ITAD Horror Stories

If it’s October, Halloween is just around the corner. So, what could be a better time to curl up with a few “tales of terror” stories about I.T. Asset Disposition (“ITAD”) gone wrong? How about organizations that had comprehensive ITAD plans in place, but somehow things went from bad to scary? Read on…because even the most uber conscientious I.R. professional could have been the victim in one of these real-life horror stories.

Everyone loves a good horror story every so often, but when it comes to real life, we want to know if there’s a monster lurking under the bed. Here are a few I.T. Asset Disposition (“ITAD”) stories gone wrong. We hope it will provide you with some insights, so you know what to
avoid, and who to watch out for when the lights go out.

1. Major soft drink company: This household-name company prided itself on having a sterling model of I.T. security disposition standards and safeguards. And then, in 2014, 74,000 employees and vendors had their SSN#s, driver’s license I.D.s and credit cards jeopardized. The cause? Fifty-five laptops were stolen by an employee who was assigned to dispose of the equipment properly. The reason? The investigation revealed that some of the data belonged to a recently acquired bottling company that did not have the same strict adherence to ITAD encryption. [Source: www.crn.news; “Laptop Breach a Common Failure of Encryption Basics”]    

2. A major insurance company:
In 2009, fifty-seven unencrypted hard drives containing audio customer calls of more than 1 million policyholders were stolen. To make matters worse, they were being stored in an unsecured back closet. This office had become lax in adhering to an ITAD plan, making them an easy target. And the price was high. The insurance company paid $1.5M in penalty fees and was forced to implement a lengthy corrective action for HIPAA violation. But that’s just for starters. As a result of the breach, the company paid $17 million in the investigation, notification, and mitigation steps. A portion of that amount—$6 million—went toward data encryption. [Source; www.hhhs.gov; “HIPAA for Professional Enforcement Examples”]

3.   A Midwestern state: In 2007, a state agency intern was entrusted with the overnight safe keeping of a data tape. Not smart—because the tape was stolen from the intern’s car. Even worse, this was a backup tape containing personal and banking information of 1.2 million individuals and other businesses. As a result, the state paid an estimated $3M to notify the victims of the data breach and to provide identity-theft prevention services to them. Although there was a cybersecurity policy in place, it was not understood or followed. [Source: www.dispatch.com; “Data Theft Kept Quiet”]

These ITAD tales of terror were brought to you by haphazard adherence to an ITAD plan. To implement and maintain a successful ITAD program, it starts with a comprehensive understanding of ITAD certifications.

 

ITAD – the who, what, where

As mentioned previously, ITAD stands for I.T. asset disposition and represents a documented process for the disposal of obsolete or unwanted equipment in a safe, ethical, and environmentally responsible manner. The central mandate is to decommission I.T. devices and their contents effectively. A proper ITAD policy includes the critical need to control the data that is stored on the equipment, its disposition, removal and transfer.

Roots of e-Waste 

The Resource Conservation and Recovery Act (RCRA) is our nation’s primary law governing the disposal of solid and hazardous waste. RCRA was signed into law on October 21, 1976, to address the increasing problems the nation faced from our growing volume of municipal and industrial waste. RCRA was an amendment to the Solid Waste Disposal Act of 1965, which was the first statute that specifically focused on improving solid waste disposal methods. So, when e-waste started to become an issue, the stage was set for serious consideration and acceptance. [Source: epa.gov website]

In 1991, the first electronic waste recycling program, SWICO, was implemented in Switzerland. It started with the collection of old refrigerators but expanded to cover all devices. In 1993, the New York Times published the first-ever report on computer recycling and electronic waste. The front-page story detailed the pioneering work of a small recycler, Advanced Recovery Inc. They were trying to dismantle computers, even if most wastes were landfilled safely. Several other companies emerged in the early 1990s, chiefly in Europe, where national ‘take back’ laws compelled retailers to use these companies.

However, many countries started exporting their burgeoning e-waste problem to countries that turned a blind eye to environmental legislation — a cheap solution. The cost of recycling computer monitors in the U.S. is ten times more than in China. Demand in Asia for e-waste began to grow when valuable substances could be extracted during the recycling process.

The 2000s saw a significant increase in both the sale of electronic devices and their growth as a waste stream. This gave rise to landmark legislation both here and abroad. The Waste Electrical and Electronic Equipment Directive (WEEE Directive) became European Law in 2003 and covered all aspects of recycling all types of appliances. This was followed by the California law of 2005; the Electronic Waste Recycling Act. Today ITAD is a $15 billion industry worldwide and is growing at 10%+ per year. [Source: IT ASSET DISPOSITION (ITAD) Market; “Global Forecast to 2022, MarketsandMarkets”]

The real cost of ITAD non-compliance 

Today, there are numerous local, state, and federal regulations. Twenty-five states currently have legislation that dictates how to dispose of or recycle e-waste. In at least one state, the careless disposal of one P.C. could cost a company well over $10,000 in fines. There are even regulations in the U.S. covering specific industries such as healthcare and financial services. [Source: www.nojitter.com; “Discarded I.T. Can Hurt You”]

The key to maintaining compliance is understanding that ITAD is not a one and done deal. Regulations and requirements are continually evolving as new environmental concerns grow in proportion to the increasing amount of e-waste. Having a knowledgeable ITAD partner will maximize data security, lower Total Cost of Ownership (TCO), minimize business risk, and ensure that environmental ethics are consistently upheld. But collaborating effectively with your ITAD partner requires a working knowledge of the relevant industry certifications. In other words, the more you know about ITAD, the less risk you face for non-compliance of disposal. And that’s a high price to pay, not just in penalties but also in damage to reputation and trust from all stakeholders.

What’s in ITAD anyway?

Adding to the complexity of ITAD certifications is the evolution of environmental, employee protection, safety material management and security standards. The following overview will serve as a primer to help you better understand and evaluate this form of third-party assurance.

But for those I.R. professionals who want to navigate those complexities strategically, I will be presenting a ‘deep dive’ on ITAD certification at the 2020 Investment Recovery Spring Seminar and Trade Show in Scottsdale.

Recycling certificates alone are worthless

I hope that got your attention. ITAD vendors often issue a “certificate of recycling” documenting that the material they received was handled in compliance with all environmental laws and standards. However, what does it really mean?

The risks of non-compliance

Many unethical vendors claim ITAD adherence, but in reality, they don’t. The news is full of reports of irresponsible and unsafe practices by these companies. By choosing the wrong ITAD partner, you could be putting your organization at risk. So how can you be confident that your ITAD vendor is the ethical kind? Read on.

Third-party certifications—The Big Three

Look for a certified ITAD provider. In other words, a vendor who has been certified in three major categories: International management standards, ITAD Best Practices, and Data Security Standards.

1. International management standards

ISO 9000: Quality management and quality assurance standards developed and administered by The International Organization for Standardization (“ISO”). It is not specific to any industry.

ISO 14000: Environmental management standards to help organizations stay compliant.

OHSAS 18001: Occupational Health and Safety Assessment Series helps organizations monitor and improve occupational health and safety performance.

2. ITAD best practices 

These standards were specifically developed to address the ITAD industry and govern a variety of operational areas.

e-Stewards: Recognizes electronics recyclers adhering to the most stringent environmentally and socially responsible practices. Currently, 91 facilities have received this certification globally.

Responsible Recyclers Certification (“R2”): Processes, safety measures, and documentation requirements for businesses that repair and recycle used electronics. Over 900 facilities globally are currently R2 certified.

Recycling Industry Operating Standard (“RIOS®”): Systematic framework for recycling plants to achieve measurable continual improvement based on ISO 9001, ISO 14001, and OHSAS 18001 platforms. There are 160 RIOS-certified facilities globally.

3. Data security standards 

Data Security Standards typically mandate the following:

• Facility security controls—including badge access, CCTV, and alarms

• Employee criminal background checks and random drug screening

• Logistics security— including Bills of Lading, sealed trucks, and photos of cargo

• Business continuity plans

ISO 27001: Requires an Information Security Management System (“ISMS”) ensuring adequate security controls are in place to protect sensitive information.

NAID AAA: The National Association for Information Destruction (“NAID”) provides auditing services to its members for media destruction and/or computer hard drive sanitization.

Other standards                      

Several ancillary standards may add insight into your ITAD vendor relationship.

Asset Disposal and Information Security Alliance (“ADISA”): ADISA standards cover all phases of ITAD, and members must pass bi-annual site audits.

WEEELABEX: Sets standards and monitors ten categories of Waste Electronic and Electronic equipment (WEEE)

Transported Asset Protection Association (“TAPA”):
Sets international security standards for high-value theft.

Microsoft Authorized Refurbisher (“MAR”):
Certifies and audits companies who install M.S. products into refurbished computers.

 

Avoid the “Tales of Terror” scenario

While third-party certifications can provide additional assurance of an ITAD provider’s compliance, you should also do your own due diligence. I look forward to sharing actionable information that every I.R. professional could add to their skill set. Because choosing the right ITAD partner is too important to rely solely on third-party certifications. After all, it’s your reputation and resources on the line.