
Dispose of your IT assets safely with these 7 easy steps

Author: Skyla Janice
Posted: Jan 10, 2022

IT Asset Disposal: What Is It?

In the most general sense, IT asset disposal is defined as: "A process of safe and responsible management of retired electronics according to a strict data security protocol that is tracked and certified."

Reaching this goal is no easy feat. ITAD companies provide fully tracked, chain-of-custody services for the disposal, remarketing, and recycling of IT assets. By implementing the right IT asset disposition procedure with the right vendor, you can maximize the value of each device while minimizing the impact on the environment.

Instead of throwing your old laptops, computers, printers, fax machines, etc. in a dumpster and hoping for the best (leaving yourself open to the risk of data breaches), you can use a service that saves you from substantial privacy breach expenses.

A number of large corporations, including Sutter Health and Emory Healthcare, have faced lawsuits involving data breaches that exceeded $1 billion and $200 million, respectively.

After ordering new office equipment, you decide to store retired IT equipment in the back room for a few months in order to make space for the new equipment. Doesn't that make sense?

Of course not!

You run the risk of equipment "disappearing" from your possession, which leaves you open to severe fines should a data breach occur while no proper IT asset disposal procedure is in place...

In this article, let's look at the IT asset disposal best practices that will keep you protected from career-sucking fines and possible jail time.

These 7 IT Asset Disposal Procedure Best Practices will protect you

1. Remove devices as soon as they are deemed redundant:

You should begin the disposal process as soon as your register flags a device for replacement. There are two main reasons for this:

  • Remarketing your IT assets becomes less feasible the longer they stay in service.
  • The data is more likely to be lost or stolen if a device accidentally gets misplaced during changeover.

Ensure the entire process starts and ends with proper documentation, tracking, and a full chain of custody by enlisting your IT team or hiring a professional IT asset disposition service provider.

2. Track your devices comprehensively to prevent billions of dollars in fines:

The paper trail is no longer sufficient. You should label every device that is taken out of service with a serial/tracking number and a barcode as soon as possible. Although you could manage this in-house, you're better off using the professional services of a certified ITAD disposal vendor. This is a requirement of the ITAD process.

What are its advantages?

In the event that your devices - which can store sensitive information - were to get lost, you may be subject to hefty fines.

One study found that more than 80% of corporate IT asset disposal projects were missing at least one asset - 15% of these containing potentially sensitive data.

In 2011, US healthcare provider TRICARE contributed to these statistics when it failed to track the destruction of a backup tape, which was later found in public hands and caused over $4.9 billion in damages.

The right steps should have been taken from the start!

3. Store retired devices in a secure location, not in a storeroom:

Do not let your team store devices in drawers or underneath desks. Have an ITAD vendor take care of off-site management for you or create a secure, lockable facility on site.

Don't let your assets grow legs - as they tend to do. From 2005 through 2015, devices such as laptops, tablets, and smartphones accounted for 41% of all data breaches.

It's important to check all devices into a secure holding location as part of your IT asset disposal process to prevent devices from being lost or stolen. An ideal holding location should:

  • Have a full enclosure and two points of entry.
  • Use a secured entry with limited access - two-step verification is preferred.
  • Have every device movement in the space recorded, both digitally and on paper. Labels and tracking software must be used to do this.

A good IT asset disposal program and equipment replacement program will reduce the risk of data theft in many cases.

4. Utilize appropriate measures to destroy data:

Just pressing "delete" in your operating system is not sufficient. Unless one of these specialized methods is used, the data can be recovered with a simple "un-deletion":

  • Overwriting: existing data is erased by overwriting it with at least three passes. DoD 5220.22-M may be used for highly confidential data wiping.
  • Degaussing: a degausser is a device that uses magnetic charges to de-magnetize a hard drive or tape to a magnetically neutral state - void of information.
  • Physical destruction: destroying the equipment is the safest option. Hard drives, computers, and electronic equipment are shredded and destroyed on-site to a defective or "dead" state.

Data destruction methods can be chosen based on your requirements, and in some cases, your industry:

Healthcare - The HIPAA and HITECH laws, overseen by the United States Department of Health and Human Services (HHS), regulate protected health information (PHI).

Financial Sector - Institutions that hold data may be held liable by the SEC, Office of Comptroller of Currency, Federal Reserve Board, FDIC, Office of Thrift Supervision, or National Credit Union Administration.

While 47 of the 50 states and the District of Columbia have their own data breach notification laws, IT asset managers can abide by the majority of these laws by following these best practices when disposing of IT assets:

  • All data on devices must be destroyed to 100%. Consider a vendor for secure IT disposal if you are not able to do this.
  • For all unwanted IT equipment, obtain a certificate of data destruction. You should use a professional if you can't arrange this on your own.
  • Make sure that the software you use is approved by the CESG.
  • Make sure the vendor is certified by the National Association of Information Destruction (NAID). A vendor certified by NAID is considered to have completed due diligence in the eyes of regulators.
  • Microshredding devices can be used to destroy SSD drives to 2 mm particle size (recommended by the NSA), since degaussing does not erase SSDs.
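A reconciliation check for the tracking in step 2 and the destruction rules in step 4, as an added example (not code from the article or from any ITAD vendor): it compares a retirement register with the certificates of data destruction and flags devices that have no certificate, were only "deleted", or were degaussed although they are SSDs. The CSV columns, serial numbers and certificate ids are constructed for illustration.

```python
import csv
import io

# Destruction methods named in the article; "delete" or "format" are not among them.
ACCEPTED_METHODS = {"overwrite", "degauss", "shred"}
INEFFECTIVE = {("ssd", "degauss")}  # degaussing only acts on magnetic media
# Constructed sample data: a retirement register and a vendor's certificates.
REGISTER_CSV = """serial,media,retired_on
LT-0001,hdd,2022-01-03
LT-0002,ssd,2022-01-03
SRV-0107,hdd,2022-01-04
LT-0003,ssd,2022-01-05
"""
CERTS_CSV = """serial,method,certificate_id
LT-0001,overwrite,CERT-EXAMPLE-1
LT-0002,degauss,CERT-EXAMPLE-2
LT-0003,delete,CERT-EXAMPLE-4
PR-0900,shred,CERT-EXAMPLE-5
"""

def load(text):
    """Parse CSV text into a dict keyed by normalized serial number."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["serial"].strip().upper(): r for r in rows}

def reconcile(register_csv, certs_csv):
    """Return {serial: [findings]} for every device that would fail an audit."""
    register, certs = load(register_csv), load(certs_csv)
    findings = {}
    for serial, asset in register.items():
        cert = certs.get(serial)
        if cert is None:
            findings[serial] = ["no certificate of data destruction"]
            continue
        method, media = cert["method"].lower(), asset["media"].lower()
        issues = []
        if method not in ACCEPTED_METHODS:
            issues.append(f"'{method}' is not a data destruction method")
        if (media, method) in INEFFECTIVE:
            issues.append(f"{method} does not erase {media} media")
        if issues:
            findings[serial] = issues
    # A certificate for an unregistered serial is a tracking gap as well.
    for serial in certs.keys() - register.keys():
        findings[serial] = ["certificate for a device missing from the register"]
    return findings

if __name__ == "__main__":
    print(reconcile(REGISTER_CSV, CERTS_CSV))
```

Run against real exports, an empty result means every retired serial has a certificate with a suitable method; anything returned should be resolved before the audit trail is closed.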

5. Utilize certified compliance reporting software:

In order to prove your compliance with overseeing bodies such as HIPAA, PCI, SOX, FCC, FDA, etc., detailed documentation is imperative.

When an IT asset is disposed of, it may go through several different tracking and reporting processes if it is not managed end to end, either by an ITAD vendor or internally.

If an audit is triggered, you need a certified compliance report that can be stored in your back office systems.

6. Remarket your assets to achieve significant returns:

Resale value generally applies to IT assets (such as PCs, laptops, cellphones, and servers) that are less than three or four years old. You can use data from your IT asset disposal procedure to predict the market value and book value of your assets, allowing you to plan proactively for either remarketing or recycling.

As long as your equipment is deemed to have commercial value, you can remarket it, which entails refurbishing, upgrading, and reselling it to capitalize on the recoverable value. Old technology can be resold, sold to employees, or donated to schools or foundations.

7. Use Certified Equipment Destruction & Recycling When Remarketing Isn't Viable:

What happens to retired IT assets if remarketing isn't an option? How are the materials being recycled? Are they being recycled properly, or are they being sent to a third world country where children are breaking them down for scrap - an environmentally harmful process that may jeopardize your organization's reputation?

Recycling best practices for IT assets include:

  • It is advisable to use a qualified data destruction and recycling vendor that can provide you with a Certificate of Electronic Equipment Destruction (CEED), demonstrating and certifying that you followed the right procedure to dispose of your assets, which is not only the responsible thing to do, but can also help you avoid penalties in the future.
  • It is always best to use a registered disposal provider approved by the Environment Protection Agency.
  • All IT equipment should be tracked comprehensively.
  • Get hard copies of evidence of how your equipment was disposed of - where it was sent, which parts were reused, which were recycled.
  • Make sure all your waste is disposed of at an authorised facility. Waste must be treated by an Approved Authorised Treatment Facility (AATF) or by an Authorised Treatment Facility (ATF).
  • Keep a Waste Transfer Note (WTN) for every item of e-waste that leaves your premises for a minimum of 2 years.

Don't forget that the data still remains on the devices. It is still possible for a major data breach to occur if the data has not been properly destroyed. There are two options for destroying data: in-house (not recommended) or outsourced.

About the Author

BayTech Recovery offers comprehensive and innovative IT solutions. In addition to providing custom services, BayTech Recovery builds long-term relationships with the clients it works with.
