Picture this: You just upgraded and replaced your computer systems. You invested thousands of dollars in equipment, and you spent countless hours evaluating every feature and function of the hardware, but you barely considered what to do with the decommissioned computers. Since you need to protect your data, and you are concerned for the environment, you just keep the equipment. Consequently, it is now in a storage room, creating a business risk. Sound familiar?
When disposing of IT assets, businesses must implement proper IT asset disposition processes to protect themselves from potential data breach and environmental risks.
A data breach costs a company real money! The Ponemon Institute, an independent researcher specializing in data protection and information security, estimates the total cost of a data breach at $202 per record lost due to fines, remediation expenses, reduced productivity and lost customers. Extrapolating, a lost hard drive with 10,000 records on it could cost a business more than $2 million.
Additionally, the number and magnitude of data breaches continue to grow. In 2010 alone, the Open Security Foundation reported on 222 corporate data breaches impacting approximately 14 million records. Many breaches were not the result of hackers, but rather of poor data protection protocols. Gartner Group research has found that “many companies still do not take enough care in securing data when they retire surplus assets… as a result many organizations are put at risk each day for failure to comply with their privacy and security requirements.”
When removing IT equipment from production, businesses can take three simple steps to protect themselves against a potential data breach:
* Know the rules. In addition to federal legislation such as HIPAA, FACTA, SOX and GLB that regulate data propagation, forty-six states have enacted laws governing data breach notification. Businesses must understand them all.
* Implement a comprehensive data security plan. This plan must include a component specifying when and how data is destroyed.
* Validate adherence to the plan. Another Ponemon study found that 75% of data breaches were caused by negligent employees. Businesses must audit their procedures to ensure employee compliance.
In noting “cleaning up e-waste” as one of the EPA’s top international priorities, EPA Administrator Lisa P. Jackson wrote, “the electronics that provide us with convenience often end up discarded in developing countries where improper disposal can threaten local people and the environment.” While a data breach will hurt a specific business, the environmental impact from improper electronic disposal is even more staggering. For example,
* The EPA estimates that more than 41 million computers were discarded in 2007.
* Of the 3.16 million tons of e-waste generated in 2008, the EPA estimates that only 13.6% was recycled. More than 80% of the e-waste entered our landfills!
* As of 2007, according to EPA estimates, more than 235 million electronic devices were still in storage.
Unfortunately, because Georgia has not passed legislation governing electronics recycling, it has become the responsibility of the asset owner to recycle the materials. To ensure that electronics do not pollute the environment in the U.S. or abroad, businesses must select a responsible recycling partner. Some characteristics of a quality recycler are:
* They understand their downstream recycling partners.
* They maintain internal controls for tracking various commodities.
* They are up-to-date on industry best practices and are involved in industry organizations.
* They allow you to visit and audit their facility.
* They maximize “reuse” over “recycling.”
* They provide reports demonstrating performance.
Current trends suggest additional legislation to penalize data breaches and protect the environment is coming. Recognizing this situation, businesses must act now to formalize their IT asset disposition process – protecting both themselves and the environment.
This is an article originally written by ecycle's Brad Mencher for the Intelligent Office Newsletter