Disposing of IT assets

How confident are you that your discarded end-of-life IT assets aren’t going to come back to haunt you? Consider this:

Last year, two discarded Bank of Montreal computers, containing hundreds of customer files including account numbers and balances, were listed for sale on eBay. Also last year, a former Morgan Stanley vice president sold his old BlackBerry on eBay for $15; it still had a trove of confidential internal e-mails and a company directory.

As these widely reported horror stories demonstrate, improper disposal of old equipment poses huge security risks.

And data security isn’t the only worry. Environmental concerns about widespread dumping of potentially toxic, used IT equipment is creating major potential legal and publicity hazards for enterprises looking to dispose of e-waste, as it is sometimes known. E-waste can have concentrations of lead, cadmium, mercury, and other harmful chemicals.

In short, the disposal of end-of-life assets has become a ticking time bomb for many enterprises. “There’s a tsunami of used, obsolete PCs that is going to hit the marketplace, a huge backlog of assets that has not been dealt with,” explains Kathy Ferguson, business unit executive at IBM Global Asset Recovery Services. She says that many enterprises are dealing with the problem by “shoving product into the closets and the hallways.”

About 1 billion units of computer equipment will become potential scrap between now and 2010, according to the International Association of Electronics Recyclers. And enterprises can no longer count on selling off their used assets at a profit, because the pace of innovation has cut the resale value of used computer equipment in half, according to Robert Houghton, president of Redemtech, a technology recycling firm. “The old practice of asking a broker to take the stuff away [for free], wipe the drives, and give me a certificate of liability doesn’t work anymore,” Houghton says.

What’s an enterprise with end-of-life assets to do? If you plan ahead, you can minimize your data security risks, your environmental liabilities, and your costs.

Ensure data destruction

Avoid getting burned by industrial espionage or privacy lawsuits by completely destroying all data before disposing of IT assets. Healthcare and financial services enterprises must comply with laws from HIPAA (Health Insurance Portability and Accountability Act) to the Gramm-Leach-Bliley Act, so the stakes in those fields are even higher.

One extreme approach favored by those who have been burned in the past, according to Gartner Research Director Frances O’Brien, is to simply remove and destroy all drives before handing machines over to a disposal or recycling vendor, or before reselling them. But for most enterprises, completely overwriting the data according to stringent guidelines such as the DOD’s (Department of Defense’s) 5220.2-M standard, which requires overwriting each disk sector four times, should be sufficient.