a strong track record of past performance and appropriate certifications. To ensure your company’s assets are being retired in a secure, environmentally safe manner, I recommend conducting due diligence on potential vendors using the following measurements:

Research the Vendor’s Past Performance
Past performance is the biggest factor when selecting a vendor. Consider the following: Does the vendor maintain long-term business relationships or is it involved in a series of one-off engagements? To inspect this, you should perform in-depth reference checks. I recommend verifying with at least three references. Furthermore, it is important to ensure the service provider is transparent with its records so you can easily research its past performance and compliance.

Conduct a Site Visit
Visit the vendor’s processing facility to see first-hand how it handles the equipment. Inviting a trusted expert will allow you to verify proper compliance. What you find during this visit should weigh heavily into your decision process. Is the facility secure, clean and organized? What is its inventory management process and how is the product controlled? Does it have a comprehensive environmental downstream process and can it provide complete end of life documentation? Does it have a standardized process for performing certified data destruction? Have its employees undergone a thorough drug and background check? What is its risk management policy? What is the average tenure of employees and management? Is the management team onsite and actively involved in the day to day operations?

Conduct Audits
Unannounced audits offer a good means to ensure your vendors are doing what they should be. Each step of the data erasure policy should be formally tracked using a standard process. Additionally, through the destruction and breakdown phase, a vendor should generate periodic reports detailing the movement and destruction of equipment, until its final destruction and destination. When transporting equipment outside of the U.S., vendors must demonstrate strict adherence to U.S. export laws.

 

 

 

Validate it is Certification Based
Is your vendor certified to ISO 14001? ISO 14000 is the International Organization for Standardization’s standard for environmental management systems. It is applicable to any business with a goal of reducing the business’ environmental footprint and decreasing the pollution and waste it produces. The most recent version, released in 2004, is ISO 14001. In order for an organization to be certified to ISO 14001:2004 it must be externally audited by an audit body that has been accredited by an accreditation body.

 

 

You should also care if your vendor is certified to OHSAS 18001. OHSAS 18001 is an Occupation Health and Safety Assessment Series for health and safety management systems. It allows a company to identify occupational health and safety risks and develop training and procedures to mitigate those risks. OHSAS 18001 is important to any company that makes employee health and safety a priority.

 

Ensure that the Vendor has a Social Responsibility Policy
It is important that your vendor has a strong social responsibility policy, clearly outlining responsibility and liability for maintaining environmental best practices and meeting regulatory requirements. While unique to each organization, corporate responsibility policies typically include stipulations around sustainable production and environmental cleanup; transparency in corporate finances and accounting; and production safety and risk management. Extreme clarity within the policy is of utter importance so the vendor is deliberate and specific with its actions, and so you are able to track and verify compliance.

 

 

Conclusion

The world of IT is rapidly evolving. To keep pace, it is a necessity to ensure you properly retire outdated hardware, destroy data and recycle the materials in an environmentally safe manner. Due to the risks of data exposure, lawsuits, environmental hazards and government penalties, it is critical that companies partner with a vendor that has a proven track record of meeting or exceeding best-practice asset retirement guidelines.

 

 

About TEKsystems®:

People are at the heart of every successful business initiative. At TEKsystems, we understand people. Every year we deploy over 80,000 IT professionals at 6,000 client sites across North America, Europe and Asia. Our deep insights into IT human capital management enable us to help our clients achieve their business goals – while optimizing their IT workforce strategies. We provide IT staffing solutions, IT talent management expertise and IT services to help our clients plan, build and run their critical business initiatives. Through our range of quality-focused delivery models, we meet our clients where they are, and take them where they want to go, the way they want to get there.

 

TEKsystems. Our people make IT possible.