IT asset disposition or ITAD is one of the most important considerations for a company or individual. Disposing of e-waste improperly is damaging to the environment, but it also puts you at risk of data theft. Restoring equipment to factory settings is not enough to keep thieves from accessing old files, passwords, and photos.
Deleting files and clearing your trash only removes the easy link to those old files. They’re still on the computer’s hard drive where thieves can retrieve them. You must wipe data before you recycle, sell, or donate your electronics.
The safest and most responsible way to dispose of unwanted or obsolete electronics is by hiring an ITAD provider. This isn’t a decision to rush. You want to partner with the best ITAD company, or you could end up in bigger trouble than you’d expect.
Morgan Stanley learned this the hard way when the company hired a firm to decommission its old electronic equipment in a data center that was being shut down. Not only did they fail to keep an inventory of what customer information was on the electronics being decommissioned, but one of the ITAD vendors they worked with didn’t properly wipe data before the computers left the bank’s data center. Those computers contained unencrypted files containing consumers’ financial information. It led to fines and penalties of $60 million.
You have to do your due diligence in choosing an ITAD provider that follows the applicable rules and regulations. To do this, you need to understand how to evaluate and select an ITAD provider before e-waste leaves your business.
What Compliance Measures Must You Follow?
You need to understand the data security and privacy rules and regulations your company must follow.
- Anyone in a medical field, whether it’s a hospital, medical office, medical billing company, or healthcare insurance company, has to follow the Health Insurance Portability and Accountability Act (HIPAA).
- Banks and other financial institutions follow the Fair and Accurate Credit Transactions Act (FACTA) and Gramm-Leach-Bliley Act (GLBA).
- Schools and educational institutions must follow the Family Educational Rights and Privacy Act (FERPA).
- Corporations have to follow the Sarbanes-Oxley Act (SOX).
Some rules also apply to businesses that do business in or with certain states or countries. If your business is in or does business with California or Californians, the California Consumer Privacy Act (CCPA) applies to you. Companies in Europe or dealing with Europeans must follow the General Data Protection Regulation (GDPR).
Those are the main regulations and rules, but others may apply to you. You need to know this information. If you don’t, you need to choose an ITAD provider that knows what measures you need to take. ERI offers free assessments of your required level of compliance. We’ve helped businesses and organizations within the government, banking/finance, healthcare, media/entertainment, retail, telecom, utilities, and many others.
Does the ITAD Provider Have a Solid Reputation?
Research the ITAD provider’s reputation. Back in 2016, a Washington state e-waste company was fined $444,000 after it was found to be sending e-waste to Asia instead of processing it in the U.S. as it claimed. You can often find stories about these fines on the Basel Action Network.
Look at the companies that the ITAD provider works with. It helps to know this as you can scan the news and see if that company has ever had information stolen during or after disposing of unwanted electronics. It also helps you get a better understanding of the trustworthiness of an ITAD provider. For example, ERI works with Best Buy, Staples, Verizon, and many others. Staples and Best Buy are two of the trusted ways for consumers to recycle their unwanted electronics.
Can Data Be Destroyed On-Site? What Data Sanitization Measures Are Taken?
If you’re nervous about shipping your items to a processing plant, consider on-site data destruction. Companies like ERI are happy to come to your business with a destruction vehicle. Upon their arrival, a list of items is created. Inventorying includes recording all of the serial numbers of the different electronics. You’re also given a steel-plated, locking bin to place the electronics into until they’re processed.
Who Is Responsible for IT Asset Reporting?
Ask if the ITAD provider takes inventory before data destruction is completed or if you need to first. Some e-recyclers will create a checklist of items and serial numbers for you. You may want to keep your own list, too. It never hurts to be extra proactive, plus you’ll have a list for comparison when you sign off on the items that are being sent to the processing location.
Does the ITAD Provider Help You Recover Financial Value from Your Unneeded Electronics?
Find out if the company helps you recover the value of any items. Items in reasonable condition may qualify for a refurbishing program, or their usable parts may be collected and sold as used parts. Remarketing helps you recoup some of the money you’re spending on replacements.
Who Handles All Stages of the Processing Steps? Are Background Checks Required?
Don’t choose an e-cycler that doesn’t require background checks on its employees. You’re trusting a company with your electronics, so you should be concerned about who is handling them during transportation, processing, etc. Some plants will have different levels of background checks depending on the worker’s role. You want to partner with a company that runs criminal history checks and random drug tests. You also want to make sure that the employees sign confidentiality agreements.
There’s one more thing to ask. If you require high-security services, are there trained security personnel? Does the company work with you and allow your contractor and government representatives when demilitarization is required?
How Are Items Transported? Are You Offered Tracking During Shipping?
Find out if the company uses third-party carriers for transporting recycled electronics. If so, is there a tracking system in place? Ideally, you want drivers to be SmartWay Certified and to go through background and security checks. You also should be offered real-time tracking from the minute your items leave your business. ERI uses a tracking and management portal known as Optech, allowing you to know exactly where your IT and electronic assets are at every moment, even if it’s the middle of the night. You never have to question if your items have been destroyed or have even arrived.
For Items Being Remarketed, How is Data Destroyed?
You have some electronics that still have value. You want to ensure that the data is destroyed before the parts or equipment are refurbished and sold. Find out if you are responsible for data destruction or if the company offers it. Some companies state in the fine print that it’s your responsibility to do this step. Ask how the e-recycler destroys the data. ERI provides four levels of data destruction, ranging from data destruction that follows NIST SP 800-88 Rev. 1 guidelines to demilitarization services that follow NSA/CSS Storage Device Sanitization Manual guidelines.
Do You Get a Certificate of Destruction?
At the end of the ITAD process, you should have a certificate proving the e-recycling firm destroyed the items. If you don’t get this certificate, you don’t want to work with that company. You want to have this in hand just in case any data breach occurs. It’s your proof that you took every step required of you.
What Happens After Data Destruction? Does Anything Go Overseas or to Landfills?
Verify that the ITAD provider does not send anything overseas or to a landfill. One way to do this is by looking for e-Stewards certification. E-Stewards certification goes to companies that follow the rules to protect the environment. It involves responsible recycling, never dumping components into a landfill, and not sending items overseas to countries.
Certification is a 10-step process that starts with recycling companies reading and agreeing to the e-Stewards Standard. The general principles are:
- Protects the clients’ data and privacy
- Protects the workers’ health and safety
- Abides by fair labor practices
- Properly disposes of e-waste
- Conforms with international laws at all times
- Makes certain toxic waste never goes to a developing country
- Ensures that contractors and others you work with follow the same criteria
- Agrees to unexpected, random audits and GPS tracking
What Certifications Does the ITAD Provider Hold?
Ask about the certifications held by the ITAD provider. At the very least, you want to partner with a firm that holds Responsible Recycling (R2), e-Stewards, ISO, and National Association for Information Destruction (NAID) certifications. These companies focus on protecting the environment, protecting their customers, and protecting their workers.
The companies agree to random, unscheduled audits to get these certifications, so you know they’re always following responsible practices. Even during the COVID-19 pandemic, these audits continued to happen through real-time virtual walkthroughs of the company’s different departments.
Everything listed above helps you choose the best ITAD provider. Trust in the fact that ERI is the best e-recycler for your needs.
What makes us the best? ERI holds e-Stewards certification. We also hold R2, ISO 9001, 14001, and 45001, and NAID AAA certifications and were the first to have e-Stewards, NAID, and R2 at the highest possible levels of compliance. With eight locations across the U.S., we serve every state. We can process all CRTs, flat panels, and ITAD assets in-house. We also offer local data destruction. Call us at 1-800-ERI-DIRECT to discuss your data destruction and ITAD needs.