Why is IT asset disposition (ITAD) one of the most important considerations for any organization? It’s because improperly disposing of e-waste is damaging to the environment and puts you at risk of data theft. Restoring equipment to factory settings is not enough to keep someone from accessing old files, passwords, or photos.
The safest and most responsible way to dispose of unwanted or obsolete electronics is by hiring an ITAD provider. Be sure to partner with the right ITAD company, or you could end up in more trouble than you might expect.
For example, Morgan Stanley learned this the hard way when the company hired a firm to decommission its old electronic equipment in a data center that was being shut down. Not only did they fail to keep an inventory of what customer information was on the electronics being decommissioned, but one of the ITAD vendors didn’t properly wipe data before the computers left the bank’s data center. Those computers held unencrypted files containing consumers’ financial information, which led to fines and penalties of $60 million.
How do I go about selecting an ITAD partner?
You have to do your due diligence in choosing an ITAD provider that follows the applicable rules and regulations. To do this, you need to understand how to evaluate and select an ITAD provider before e-waste leaves your business.
What compliance measures must you follow?
If there are rules and regulations your company must follow in terms of data security and privacy, it’s best to understand them so you know what to look for. At OceanTech we destroy data in compliance with the following laws and regulations:
- HIPAA (Health Insurance Portability and Accountability Act) – Requires covered entities to protect and secure a patient’s healthcare data, or Protected Health Information.
- PCI (Payment Card Industry Security Standards) – Protects against identity theft and credit card fraud.
- Sarbanes-Oxley Act of 2002 – A federal law that established sweeping auditing and financial regulations for public companies. Lawmakers created the legislation to help protect shareholders, employees and the public from accounting errors and fraudulent financial practices.
- GLBA (Gramm-Leach-Bliley Act) – Requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
- BSA (Bank Secrecy Act) – The Currency and Foreign Transactions Reporting Act of 1970, commonly referred to as the “Bank Secrecy Act” (BSA), requires U.S. financial institutions to assist U.S. government agencies in detecting and preventing money laundering.
- Patriot Act – Section 312 of the USA PATRIOT Act requires U.S. financial institutions to perform due diligence with regard to accounts established or maintained for foreign financial institutions and private banking accounts established or maintained for non-U.S. persons.
- Identity Theft and Assumption Deterrence Act – Enforced by the Federal Trade Commission, it makes the theft of personal information with the intent to commit an unlawful act a federal crime in the United States, with penalties of up to twenty-five years’ imprisonment and a maximum fine of $250,000.
- FDA Security Regulations (21 C.F.R. part 11) – Electronic records and electronic signatures are treated the same as paper records and handwritten signatures. Regulated companies with any documents or records in electronic format must comply with the regulation.
- Family Educational Rights and Privacy Act (FERPA) – A federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records.
These are the main regulations and rules, but others may apply to you. You need to know this information, and if you don’t, you need to choose an ITAD provider that does.
The method your company uses to dispose of its retired IT equipment – which can include recycling, remarketing, or a combination of the two – can be a hidden source of risk. Is your IT asset disposition (ITAD) program allowing sensitive data into the outside world? If it is, or you’re not sure, it might mean your company is not fully compliant with industry regulations.
The four steps to regulatory compliance in IT asset disposition are:
- To understand the implications of each industry regulation for asset disposition (as outlined above).
- To develop ITAD data security processes that are compliant with the regulations and document them.
- To make sure everyone who literally touches the IT asset disposition process understands the process and requirements.
- To be prepared to prove you have followed the compliant process if challenged in an audit.
Documentation is necessary. All the effort your team puts into compliance will be wasted if you can’t show you’ve done the work. For IT asset disposition, that means being able to document the disposition and data erasure/destruction status of each piece of equipment, generally by serial number, with all the details required by your industry’s regulations.
OceanTech offers free assessments of your required level of compliance. We’ve helped businesses and organizations in government, banking/finance, healthcare, media/entertainment, retail, telecom, utilities, and many other sectors.