How much thought has your company put into the end-of-life for your company’s electronics? Many companies don’t consider the value of strong ITAD policies until they face fines for data breaches.
CNET surveyed Americans about their old electronics and found that 31% put them in basements, closets, storage rooms, or other out-of-the-way places because they don’t know what to do with them. Another third trade them in when buying new electronics. Worse, 19% throw them out.
As a business owner, it’s often simpler to store old electronics in a storeroom or off-site locker than to decide what steps to take. However, this is a costly mistake. Donating, selling, or losing electronics to theft without first securely erasing the data can harm your company’s reputation. Additionally, you could face heavy fines and legal actions due to potential data breaches.
Multi-location enterprises struggle with consistent ITAD execution for several reasons. At the core are problems with coordination, failure to understand the need to comply with both federal and local regulations, and failure to properly vet ITAD partners.
A Breakdown of What Happens With ITAD Executions
IT Asset Disposition (ITAD) involves the collection and processing of IT assets that are being retired due to age, inactivity, or damage. It’s a multi-stage process.
Inventory – Assets being recycled must be logged in an inventory that includes the item’s serial number, status, and location until pickup.
Logistics – When moving IT assets from your business to a secure recycling site, they must be packaged in secure containers and loaded onto trucks equipped with GPS tracking. Every asset tag is scanned as it’s loaded to establish the chain of custody.
Data Sanitization – Once at the facility, any devices with data, such as HDDs or SSDs, undergo data destruction in accordance with NIST 800-88 standards or better. This may include software that overwrites sectors until it is impossible to recover data, or physical destruction in industrial shredders. Optional data destruction may occur at your company’s location before items are loaded onto trucks.
Evaluation – Once data is destroyed, your ITAD partner assesses the items to determine whether any have value through refurbishment or remarketing. You can get some money back with items that go back into the market.
Recycling – Items that are recycled get broken down so that the glass, plastic, and metal are used to make new things.
Documentation – After your IT assets have had their data wiped and are prepared for resale or recycling, a certificate of data destruction (CoDD) is issued. The CoDD provides proof that you complied with all regulations and protects you against future lawsuits or penalties. You also receive a statement showing any residual value in the IT assets, which helps cover the cost of the ITAD service.
Six Challenges With Multi-Location ITAD Processes
While ITAD can seem straightforward at first glance, multiple locations complicate ITAD executions. Too many moving parts and a lack of cohesive plans can derail your company’s intentions.
Budgetary Concerns
In many companies, the headquarters are larger than the branch offices. Larger offices have more money available, but the security needs of a smaller branch are just as essential. Plus, a branch might only have a dozen computers to pick up, while headquarters has hundreds.
The cost of getting a truck for the smaller shipment is high. That causes branch managers to store electronics until there is a huge supply in need of processing. For years, your company has data sitting on hard drives in an unlocked supply room or closet. Anyone could take something without your knowledge.
That higher cost is also a problem if the manager can’t afford the quoted price. To save money, the manager brings items to the town’s recycling facility. There’s no CoD. If there’s a data breach, you lack proof that you followed regulations. You’re exposed to class-action suits, legal fees, and government penalties.
Different Time Zones
Your headquarters is in New York, but you have offices in California, Illinois, Japan, England, and Canada. When offices are in different time zones, coordinating ITAD events becomes difficult.
Your IT team in New York receives a call from the scheduled carrier, reporting that the driver arrived at the loading dock in Japan and found no one there. The Japanese team had left for the weekend, so no one was around to answer that question because of the 14-hour time difference. The New York team won’t know what happened or where those devices are until Tuesday.
Inconsistent IT Infrastructures
Another problem is that a company’s IT infrastructure is only as good as the people organizing it. Fifteen years ago, a new manager came in and ordered 25 brand-new laptops. The old laptops were placed in an unlabeled box, buried under other boxes in the supply room.
Years later, that manager is gone. During an ITAD pickup, the vendor finds those laptops. No one knows what’s on them or whether they should even be removed from the office. The original job is now complicated with equipment that didn’t appear on the inventory list.
Lack of Expertise
The IT team in one office possesses more knowledge than the one IT worker in a rural office. The solo IT worker has never been through an ITAD execution and struggles to follow the procedures. If that worker makes a mistake, it could be costly to your entire company.
A smaller office might not even have an IT department. Employees perform a factory reset on their machines before bringing them to a recycling facility, thinking that’s enough. Now, you have a number of devices gone and no CoDD in return.
Limited Local Resources
Take that same rural office. The available local resources are limited. The nearest ITAD facility is hundreds of miles away. Every mile a truck drives, there’s the potential for loss. If the truck crashes on wintry roads or is stolen at a truck stop, there’s the risk of lost shipments.
There’s also the cost of transportation when items are going out of state rather than to a location in the same state. Shipping costs increase rapidly as the trip takes more time and covers more miles. It becomes tempting to choose the only local company, which puts your data at risk of improper handling.
When you choose the local company, it can create a poor chain of custody. That company isn’t e-Stewards or R2v3 certified. They don’t follow the required procedure and only know state regulations. You don’t have any proof that data destruction was completed correctly.
Poor Chain of Custody
One of your locations had 10 laptops aside for data destruction and recycling. Those laptops were never scanned. No one knows where they are. Did they get left behind in your building somewhere? Did they make it onto the truck and get lost?
The chain of custody is important for tracking an item’s location at any given moment. If something goes missing, it may be safe, but can you prove it? You must report the possible theft of data to all customers, local authorities for a police report number, and the FBI’s IC3, the Office of Civil Rights (healthcare), or the SEC (public companies).
The Value in an ITAD Provider’s Formal ITAD Frameworks
With a formal ITAD framework in place, your company is protected from risk. The vendor you choose is accountable for the ITAD process. You have proof that you did everything legally required on your end for your end-of-life electronics.
Choosing a certified, responsible ITAD vendor is your first step in establishing ITAD execution. ERI holds numerous certifications, including the important R2 and e-Stewards certifications. We offer facilities nationwide to keep your shipping costs as low as possible. We also offer data destruction services at your different places of business if needed.
Reach us online or by phone to tell us about your multi-location business’s ITAD needs. We work with you, even if it means coming to your office, and ensure your ITAD framework aligns with the legal requirements for your federal, state, and city regulations.