Getting rid of retired computer equipment requires planning. On the one hand, you want to be “green” and keep potentially hazardous materials out of landfills. On the other, you have to dispose of computer equipment so none of your organization’s data is compromised.
If you don’t plan carefully and thoroughly vet any contractors you bring in to help with this task, you could end up with a major problem.
Your choice of IT asset management software can help you prevent a disaster like one that happened in the UK last summer.
The National Health Service (NHS) in Surrey, UK, was hit with a £200,000 (around US$327,440) fine after someone bought a used computer on an auction site and found more than 3,000 patient records on it. Back in 2010, the NHS switched to a new data destruction company to wipe and destroy its old computer equipment, but apparently did not follow through to confirm that the information had actually been erased securely.
The agreement the NHS had with the company sounded ideal. The data destruction company took the old equipment off their hands for free, and could sell salvageable materials after the hard drives were destroyed. The end result was essentially the sale of patient information online, a scenario that would give a HIPAA compliance specialist in the US nightmares. The NHS reclaimed another 39 computers from the data destruction provider, and three of them still had sensitive personal information on them.
Improper IT asset disposal usually doesn’t result in the end of civilization. Usually.
In hindsight it’s easy to see what a potential disaster this arrangement was. The data destruction company thought that crushing the hard drives was sufficient to erase the data, but that was not the case. Disposal specialists have to use accredited erasure software or a degausser to permanently erase data. And it wasn’t a highly trained computer forensic specialist who found the sensitive data; it was an ordinary person buying a used computer online. To safely and securely dispose of retired computer equipment, you need to take these steps:
For functioning hardware: Purchase reputable, accredited erasure software that meets government data erasure standards. This software should wipe all traces of data and provide verification reports and an audit trail.
For non-functioning hardware: Purchase or rent a degausser. Degaussers work on magnetic media, including hard drives, by moving the media through a degaussing field. This realigns the magnetic particles on the media, erasing all data previously written to it.
For contracting IT asset disposal: Thoroughly research any asset disposal service you consider working with. The company should have proper security clearance and should provide proof that it complies with security requirements like those of HIPAA (healthcare), Sarbanes-Oxley (accounting), Gramm-Leach-Bliley (banking), and the FACT Act (Federal Trade Commission).
Sure, it’s fun to have one of these around the office, but it doesn’t count as a secure way to erase retiring IT hardware.
How Your IT Asset Management Software Can Help
Every device that stores data should be in your IT asset management database. This includes desktop workstations, laptops, smartphones, and BYOD devices. Each asset should have an assigned “owner” who is primarily responsible for the device. If a device disappears and is not reported, your company policy should spell out clear penalties. You need to include BYOD assets in your IT asset management program so that if someone leaves their smartphone on a beach in Bali, you can at least ensure it can no longer access your network.
Another important point about BYOD equipment: make sure employees know that before they upgrade a personal iPhone or iPad they use for work, they must notify the IT service desk so the old device can be blocked from the company network and checked to ensure that no company data remains on it. Have clear policies in place spelling out what end-users should do and what the penalties are for not complying.
The last known location of every asset should be recorded in a field in your IT asset management program. When an asset is disposed of, a field should specify which IT technician disposed of it. Attaching disposal records (including emails confirming that the storage media was wiped or destroyed) to your database is important for maintaining an audit trail.
When you get rid of assets, whether by destroying or recycling them, remove company-identifiable markings but leave the serial numbers on. Should an asset eventually turn up under non-standard circumstances (like in a police evidence locker), you will still be able to look it up in your IT asset management program and produce documentation of what was done to it.
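The disposal records described above are only useful if someone checks them, which is the follow-through the NHS case lacked. As an added example (not from the original article or any particular ITAM product), this Python snippet models an asset register with the fields the article calls for and audits every disposed or lost asset for a missing technician, an erasure method other than accredited wipe software or degaussing, or missing wipe evidence; it adds one assumed field, the media type, because degaussing realigns magnetic particles and so cannot erase an SSD.

```python
from dataclasses import dataclass
from typing import Optional

# Methods the article accepts as evidence-producing erasure: accredited wipe
# software (verification report) or a degausser (magnetic media only).
ACCEPTED_METHODS = {"software_wipe", "degauss"}
MAGNETIC_MEDIA = {"hdd", "tape"}

@dataclass
class Asset:
    serial: str                       # stays on the device, even after disposal
    owner: str                        # person primarily responsible for it
    media: str                        # "hdd", "ssd" or "tape" (assumed field)
    last_location: str
    status: str = "in_service"        # in_service | lost | disposed
    disposed_by: Optional[str] = None         # IT technician who disposed of it
    erasure_method: Optional[str] = None
    evidence: Optional[str] = None            # attached wipe report / confirmation e-mail

def disposal_gaps(asset: Asset) -> list[str]:
    """Audit-trail problems for one asset; an empty list means the record is complete."""
    gaps = []
    if asset.status == "lost":
        gaps.append("lost device: confirm its network access has been revoked")
    if asset.status == "disposed":
        if not asset.disposed_by:
            gaps.append("no disposing technician recorded")
        if asset.erasure_method not in ACCEPTED_METHODS:
            gaps.append(f"method {asset.erasure_method!r} is neither accredited wipe nor degauss")
        elif asset.erasure_method == "degauss" and asset.media not in MAGNETIC_MEDIA:
            gaps.append(f"degaussing does not erase non-magnetic media ({asset.media})")
        if not asset.evidence:
            gaps.append("no wipe report or destruction confirmation attached")
    return gaps

def audit(register: list[Asset]) -> dict[str, list[str]]:
    """Serial -> gaps for every asset whose record would fail a disposal audit."""
    return {a.serial: g for a in register if (g := disposal_gaps(a))}

def find_by_serial(register: list[Asset], serial: str) -> Optional[Asset]:
    """Trace an asset that resurfaces later (auction site, evidence locker) by serial."""
    return next((a for a in register if a.serial == serial), None)

# Constructed sample register; none of these are real assets or people.
REGISTER = [
    Asset("SN-0001", "a.patel", "hdd", "Ward 3", "disposed", "j.lee", "software_wipe", "wipe-0001.pdf"),
    Asset("SN-0002", "b.ortiz", "hdd", "contractor van", "disposed", None, "crush", None),
    Asset("SN-0003", "c.nguyen", "ssd", "Clinic B", "disposed", "j.lee", "degauss", "confirm.eml"),
    Asset("SN-0004", "d.kim", "ssd", "beach, Bali", "lost"),
]
```

Running `audit(REGISTER)` flags SN-0002 (no technician, unaccepted method, no evidence), SN-0003 (degaussed SSD) and SN-0004 (lost), while SN-0001 passes; `find_by_serial` is the lookup you would use when a wiped machine reappears second-hand.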