Why Your Small Business Should Understand and Prioritize IT Asset Disposition

A Guide to Data Compliance, Catastrophic Data Breach Avoidance, Sustainable Technology, and e-Recycling Best Practices.

Written By Lisa DeMarco, CMO - Pupfish Sustainability Solutions
Originally published by HIA-LI for The Reporter on 05.19.2021

Businesses of all sizes – in every industry – rely more heavily on technology than ever before. As a result, sensitive data is exchanged at lightning speeds, then saved to hard drives located inside the IT equipment (the laptops, desktops, tablets, scanners, servers, printers, and mobile devices) we use each day. While data-conscious businesses implement various network security measures to prevent a data compromise when their equipment is in use, they are often unaware of the steps that must be taken once equipment is retired, leaving themselves vulnerable to a catastrophic data breach long after their assets have been replaced. This is known as a Breach After Improper Asset Disposition and is the one type of Data Breach that can be easily and inexpensively avoided.

IT Asset Disposition (ITAD) is the process of disposing of IT hardware that is no longer in use. While this process need not be complex, its key components, Data Destruction and Electronics Recycling, must be a top priority for your business from both a mission-critical and a compliance perspective.

To appreciate the importance of having an ITAD Plan in place, it is helpful to first understand Sensitive Personal Identifying Information (SPII) and your company’s obligation to protect it. SPII is information that, if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual – employees, clients, vendors, etc. In general, SPII is defined as any information that could be used by criminals to commit crimes against an individual, including identity theft. Social security numbers; financial, banking, and credit card information; home and email addresses; driver’s license and state identification numbers; healthcare insurance and medical records; student information and test scores; payroll information; and income tax records are all examples of SPII that businesses collect each day. Federal, State, and Regulatory Compliance laws dictate how this electronic data must be stored, transmitted, processed and (you guessed it) disposed of, which is why a solid ITAD Plan is critical.

Once we understand our obligation to safeguard the sensitive data hiding on our hard drives and other electronic media, we can begin to take steps to mitigate the risk of a Breach After Disposition (BAD) and ensure Data Compliance, a term which refers to any regulations a business must follow to ensure the sensitive digital assets it possesses are guarded against loss, theft, and misuse. Examples of common Data Compliance Laws include:

  • Health Insurance Portability and Accountability Act (HIPAA)  

  • Sarbanes-Oxley Act (SOX)

  • Financial Industry Regulatory Authority (FINRA)

  • Gramm-Leach-Bliley Act (Financial Services Modernization Act)

  • USA Patriot Act (Bank Security Act)

  • Homeland Security Information Sharing Act (HSISA)

  • National Institute of Standards and Technology (NIST)

  • Health Information Technology for Economic and Clinical Health (HITECH)

  • Fair and Accurate Credit Transactions Act (FACTA)

  • Identity Theft and Assumption Deterrence Act

  • FDA Security Regulations (21 C.F.R. part 11)

  • Payment Card Information Security Standard (PCI)

Contrary to popular belief, deleting, reformatting, or damaging (hammering, drilling, smashing, or even running over) a hard drive or any other electronic media will not permanently erase or eradicate data, which remains recoverable long after computer equipment is out of sight and out of mind. To remain compliant with any one of the Federal, State and Regulatory Laws listed above, your organization’s sensitive data must be destroyed according to the strict guidelines set forth by NIST 800-88, Department of Defense 5220.22-M, and the National Security Agency standard for clearing, purging, and destroying data. Following these standards will not only ensure compliance but will also mitigate your company’s risk of a catastrophic Data Breach After Disposition.

Two highly effective and inexpensive Data Destruction methods most often employed by ITAD providers are the Three-Pass Sanitization Method and the Degaussing Method. The Three-Pass Sanitization Method overwrites the drive with a verified series of passes: zeros, then ones, then a random character. While this is the most time-consuming of all approved methods, taking hours or even days per drive depending upon its size, the Three-Pass Sanitization Method leaves the media re-usable, making it the more sustainable solution. The second and fastest method, referred to as Degaussing, destroys data by demagnetizing the hard drive, rendering it completely inoperable. To accomplish this, a High Definition 5T Degausser with patented internal NSA approved field verification is used and the field strength is measured. Results are available in real-time, ensuring media is degaussed to National Security Agency standards each time.

When creating an ITAD Plan, choose a full-service IT Asset Disposition firm that offers seamless ITAM Integration, partners with your Managed IT Services provider, or operates as an extension of your own IT Department to develop or execute your ITAD strategy. Not only should they offer Data Destruction options but also ways to ensure the Chain of Custody is maintained, if this is part of your ITAD Plan. To accomplish this, a representative from your organization would accompany your IT equipment and hard drives to the ITAD location, then physically witness data destruction. Alternatively, you might opt to use a lockbox with optional GPS tracking, secured with a combination of your choosing to safeguard the hard drives; you provide the combination once the assets have arrived securely at the ITAD facility. Pupfish uses its High-Def Data Destruction Cam to capture the serial numbers located on hard drives, offering clients the opportunity to (virtually) witness the unlocking of their assets and to watch data being destroyed in real-time. Both processes can also be recorded, and visual proof of destruction maintained alongside Certificates of Data Destruction, an invaluable asset in the event of an audit.
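The following is an added example, not Pupfish's code or process, illustrating the two preceding paragraphs: a three-pass overwrite (zeros, ones, random) with read-back verification after each pass, producing a per-drive destruction record keyed by serial number of the kind a Certificate of Data Destruction would list. It assumes an in-memory `bytearray` stands in for a magnetic drive image (overwriting in place is a NIST 800-88 Clear technique for magnetic media, not for flash), and the serial number and sample contents are constructed.

```python
import os
import hashlib
from dataclasses import dataclass
from typing import Optional

# Pass patterns in the order the article describes: zeros, ones, then random.
PASS_PATTERNS = (b"\x00", b"\xff", None)  # None = random bytes


@dataclass
class DestructionRecord:
    serial: str            # drive serial as captured on the certificate
    method: str
    passes_completed: int  # passes that wrote AND verified successfully
    verified: bool         # True only if every pass read back correctly
    final_digest: str      # SHA-256 of the final image, for the audit trail


def _write_pass(image: bytearray, pattern: Optional[bytes]) -> bytes:
    """Overwrite the whole image with the pattern; return exactly what was written."""
    data = os.urandom(len(image)) if pattern is None else pattern * len(image)
    image[:] = data
    return data


def _verify_pass(image: bytearray, written: bytes) -> bool:
    """Read-back verification: the medium must contain precisely what was written."""
    return bytes(image) == written


def three_pass_sanitize(image: bytearray, serial: str) -> DestructionRecord:
    """Run the three passes, stopping at the first pass that fails verification."""
    completed = 0
    for pattern in PASS_PATTERNS:
        written = _write_pass(image, pattern)
        if not _verify_pass(image, written):
            break  # an unverifiable pass means the drive needs physical destruction
        completed += 1
    return DestructionRecord(
        serial=serial,
        method="three-pass overwrite (0x00, 0xFF, random) with read-back verification",
        passes_completed=completed,
        verified=completed == len(PASS_PATTERNS),
        final_digest=hashlib.sha256(image).hexdigest(),
    )


# Constructed sample: a small "drive" holding SPII-like text (hypothetical serial).
SAMPLE_SECRET = b"SSN 123-45-6789 ACCT 4111111111111111"
SAMPLE_DRIVE = bytearray(SAMPLE_SECRET + b"\x00" * 2048)
SAMPLE_RECORD = three_pass_sanitize(SAMPLE_DRIVE, serial="WD-HYPOTHETICAL-0001")
```

The record's `verified` flag and digest are what an auditor would want beside the serial number on the certificate; a drive whose pass fails verification is flagged for degaussing or physical destruction instead.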

Sustainable Technology Practices pertain to the management, repurposing, and lawful disposition of IT hardware in a manner that reduces environmental impact, and they are the final component of a comprehensive ITAD Plan. Obsolete IT assets and other electronics are considered toxic waste and by law must be properly recycled, which conserves natural resources and reduces air and water pollution, as well as the greenhouse gas emissions caused by manufacturing virgin materials. Equipment that cannot be repurposed should be carefully dismantled to prevent damage to components that may be reintroduced into the manufacturing stream, since electronics are made from valuable resources and materials that require energy to manufacture. This is a critical process: electronic waste represents 2% of the trash in US landfills but accounts for 70% of overall toxic waste in the US alone. Prioritizing Sustainable Technology will also help your organization reduce its environmental footprint and meet Corporate Social Responsibility goals.

IT Asset Disposition practices are more time-consuming than complex. Having a strategy in place will ensure process and procedure are followed when it is time to dismantle IT equipment, even if employee responsibilities shift, significantly mitigating your organizational risk of a Breach After Disposition and ensuring Data Compliance.

Located in the Hauppauge Industrial Park, Pupfish Sustainability Solutions is a Full-Service IT Asset Disposition (ITAD) Firm operating within Long Island’s rapidly advancing technology space. Offering Seamless ITAM Integration, Pupfish partners directly with your Managed IT Services provider or functions as an extension of your own IT Department to develop or execute your disposition strategy.

Visit Pupfish Sustainability Solutions or call 631.403.1100 to learn more about Data Compliance, Catastrophic Data Breach Avoidance, Sustainable Technology, and eRecycling Best Practices.
