IT Asset Disposition Best Practices 

What your Business Should Know About Electronic Data Destruction and eRecycling to Maintain Industry Specific Regulatory + Data Compliance, Avoid a Catastrophic Data Breach, and Protect the Environment. 

Written by Lisa DeMarco, Chief Marketing Officer, Pupfish Sustainability Solutions for Cerini & Associates’ Business Insights Technology Guide - a Best Practice Resource for Technology Executives.

IT Asset Disposition (ITAD) is the process of retiring computer equipment and other IT hardware and electronics your business no longer uses. While this process need not be complex, its key components - data destruction and electronics recycling - must be a top priority, from both a mission-critical and a data-compliance perspective. Every business, regardless of size or industry, should have an ITAD policy that includes a solid data destruction and e-recycling plan. Having a plan in place helps mitigate the risk of a data breach due to improper ITAD practices, in most cases supports data compliance, and may even reduce your organization's cyber insurance premium. 

Businesses of all sizes - in every industry - rely more heavily on technology than ever before. As a result, sensitive data is exchanged at lightning speed, then written to the storage media - hard drives, solid-state drives, and embedded flash - inside the laptops, desktops, tablets, servers, and mobile devices we use each day, and to the internal storage of printers, scanners, and copiers that is easy to overlook. While data-conscious businesses implement security measures to prevent a compromise while their equipment is in use, they are often unaware of the steps that must be taken once the equipment is retired, leaving themselves vulnerable to a catastrophic data breach long after the equipment has been replaced. This substantial potential liability lies dormant for years until the drives and other media are properly sanitized or destroyed. 
 
Contrary to popular belief, deleting files, formatting a drive, or damaging it by hand (hammering, drilling, smashing, or submerging) does not eradicate the data. Deletion and formatting only remove the file-system references to the data; the underlying sectors remain intact and are recoverable with ordinary tools, and improvised physical damage leaves large areas of the platters or flash chips readable by a data-recovery lab, long after the equipment is out of sight and mind. To remain compliant with any one of the Federal, State, and Regulatory laws listed below, sensitive data must be destroyed according to a recognized standard: NIST SP 800-88, which defines the Clear, Purge, and Destroy levels of media sanitization and is the current authoritative reference; the legacy Department of Defense 5220.22-M overwrite scheme that many wiping tools still offer; and the NAID AAA Certification program, which governs how destruction vendors operate. Following these standards helps ensure compliance and mitigates your company's risk of a data breach associated with improper data disposition practices. 

To appreciate the importance of having an ITAD plan in place, it is helpful to first understand Sensitive Personal Identifying Information (SPII) and your company's obligation to protect it. This is information that, if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual - employees, clients, vendors, etc. In general, it is any information that criminals could use to commit crimes against an individual, including identity theft. Social Security numbers; financial, banking, and credit card information; home and email addresses; driver's license and state identification numbers; health insurance and medical records; student information and test scores; payroll information; and income tax records are all examples of SPII that businesses collect every day. Federal, State, and Regulatory compliance laws dictate how this electronic data must be stored, transmitted, processed and, you guessed it, disposed of - which is why a solid data destruction and disposal plan is critical to your business. 

Once we understand our obligation to safeguard the sensitive data hiding on our hard drives and other electronic media, we can begin to take steps to mitigate the risk and ensure data compliance, a term which refers to any regulations that a business must follow to ensure the sensitive digital assets it possesses are guarded against loss, theft, and misuse.  
 
Examples of common Data Compliance Laws include: 

  • Health Insurance Portability and Accountability Act (HIPAA)   

  • Sarbanes-Oxley Act (SOX) 

  • Financial Industry Regulatory Authority (FINRA) rules 

  • Gramm-Leach-Bliley Act (Financial Services Modernization Act) 

  • USA PATRIOT Act (Title III, amending the Bank Secrecy Act)

  • Homeland Security Information Sharing Act (HSISA)

  • Health Information Technology for Economic and Clinical Health (HITECH) 

  • Fair and Accurate Credit Transactions Act (FACTA) 

  • Identity Theft and Assumption Deterrence Act 

  • FDA Electronic Records and Electronic Signatures rule (21 C.F.R. Part 11) 

  • Payment Card Industry Data Security Standard (PCI DSS) 

Three highly effective and inexpensive data destruction methods that ITAD providers employ to meet the above regulatory requirements include: 

  • Media Sanitization. Often referred to as wiping a hard drive, sanitization overwrites every addressable sector with fixed or random patterns and then verifies the result by reading the media back. Wiping software typically implements a number of published overwrite schemes, including the legacy US Department of Defense DoD 5220.22-M pattern, but the controlling reference today is NIST SP 800-88. Caveat: software overwriting is reliable for magnetic hard drives only. Solid-state drives and other flash media remap and reserve blocks that the host cannot address, so NIST 800-88 directs that they be sanitized with the drive's built-in sanitize or cryptographic-erase command, or physically destroyed, rather than by overwrite alone.    

  • Degaussing. Exposing a hard drive or tape to a magnetic field strong enough to erase the recorded data; on modern hard drives this also wipes the factory servo tracks, so the drive is rendered completely unusable. To accomplish this, a High Definition 5T degausser with patented internal NSA Approved Field Verification is used: field strength is measured in real time on every pass, providing evidence that the media was degaussed to the NSA/CSS degausser requirements. Caveat: degaussing only works on magnetic media. It has no effect on SSDs, USB flash drives, memory cards, or optical discs, which must be sanitized or destroyed by other means. 

  • Hard Drive Destruction. A hard drive destruction machine physically bends, crushes, or shreds the drive so that the platters - or, for SSDs, the flash packages - are deformed or fragmented beyond recovery. This corresponds to the NIST 800-88 Destroy level and is the only one of the three methods that applies equally to magnetic and flash media; for SSDs, the shred particle size must be small enough that the individual memory chips are broken. 
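Whatever method is used, the standards above expect the result to be verified rather than assumed, and the verification is what a Certificate of Data Destruction should rest on. The following is an added example written for this article, not Pupfish's tooling: it treats a sanitized medium as a byte string (an image file, or a block device read into memory), checks that the overwrite pattern actually reached the sectors it inspects, and emits a JSON record tying the result to the asset. The 512-byte sector size, the asset serial, and the sample data are assumptions for the example; the sampling approach follows NIST SP 800-88 Rev. 1's option of representative sampling spread across the medium when a full read-back is impractical.

```python
"""Post-sanitization verification of a storage image.

Added example for this article; not part of Pupfish's process.  The
medium is handled as a byte string so the script runs offline on the
constructed sample below.
"""
import hashlib
import json
import random
from datetime import datetime, timezone

SECTOR = 512  # assumed logical sector size


def verify_overwrite(image: bytes, pattern: bytes = b"\x00", full: bool = False,
                     sample_fraction: float = 0.10, seed: int = 0) -> dict:
    """Confirm that the inspected sectors of `image` contain only `pattern`.

    NIST SP 800-88 Rev. 1 (section 4.7) expects sanitization to be verified,
    either by reading back the whole medium or by representative sampling
    spread across it.  Sampling here is a seeded pseudo-random subset plus
    the first and last sector, so an auditor can reproduce the same sample.
    """
    if not pattern:
        raise ValueError("pattern must be non-empty")
    if not image or len(image) % SECTOR:
        raise ValueError("image must be a non-zero whole number of sectors")
    nsectors = len(image) // SECTOR

    if full:
        indices = list(range(nsectors))
    else:
        rng = random.Random(seed)
        k = min(nsectors, max(1, int(nsectors * sample_fraction)))
        chosen = set(rng.sample(range(nsectors), k))
        chosen.update((0, nsectors - 1))  # always look at both ends of the medium
        indices = sorted(chosen)

    # Expected content of one sector: the pattern repeated to SECTOR bytes.
    expected = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    residual = [i for i in indices
                if image[i * SECTOR:(i + 1) * SECTOR] != expected]

    return {
        "mode": "full" if full else f"sample({sample_fraction:.0%})",
        "sectors_total": nsectors,
        "sectors_checked": len(indices),
        "residual_sectors": residual,  # sector numbers still holding other data
        "passed": not residual,
    }


def verification_record(serial: str, method: str, image: bytes, result: dict) -> str:
    """Evidence a Certificate of Data Destruction should be backed by.

    Ties the asset serial, the method claimed, the verification outcome and
    a SHA-256 of the verified bytes into one JSON record, so the certificate
    can later be checked against the exact image that was inspected.
    """
    record = {
        "asset_serial": serial,
        "method": method,
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image_sha256": hashlib.sha256(image).hexdigest(),
        **result,
    }
    return json.dumps(record, indent=2)


# Constructed sample data (not real records): 64 zeroed sectors, and a copy
# with leftover plaintext in sector 37 standing in for an interrupted wipe.
CLEAN_IMAGE = b"\x00" * (64 * SECTOR)
_LEFTOVER = b"PATIENT RECORD 00417 - DOB 1974-02-11 - POLICY 88A-2211"
_dirty = bytearray(CLEAN_IMAGE)
_dirty[37 * SECTOR:37 * SECTOR + len(_LEFTOVER)] = _LEFTOVER
DIRTY_IMAGE = bytes(_dirty)

if __name__ == "__main__":
    result = verify_overwrite(DIRTY_IMAGE, full=True)
    print(verification_record("SN-EXAMPLE-0001", "overwrite 0x00, 1 pass (assumed)",
                              DIRTY_IMAGE, result))
```

Run against the constructed image, the full read-back reports sector 37 as residual and the record carries "passed": false; a 10% sample of the same image may or may not land on sector 37, which is exactly why NIST 800-88 prefers a full read-back where time allows. Note that for an SSD, reading back the addressable sectors says nothing about over-provisioned or remapped blocks, so this check complements, and does not replace, the drive's own sanitize or cryptographic-erase command.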

When creating an ITAD plan, choose a NAID AAA Certified IT Asset Disposition firm that integrates with your Managed Service Provider, or works as an extension of your own IT Department, to develop or execute your strategy. The firm should offer all three data destruction methods above, maintain a documented chain of custody from pickup to destruction (a serialized inventory of every device and signed handoffs at each transfer), and record the destruction process - video of the run and a per-device log of serial number, method, date, and operator - so that the Certificates of Data Destruction it issues are backed by evidence, an invaluable asset in the event of an audit. 

Sustainable technology practices pertain to the management, repurposing, and lawful disposition of IT hardware in a manner that reduces environmental impact, and they are the final component of a comprehensive IT/electronics disposal plan.  Obsolete IT assets and other electronics contain hazardous materials such as lead, mercury, cadmium, and flame retardants; in New York and many other states they may not go into the regular waste stream and must be properly recycled, which conserves natural resources and reduces the air and water pollution and greenhouse gas emissions caused by manufacturing from virgin materials.  Equipment that cannot be repurposed should be carefully dismantled so that undamaged components can be reintroduced into the manufacturing stream, since electronics are made from valuable materials that take energy to produce.  Electronic waste is commonly estimated at roughly 2% of the trash in US landfills but about 70% of the toxic waste found there, so prioritizing sustainable technology both reduces your organization's environmental footprint and helps meet Corporate Social Responsibility goals.  

IT Asset Disposition practices are more time-consuming than complex. Having a written strategy in place ensures that process and procedure are followed when it is time to retire IT equipment, even if the employees responsible change, significantly mitigating your organization's risk of a breach after disposition and ensuring data compliance. 

Located in the Hauppauge Industrial Park, Pupfish Sustainability Solutions is a Full-Service IT Asset Disposition Firm operating within Long Island’s rapidly advancing technology space. Pupfish can work directly with your Managed Service provider or function as an extension of your own IT Department to develop or execute your business’s electronic data destruction and disposition strategy. 

Visit Pupfish Sustainability Solutions at www.PupfishUSA.com or call 631.403.1100 to learn more about these services, in addition to Data Compliance, Data Breach Avoidance, and e-Recycling Best Practices.  
