The need for risk management and compliance in IT asset disposition management is focused on two areas: control of data and personal information, and environmental compliance for asset disposal. Both carry significant financial risk and exposure, and either can become a public relations disaster for a non-complying firm.
Protecting information, whether the personal information of employees and customers or information connected with corporate intellectual property, requires a two-fold plan. The first key element is keeping good physical control of the storage media containing the data. The second is applying a data destruction mechanism that is both complete and verifiable.
Control of the physical assets starts at the point of disposition. A number of logistics mechanisms can be used to minimize this risk, depending upon the sensitivity of the data and the level of investment the company decides to make in physical security of the data. The most expensive approaches to physical control involve bringing in outside expertise for erasure before the data storage devices are allowed to leave the premises. A second method of physical control is full chain-of-custody shipping. A key evolving element in this risk mitigation process is control and disposition of personal communication and entertainment devices such as cell phones and tablets that may contain key corporate data.
Safe and proper erasure of data storage devices varies by the type of device: cellular phones, tablets, and traditional IT equipment such as desktops and laptops each need their own procedure. The plan for data erasure must also include physical destruction mechanisms for devices that are inoperable or media that cannot be properly erased. The varied operating systems of cellular phones and tablets require special procedures to ensure proper data erasure. There should also be verification mechanisms to ensure all storage media is erased thoroughly and effectively.
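One form the verification step can take for a drive that has been overwritten with a fixed pattern is to read the whole device back and confirm every block holds only that pattern, recording the result for the disposition file. The example below is added here to illustrate that check and is not from the original article or any vendor's tooling; the device identifiers and the two disk images are constructed sample data, and the second image deliberately keeps a fragment of residual data so the failure case is exercised.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class EraseVerification:
    """Record kept with the asset's disposition paperwork."""
    device_id: str
    total_bytes: int
    residual_blocks: list = field(default_factory=list)  # block indexes still holding non-pattern data
    digest: str = ""  # SHA-256 of the media as read back, so the record can be re-checked later

    @property
    def passed(self) -> bool:
        return not self.residual_blocks

def verify_erasure(device_id: str, media: bytes, pattern: bytes = b"\x00",
                   block_size: int = 512) -> EraseVerification:
    """Read back every block of `media` and confirm it contains only the wipe pattern.

    A full read-back (not a sample) is used so a single surviving block is
    still reported; the final block may be shorter than block_size."""
    expected = (pattern * (block_size // len(pattern) + 1))[:block_size]
    residual = []
    h = hashlib.sha256()
    for offset in range(0, len(media), block_size):
        block = media[offset:offset + block_size]
        h.update(block)
        if block != expected[:len(block)]:
            residual.append(offset // block_size)
    return EraseVerification(device_id, len(media), residual, h.hexdigest())

# Constructed sample images (hypothetical device IDs, 4096-byte "disks").
CLEAN_IMAGE = b"\x00" * 4096
DIRTY_IMAGE = b"\x00" * 1536 + b"SSN=123-45-6789" + b"\x00" * (4096 - 1536 - 15)

def verification_report(record: EraseVerification) -> str:
    """One-line summary suitable for the chain-of-custody log."""
    status = "PASS" if record.passed else "FAIL"
    return (f"{record.device_id}: {status}, {record.total_bytes} bytes read back, "
            f"residual blocks={record.residual_blocks}, sha256={record.digest[:16]}...")

if __name__ == "__main__":
    print(verification_report(verify_erasure("constructed-disk-A", CLEAN_IMAGE)))
    print(verification_report(verify_erasure("constructed-disk-B", DIRTY_IMAGE)))
```

A failed record is the cue to re-wipe or route the device to physical destruction, as the plan above requires for media that cannot be properly erased.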
The process of vetting potential ITAD vendors for environmental compliance has been simplified in recent years by new certification programs such as R2. Although these certification programs provide a mechanism for initially vetting vendors, they should not be the only mechanism used to understand the environmental and health compliance risks in selecting an IT asset disposition vendor. It is important to develop a process that applies the organization's internal health and compliance goals and metrics to the vendor providing the ITAD services. For many organizations, the metals in electronics equipment, such as lead and mercury, represent some of the most hazardous materials that will be disposed of. Ensuring that this is done correctly and documented completely is essential. A sophisticated ITAD vendor will have an environmental compliance package that answers many, if not all, of the initial screening questions.
In addition to reviewing this documentation, a site visit should be seriously considered. There are many aspects of the disposition process that can only be investigated during an onsite inspection. Many organizations contract this work to an environmental expert. The site inspection should include verification of shipping and receiving procedures, separation of hazardous materials, housekeeping, and record keeping.
A growing aspect of ITAD vendor compliance is managing the various laws that regulate a producer's responsibility for collecting and recycling consumer equipment. The various state laws have created a patchwork of regulation that is neither consistent nor simple. The fees and reporting requirements in states such as New Jersey and Illinois can be quite complex. Outsourcing this work to an ITAD vendor can be an effective way to ease the organization's burden of understanding and managing these compliance issues.