6 ITAD Tips Too Important to Ignore

Selecting a new IT asset disposition (ITAD) vendor can be daunting. No vendor will align perfectly to a single client. A successful ITAD program is built upon a proactive and informed client working with a competent vendor. If accomplished, clients will have confidence in knowing their IT and electronic devices are processed in a secure and environmentally responsible manner. To ensure a seamless and favorable transaction, it is recommended to evaluate your ITAD program with the following considerations:

1. Maintain a complete and accurate list of IT assets.

Many clients use their IT asset management software or their ERP inventory system to generate an initial list of assets in need of retirement. This becomes the master list used in their ITAD program. IT assets not on the network are not detected by the software. Unless this list is validated with a complete physical inventory and cross-checked thoroughly for inconsistencies, errors are introduced before the ITAD process begins. Without validation, it is almost impossible to fully reconcile asset tracking through final disposition. Corporate Risk Managers should have access to an accurate and dynamic inventory of when and how each IT asset is disposed of and data destroyed. Common tracking identifiers used in cross referencing inventory include make, model, serial number and asset tag.

2. Prioritize vendor selection.

Years ago, formalized selection processes for disposal of IT assets were rare and vendor vetting was mostly non-existent. Few questions were asked and most companies were satisfied with any service with the ability to quickly haul away their retired IT equipment. Gartner, a leading IT market research firm, released their first “Magic Quadrant for North America Information Technology Asset Disposition” report in 2010. Since then, we have seen ITAD vendor selection processes mature.

Most large organizations today issue a detailed RFP to evaluate ITAD vendor capabilities and strengths. RFP data generally includes information regarding compliance, data security, sustainability and value recovery. It is recommended to not focus on only one capability because you could consequently compromise another. As an example, prioritizing value recovery can compromise data security, compliance and sustainability goals.

Compliance

Over the years final disposition of IT assets and digital data has taken on new significance to Corporate Officers, Risk Managers and compliance teams within organizations. IT assets inherently contain hazardous materials and ensuring all is responsibly managed and disposed of is critical to a successful ITAD program.

Industry standards, such as the Responsible Recycling (R2) and WEEELABEX standards, provide baseline assurance in the evaluation process. In recent years, there has been added interest in how the manufacture and disposal of electronics impacts a circular economy evaluation.

Data security requirements for disposing of IT and electronic devices have continued to develop since the United States created regulations such as HIPAA, GLBA, FACTA and PIPEDA forcing industries to think about controls, accountability, processes and security. The EU’s General Data Protection Regulation (GDPR) is one of the latest to make an impact on increasing regulatory requirements for international businesses.

As a result, most Corporate Risk Managers today require a defined plan outlining how data will be systematically destroyed with an audit trail. Audit trails show disposition routes, mass balance reporting, and certificates of data destruction and responsible recycling.

Data Security

A single instance of compromised data can be devastating for a company. Ensuring security of all data bearing assets is important. While no studies exist on the percentage of companies that allow data-bearing IT assets to leave their premises, Sims Lifecycle Services (SLS) estimates about 65 percent of clients require data destruction while assets are still in their custody. This percentage has increased significantly in the last three years.

The increase in attention to on-site data destruction services comes as no surprise. It is one of the highest levels of security services on the market. Aside from on-site destruction services and security certifications, it is helpful to understand a company’s security management structure. Internal communications, trainings, assessments, and continuous site analysis will provide more of an indication of the level of attention a vendor is giving to data security on a daily basis.

Sustainability

As most companies are starting to incorporate circular and carbon-reduction processes into their business models, IT asset lifecycle will feature as part of the journey. Your ITAD vendor should be able to help you conscientiously reduce waste, reclaim raw materials for remanufacturing, increase reuse levels and incorporate considerations for the entire lifecycle of a product into the design process.

Industry experts suggest companies who will make it in the future will be those that “partner effectively with the entire circular supply chain to optimize collections, efficiently process material and find sustainable homes for the recovered commodities. Working with a single provider can reduce logistics, and is often more carbon efficient than multiple suppliers due to having a large global network.

Value Recovery

The cost of a secure and responsible ITAD program is seldom budgeted in advance which leads many companies to seek revenue-neutral options.

If a company depreciates their assets on their books to zero they also will not hold a value on the books for them, even though they may have value when resold on the second hand. This in some cases can leave an ITAD program to be self funding or net positive. In order to do this, consider the following:

• Do not delay resale. When it comes to value recovery of IT assets, timing is everything. Moore’s Law is an observation of how quickly technology evolves stating that “processor speeds, or overall processing power for computers will double every two years”. Focus on IT innovation coupled with short refresh cycles are contributing factors in why IT assets can quickly depreciate in value.

• Minimize your risks. When commodity prices are low, there is less financial buffer for vendors to support revenue-neutral programs. In these cases, the chances of a low-cost vendor taking shortcuts increases. Low-cost options could risk inadequate protection from a security breach, environmental disaster (i.e. e-waste dumping) or non-compliance (i.e. not having required documentation in an audit). Value recovery is important but for larger, public companies is a secondary consideration after data security and compliance.

• Understand your vendor’s resale channels and strategies. A vendor who maintains active and varied resale channels (wholesale and retail) is preferred. When reselling IT equipment you earn the best value when you master the five Ps: Price, product, promotion, placement and people. Not all vendors consider resale strategies and understand best practices for maximizing opportunities on various resale channels. This can have a big impact on value recovered for clients. Analytics and pricing software is used by vendors can help inform these important decisions.

• Outline each vendor’s chain of custody. Moving IT assets from your facility to an ITAD processing center, and finally to buyers in secondary markets is a cost driver to be considered. Work with a vendor who efficiently manages logistics and is mindful of how these costs will directly impact revenue shared with you, as a client.

3. Understand lag times.

Problems with irresponsible disposal of IT assets can surface long after an asset has been removed from a company’s live environment. This lag time can be the cause of major data and compliance threats. Data stored in an uncontrolled environment is only accumulating risk. The lag time between when a company removes an asset from their live environment and when downstream violations are identified, can be problematic for regulatory compliance audits. When an IT asset is removed from your facility for IT asset disposition or recycling, your company is still at risk if it is improperly managed. The links below document how irresponsible ITAD and recycling vendors have put corporate clients at risk.

Data on resold hard drives:

March 17, 2020

German Military Laptop Sold on eBay Included Classified Missile Information

April 25, 2019

Blancco reveals 42 percent of used hard drives sold on eBay are holding sensitive data

March 24, 2017

Personally Identifiable Information Found on 40 Percent of Used Devices in Largest Study To-Date

June 28, 2016

Resold Hard Drives on eBay, Craigslist are often still ripe with leftover data

August 20, 2013

A $1.2 Million Photocopier Mistake: Health Plan Settles with HHS in HIPAA Breach Case

E-Waste illegally exported:

May 21, 2019

Thailand to ban imports of e-waste as Southeast Asia nations fear they are new dumping ground

February 19, 2019

UK worst offender in Europe for electronic waste exports

April 19, 2018

The world is sending tons of illegal, e-waste to Nigeria

June 2, 2016

The US is still dumping some of its toxic e-waste overseas

4. Ensure legislative compliance and audit-ready reports.

Mistakes can be made as IT assets are moved, packaged or transported. This multi-step chain of custody introduces risks and vulnerabilities that need to be effectively managed. Ensure your chain of custody is clearly defined, documented, secure and as streamlined as possible.

If one stray hard drive turns up during an audit or shows up years later in an unexpected place, your company’s ability to demonstrate consistent processes and attention to detail will be jeopardized. This might also greatly affect liability assessments.

Demonstrability

For audit purposes, it is critical to have defined processes to demonstrate discipline, due diligence and best practices in how IT assets are handled and data destroyed. Documentation (i.e. inventory reports or certificates of data destruction) provides proof that processes were followed and data was responsibly destroyed.

Statement of Work

When onboarding a new vendor, a written statement of work (SOW) often details how equipment is processed. This can be an important part of any corporate audit, as it demonstrates the use of a vendor who operates in a systematic and repeatable manner.

A vendor should be committed to ensuring a seamless service transition by making your onboarding experience a positive one. Particularly when managing multiple entities across the globe, vendors should be able to demonstrate their tried and tested onboarding process which might include an understanding of,

• Tax and financial considerations (when working internationally),
• Transboundary movements of equipment,
• Varying environmental, data security and privacy legislation, and
• Other international variations.

Transparency

Once your processes are defined and documented, ensure accountability of the process and have an understanding of how you will manage it. Find a vendor who offers full transparency. A web portal option can be used to search for any asset at any time, and view an item’s status. If assets have been processed, a quick search using an identification number (i.e. serial number or asset tag) should provide details on the service, location and certificates if needed.

5. Maintain full accountability and make it integrated.

Final retirement of technology assets involves several departments within an organization, each with unique requirements. Partnering with a vendor who can support all of the organization’s needs in a streamlined manner can impact efficiency. Department requests might include:

• Proof of data security (IT department)
• Complete audit trails of IT assets during disposition (Accounting)
• Total value recovered from retired IT assets (Upper management)
• Assurance of environmental and security risk protection (Corporate risk managers)
• Estimated sustainability and environmental impact (Corporate sustainability managers)

An ITAD partner with broad capabilities can reduce administrative overhead, simplify vendor relations, assist in hitting environmental targets, and improve overall accountability. Vendor selection should consider immediate and future corporate requirements.

6. Create and implement a standardized program, then optimize.

For large companies many ITAD programs were initiated as site-specific processes. Today national and global companies are eliminating these fragmented regional programs, and consolidating and standardizing to a single program managed holistically and consistently.

Most publicly-traded companies set and enforce requirements for the management and tracking of IT assets within their corporate environment. This discipline supports secure and documented destruction of digital data, and ensures IT assets are reconciled in accounting and IT records.

Change is never easy so you can expect resistance from local teams, however a competent vendor can take the lead and offer solutions that deliver tangible business value. The goal should not be to replicate individual programs with a single vendor.

It should be to reimagine how you are handling the assets, leverage efficiency gains and improve your solutions, responsibly and efficiently. Benefits of a competent single vendor to manage a national or global program will typically include:

• Accountability of how IT assets are disposed of,
• Assurance that offices aren’t shortcutting systems and bypassing protocols,
• Reduction in logistics costs as handling is standardized and streamlined,
• Consistency in audit trails,
• Standardized invoicing and settlements,
• Guidance in laws and requirements affecting retired IT assets,
• Repeatable processes and audit trails due to defined roles and responsibilities,
• Competitive pricing from reselling IT assets in volume, and
• Bargaining power and favorable terms.
• Working with a strong IT asset disposition program can help your company ensure data security, brand protection and maximum IT value recovery.