Disposing of IT assets

How to make sure the equipment you throw out today won't become a security threat tomorrow

How confident are you that your discarded end-of-life IT assets aren’t going to come back to haunt you? Consider this:

Last year, two discarded Bank of Montreal computers, containing hundreds of customer files including account numbers and balances, were listed for sale on eBay. Also last year, a former Morgan Stanley vice president sold his old BlackBerry on eBay for $15; it still had a trove of confidential internal e-mails and a company directory.

As these widely reported horror stories demonstrate, improper disposal of old equipment poses huge security risks.

And data security isn’t the only worry. Environmental concerns about widespread dumping of potentially toxic, used IT equipment is creating major potential legal and publicity hazards for enterprises looking to dispose of e-waste, as it is sometimes known. E-waste can have concentrations of lead, cadmium, mercury, and other harmful chemicals.

In short, the disposal of end-of-life assets has become a ticking time bomb for many enterprises. “There’s a tsunami of used, obsolete PCs that is going to hit the marketplace, a huge backlog of assets that has not been dealt with,” explains Kathy Ferguson, business unit executive at IBM Global Asset Recovery Services. She says that many enterprises are dealing with the problem by “shoving product into the closets and the hallways.”

About 1 billion units of computer equipment will become potential scrap between now and 2010, according to the International Association of Electronics Recyclers. And enterprises can no longer count on selling off their used assets at a profit, because the pace of innovation has cut the resale value of used computer equipment in half, according to Robert Houghton, president of Redemtech, a technology recycling firm. “The old practice of asking a broker to take the stuff away [for free], wipe the drives, and give me a certificate of liability doesn’t work anymore,” Houghton says.

What’s an enterprise with end-of-life assets to do? If you plan ahead, you can minimize your data security risks, your environmental liabilities, and your costs.

Ensure data destruction

Avoid getting burned by industrial espionage or privacy lawsuits by completely destroying all data before disposing of IT assets. Healthcare and financial services enterprises must comply with laws from HIPAA (Health Insurance Portability and Accountability Act) to the Gramm-Leach-Bliley Act, so the stakes in those fields are even higher.

One extreme approach favored by those who have been burned in the past, according to Gartner Research Director Frances O’Brien, is to simply remove and destroy all drives before handing machines over to a disposal or recycling vendor, or before reselling them. But for most enterprises, completely overwriting the data according to stringent guidelines such as the DOD’s (Department of Defense’s) 5220.2-M standard, which requires overwriting each disk sector four times, should be sufficient.

“Data destruction takes time and a specific process,” says Tod Arbogast, senior manager at Dell Asset Recovery Services. Simply scrambling or deleting the file allocation table isn’t sufficient, he adds, nor is rewriting each drive sector just once, because the data can still be reconstructed. The more secure four-pass DOD method takes more time, Arbogast says, but can be accomplished economically by daisy-chaining PCs together to rewrite multiple drives simultaneously. Another tip: some disposal firms, such as RetroBox, randomly send wiped PCs to data recovery specialists to verify that their data destruction processes are bulletproof.

Minimize environmental liabilities

“Seventy-five to 80 percent of [IT equipment] that’s being recycled in this country still goes to Third World countries,” estimates Redemtech’s Houghton, where it “essentially gets laundered” through a series of brokers before being dumped in environmentally unfriendly ways. A 2002 report about e-waste from the Silicon Valley Toxics Coalition exposed this phenomenon, pointing out the potential for corporate brands to turn up in unflattering photos of piles of e-waste.

The best approach is to perform due diligence on how your disposal vendor handles environmental compliance and what hazardous materials handling certifications it has — such as the International Organization for Standardization’s Environmental Management System standard 14001. Also learn what its downstream vendors are doing, because your liability is not necessarily limited once the equipment has changed hands several times. Approximately 50 pieces of proposed state legislation address e-waste, on top of existing state requirements for hazardous waste disposal. Some proposals would mandate fees built into the cost of new machines to cover proper disposal.

The technology for recycling electronic equipment is improving, according to Dell’s Arbogast, so look for vendors using state-of-the-art processes. Most destruction and recycling of raw materials is done by physically grinding components and separating raw materials. However, Gartner’s O’Brien notes that electronics recycling is a limited option because there’s not enough of a market for the resulting recycled materials — so you’re more likely to be dealing with environmental issues surrounding disposal than recycling.

Think cradle-to-grave TCO

Rather than assuming there’s a paying market for your used equipment, experts recommend taking a hard look at disposal costs as part of the asset’s total cost of ownership.

A recent Gartner study found that per-PC disposal costs could vary from about $85 to $135 depending on disposal method, including resale proceeds (see “Cost Comparison,” above). But vendors say most enterprises don’t really have a handle on what their true disposal costs will be, especially the cost of managing the logistics of equipment removal and disposal. “Our No. 1 competitor is internal programs,” says Stampp Corbin, RetroBox’s CEO, “but most customers have no idea how much it costs them.”

The best way to manage disposal is to start planning for those costs when you acquire assets. Prices are all over the map for outsourced disposal — Dell charges a flat $49 per system, for example — but remember that those figures don’t include your own internal administrative and labor costs. “It’s when do you retire it, how do you retire it,” says Gerri Gold, vice president of corporate development at HP Financial Services. “All those things need to be integrated together in a total solution,” Gold says.

When you decide to upgrade, get the old equipment out the door as fast as possible so you can recapture the maximum resale value, Ferguson says, rather than having it sit around in storage where it will surely lose all value.

Include downstream liability in your cost calculation. One company thought it was getting a bargain paying $3 per monitor to a vendor that dumped the tubes in a field, O’Brien recalls. After getting a call from the state department of environmental protection, the company had to pay for site cleanup, plus an additional $7 per monitor to have them hauled away and dismantled. “Everyone’s looking to save a dollar, but it just could come back to haunt you in the long run,” O’Brien warns.

Leverage process automation

To minimize your costs, establish enterprisewide processes for handling asset retirement and disposal. “You need to set a corporatewide strategy,” IBM’s Ferguson says, “an efficient process for deciding if [an asset] has value or needs to be scrapped, getting the most cash if there’s value, or disposing of it in an environmentally safe manner.” Other options that could be part of your overall strategy include internal redeployment, sales to employees, and charitable donations — although the latter programs can be costly and time-consuming. And charities may want software and support to come with used equipment.

“You want to try and take the labor out of [asset disposal],” O’Brien adds, and recommends using asset management software to handle documentation of such end-of-life issues as asset mix and condition, status, chain of custody, and important details such as software license removal. “Know what you own in the first place,” says O’Brien, “and understand that different equipment comes out of service at different points in time for different reasons, and you may need multiple paths for [disposal of] that equipment.”

Logistics and equipment removal is another area where process is key, Arbogast explains. “Often customers aren’t really in tune with where their assets are located, or the specs of the equipment, so they need on-site inventories,” he adds.

Choose the right vendors

Vendor selection is a critical issue in disposal. In addition to strong environmental, data security, and operational processes, enterprises should look for robust audit trail, asset tracking, and reporting capabilities.

Disposal vendors include large OEMs such as Dell, Hewlett-Packard, and IBM — who have developed disposal programs as part of their leasing ventures and are now starting to market them more aggressively — plus smaller national and regional players such as Newmarket Trading, Redemtech, RetroBox, SpaceFitters, and United Recycling Industries. Most of these vendors will support the options previously mentioned including resale, destruction and recycling, or internal redeployment, for a wide variety of IT equipment.

O’Brien recommends conducting extensive due diligence, including scrutinizing hiring processes (do they do routine background checks?), subcontractor selection, and available indemnifications they can offer you. “Look at their insurance policy — if it’s $3 million to $5 million and I’m a $50 billion company, that won’t cut it,” she explains.

And because shipping is one of the biggest cost components of disposal, O’Brien recommends choosing a vendor that has locations relatively near where your equipment is located.

But with vendor selection, as with the data security and environmental aspects of disposal, it all comes back to cost vs. risk. O’Brien sums up the challenge of disposing of end-of-life assets: “At the end of the day, you have to look at how much risk you want to assume.”

Copyright © 2004 IDG Communications, Inc.