Building an ITAD Program: What Your Company Needs To Know By: Integrated Communications & Technologies
Contents 3 4 6 7 8 9 Introduction Understanding The Concepts of IT Asset Disposition Evaluating by Asking Questions Choosing an ITAD Provider Conclusion About The Author 2
Introduction Electronic waste (e-waste) is a problem for every company, big or small, as IT equipment often breaks, becomes outdated or obsolete, or is simply no longer needed. This old equipment has to go somewhere, and laws and common sense dictate that it should not simply be thrown in the trash. Electronics that end up in a landfill can be very harmful to the environment and human health by leaching toxins, heavy metals, and other dangerous substances into the air, ground, and water supply. Additionally, improperly thrown out electronics run a high risk of a data breach if they aren t properly wiped before being re-used or thrown out. Because of this, the disposal of e-waste is regulated by a number of different laws. Unfortunately, it s not always easy to keep up with these regulations. No matter what industry your company is in, you need to have a policy for dealing with old electronics responsibly an IT asset disposition program. There are many benefits to having clear, concrete, and effective policies in plans for disposing of old technology, including: Avoiding fines and cleanup fees from improper e-waste disposal Compliance with state and federal laws Reducing the need for harvesting new materials to make electronics Contributing to the preservation of the environment Helping to improve global human health Improving company image Avoiding a data breach Recovering value from used but working equipment (IT Asset Recovery) Salvaging value from precious metals in electronics So how do you set up a program for responsibly handling your company s e-waste? It s a multistep process that begins with understanding the concepts surrounding e-waste disposal. 3
Understanding the Concepts of IT Asset Disposition If you are trying to create a program for disposing of unwanted equipment, you will need to know what the basic concepts behind the process. Let s define some of the core concepts of IT asset disposition to help you plan your approach more effectively. What is ITAD? IT asset disposition (ITAD) is a phrase that may seem complicated, but in reality, ITAD just describes a process: the process of disposing of unwanted, broken, or obsolete equipment safely and securely, in an eco-friendly way that minimizes costs and losses and protects confidential data. Effective IT asset disposition varies for each individual company, and may include reselling or repurposing equipment, equipment donation, data destruction, and recycling. Many organizations also need solutions for packing up, removing, and transporting the equipment during this process. What is the Chain of Custody? Your company s electronics contain sensitive data, and while the amount of data may vary depending on your industry, you do not want any of this information getting into the hands of hackers and data thieves. This is why a secure chain of custody is important for ensuring data is tracked and destroyed properly. Chain of custody is the documentation ( paper trail ) showing who was in charge of the equipment at each stage of the process, ensuring accountability and proper disposition of the data and equipment. It is especially important during the transport process, which is when data is typically most vulnerable. Depending on the security needs of the data to be disposed of, secure transport may simply mean documentation and transport in sealed packaging, or anything up to an armored vehicle and even a bonded driver. How Does Data Security Relate to Retired IT Equipment? Whether it s proprietary company data, client financial information, or personal data, every company has sensitive information to protect information that is often located on office IT equipment. When preparing to retire this equipment, how do you keep that information safe? Simply deleting the files is not enough doing so only deletes the reference to the file so the computer can easily find it not the file itself. Anyone who knows what they re looking for can access the data, and a mere 1 gigabyte of data can contain a staggering amount of information, whether it s located on a server, computer, USB drive, CD, or even a printer. Most companies do not have the resources or knowledge to dispose of secure data effectively and in compliance with data security regulations, and must utilize the services of a responsible, certified IT recycling service to provide data destruction. Effective methods include nondestructive (software-based) wiping, which keeps the equipment in usable condition for resale, or destructive (physical using electromagnetic fields or shredding), which is used for equipment that will be recycled. This ensures that no unauthorized persons will have access to your sensitive data. 4
Understanding the Concepts of IT Asset Disposition (Cont.) What is Reverse Logistics? Once again, we come across a term that sounds more technical than it actually is. Reverse logistic refers to the supply chain in reverse: taking a product from its final destination of use, such as in an office, and taking it at least one step back in the supply chain process. This might mean: De-installation, packaging, and removal of equipment at an office, retail center, or school Transporting the equipment for refurbishment or recycling Destroying sensitive data Resale or donation of the equipment when possible Recycling broken and extremely outdated equipment and salvaging the components Reverse logistics essentially breaks down the ITAD process into a series of steps steps that may vary depending on the needs of the business that is disposing of the equipment. Reverse logistics help companies by reducing the costs associated with asset disposition and ensuring equipment is disposed of in a responsible, compliant way. What Certifications and Standards Exist? Technology moves into obsolescence at such a breakneck pace these days, that regulations have had to quickly adapt to keep up with the growing e-waste problem worldwide. In the United States, the EPA (Environmental Protection Agency) and other organizations enforce strict guidelines and best practices for recycling e-waste and minimize environmental impact, imposing stiff fines on businesses that do not dispose of old equipment properly. Data security is also subject to regulation, particularly in certain industries, which helps protect personal privacy. NIST 800.88 are The National Institute of Standards and Technology guidelines, spelling out everything from the proper handling of secure data to safe disposal methods. The Health Insurance Portability and Accountability Act (HIPAA) is an industryspecific agreement that protects the privacy of patients data, and it s important for companies to be aware of any regulations like these that could affect the ITAD process. New regulations are emerging all the time, as the consequences of improper e-waste disposal become more apparent and continue to negatively affect global communities and the environment. Laws surrounding the export of e-waste, best practices for recycling, and data security are constantly evolving, and it can be difficult to keep up with the current regulations without the help of an expert recycler. 5
Evaluating by Asking Questions Now that you know the basics of IT asset disposition, it s time to start putting that knowledge to use in planning your company s strategy for retiring electronic equipment. Your first step is to evaluate your current processes, needs, and resources to help you develop a costefficient and compliant plan. Here are some questions to ask yourself: 1) Your Current Process a. What happens to old IT equipment once it s no longer needed? b. Is there any type of written policy currently in place for IT asset disposition? c. What is the company budget for asset disposition? e. What are the requirements for equipment to be retired and sold/recycled? 2) Your Equipment a. What type of equipment needsto be disposed of? b. How often is equipment replaced? c. How old is the equipment? d. Where is retired equipment stored? e. What condition is retired equipment in? 3) Scope a. How many locations/offices need to dispose of old equipment? b. Will international recycling be necessary? c. What is the volume of the retired equipment? d. How often will asset disposal be necessary? 4) Compliance a. What is the current process to destroy data on retired equipment? b. Which departments play a role in disposing of IT equipment? c. What are the current policies (if any) on data destruction d. Are there any environmental goals within the company? e. Are there are any specific standards in the industry (i.e healthcare) Once you and your team have explored these questions and come up with some answers, it s time to organize those answers into a document that can be refined, improved, and worked into your new ITAD program. For a more in-depth analysis of your company s current policies, request our 48 question survey that will help you refine your goals further. 6
Formulating a Plan Once you ve decided what your needs and goals are based on the answers you compile, it s time to determine how you are going to execute that plan. Most companies do not have the staff, time, expertise, or equipment to handle the process themselves, so finding a reputable IT asset disposition provider is typically the next step in the process. Choosing an ITAD Provider So why should you work with a certified ITAD provider? Simple. They know the industry best practices, regulations, and handle retired equipment on a daily basis. It is often more efficient and cost-effective to hire an expert than to take your employees away from their work to figure out the components of responsible IT asset disposition. In addition, a knowledgeable IT provider will know when it is a good idea to try and resell or repurpose equipment or simply recycle it. Peace of mind is one of the top benefits of working with a responsible IT recycler. But how do you choose a company to work with? To avoid hiring an irresponsible, non-compliant, or simply inexperienced company to partner with, consider these factors: 1) Certifications You may be surprised to learn that there are no laws that require electronics recyclers to be certified. The EPA does encourage certification, but working with an uncertified recycler is common and dangerous. There are two major certification types recyclers can seek in the United States: R2 (Responsible Recycling) and e-stewards. You should only consider working with an ITAD provider who maintains one of these certificates, as they denote compliance with regulations related to environmental and recycling practices, data security, and even worker safety. 2) Data Security Data breaches are common these days, and you don t want your company to be the next cautionary tale. Responsible ITAD providers are diligent about documenting the chain of custody for data every step of the way, providing secure transport, and using appropriate methods for destroying the data permanently, in accordance with industry standards such as NIST 800.88, DOD 5220.22M(E) 3-Pass, and the DOD 5220.22-M(ECE) 7-pass. 3) Capabilities and Procedures Obviously, a qualified IT recycling company will need to have the proper equipment and facilities to process equipment in a compliant, environmentally-friendly way. However, aside from the basics, you may need to consider some other factors as well. If your company will need not only domestic recycling services, but international as well, you will need to choose an ITAD provider who has the ability to arrange for overseas disposition as well. If you anticipate selling some of your unwanted equipment, you should ensure that these products will be stored safely until they can be sold and shipped. 7
4) Rates Choosing an ITAD Provider (Cont.) Of course, cost is an issue when disposing of old computers, but you also need to take into account that choosing a cheap but uncertified IT recycler over a reputable company could end up costing a great deal more in fines and damage to reputation than the initial cost of the service. Think about value over overall costs, and go with a provider who will help you minimize your losses and protect you from violations. When evaluating costs of ITAD providers, take into account how they charge: is it per pound? Per piece? Per pallet? The pricing structure that will be most economical for your company s needs will depend on the type and condition of your equipment. 5) Accountability A quality ITAD provider will assume responsibility for your equipment, keeping documentation every step of the way and ensuring that both the data and hardware of your retired equipment go through a secure chain of custody on the way to their final destination. Responsible companies will assume liability for your e-waste, giving you peace of mind and the knowledge that your company s old IT equipment will not contribute to the growing crisis of e-waste in landfills. Conclusion: Make Your Policies and Stick With Them By now you ve probably figured out that IT asset disposition shouldn t be an afterthought, but a priority. Just like trash and normal recycling, IT asset disposition is just another cost of doing business. However, it s a cost that supports your company and your community in preserving the planet and keeping confidential information safe both of which your organization can be proud. Because of this, it s important to make your policies concrete and stick with them. Make a document you ll refer to again and again, and form a partnership with an ITAD provider you can trust you ll never again have to deal with a pile of old equipment sitting in storage. 8
About The Author Susannah Bruck is a freelance writer and editor from the Seattle area, who has worked on diverse projects ranging from blogs to plays. A long term writer for ICT Asset Recovery, she s been diving into topics ranging from electronics recycling to sustainability and data destruction. She frequently writes non-fiction and marketing pieces behind the scenes as a ghostwriter, but is also a fiction writer, with a short story appearing in Jeopardy magazine. She is always excited to tackle new subjects and projects, and isn t afraid to dive into research when it s (nearly always) necessary. A recovering English major, she currently resides in Cambridge, MA. For more than 20 years our team at ICT has mastered the industry's best practices in IT equipment disposal and asset recovery, in secure e-waste management and overstock solutions for corporations, government agencies and non-profit organizations worldwide. All practices are fully compliant with regulation and standards, providing our customers reliable, secure and transparent ITAD services.