Not all IT Asset Disposition Companies (ITADs) Are Created Equal
IT Asset Disposition (ITAD) is the process of reusing, recycling, or disposing of retired IT equipment in a secure and environmentally friendly way.
As businesses contend with the reality of shorter technology lifecycles, more frequent hardware replacement events, information privacy regulations, software licensing rules and corporate responsibility towards environmental, social and governance (ESG) standards, the need for safe and secure IT equipment disposition has become more critical.
There are plenty of ITAD companies that will remove, resell, or destroy data center equipment for enterprises. Unfortunately, not all ITADs have skilled technical and project experts to run complex decommission projects that are safe and compliant.
If you’re contemplating a decommission or a tech refresh project, this article will help you understand the modus operandi of ITADs so you can separate wheat from chaff and select a reliable ITAD partner.
- Understand the ITAD Model
Too many ITADs are simply looking to profit from the sale of hardware and offer removal au gratis simply to acquire the assets and expedite the sales. They may even offer to securely destroy data and responsibly recycle the waste. Sounds like a pretty good bet, right? Yes, but only if you have completed all of the turn-down procedures to ensure any/all physical and logical dependencies as well as information security measures have been satisfied.
This is because their teams used to physically remove the equipment are not experts in data centers or their production or application environments. As a result, they have no appreciation for or understanding of operating within a production environment. They are prone to missing details or skipping important steps in the process, and they may be unaware of the intricacies and interdependencies, leading to unwarranted downtime or security lapses.
One of the ways to ascertain whether your ITAD has the capability to understand infrastructure interdependencies is to see if they have expertise in building data centers, if they offer “remote hands” services, or if they do data center and virtual machine migrations. With expertise that extends beyond ITAD, they are much more likely to understand production environments interdependencies and as such much more likely to complete the project safely, with minimal downtime or outages.
- Look for Useful ITAD Certifications and Beyond
It is very common for ITAD companies to use terms like “certified data destruction” to increase their credibility, but the truth is, this is often difficult to verify. One reason for this is that, at this time, there is no single data protection law at the federal level in the U.S. Instead, there are a myriad of oblique federal and state regulations that require protection measures. Destruction standards, such as the NIST SP 800-88, Rev 1, only recommend end states without specifying methods, while the NSA/CSS Policy Manual 9-2 is hyper-specific in terms of methods and tactics but requires devices and approaches to data destruction that are not readily available to most enterprises.
As such, enterprises must carefully scrutinize any service provider’s credentials, including certifications such as i-SIGMA “NAID AAA” and data breach protection coverage. However, they should also inquire about their data destruction processes and policies, such as their data breach notification policies, processes they have in place to ensure confidentiality of data through all stages of the destruction process, including handling, transporting, storing materials, destruction and disposal, and the scope of the contract.
Ensure that the company you partner with is process-driven and provides clear documentation, records and chain of custody.
- Ensure Safe & Secure Data Destruction
One of the most significant risks for enterprises is that sensitive data is lost, stolen, or otherwise released during a data decommission process. All hardware and equipment, even the seemingly inconspicuous and inconsequential drives that no one knows about, have the potential to store sensitive data that must be properly protected, handled, or destroyed. Recently, a community health center in Massachusetts came under intense scrutiny when improper data destruction compromised more than 100,000 protected health information (PHI) of customers.
These incidents are, unfortunately, not rare. A study conducted by the National Association of Information Destruction found that 40% of storage devices re-sold on regular commercial channels had personally identifiable information (PII)!
If your ITAD vendor is not sophisticated enough to undertake proper disposal and destruction of all IT assets, provide attention to detail or is inexperienced in managing complex decommissioning projects, a mistake in the process can have serious financial and ongoing consequences.
Ensure that the ITAD you partner with explains their data destruction process and issues audit-proof certificates by description, function and serial number.
- Understand The Asset Buyback Process
A trusted, certified and expert ITAD partner can ensure a greater residual value when you are looking to dispose of depreciated assets. Most ITADs, however, are highly transactional and don’t necessarily know enough about the equipment they are reselling/disposing or how to sell or dispose of it in a way that gets the maximum value.
Similarly, perhaps your project involves equipment that is fully depreciated and some that is off-lease but the residual buyout is greater than the fair market value and you need to return it to the leasing company. This procedure is littered with fine print to ensure that the equipment you return gets flagged for deficiencies and you get billed for it regardless of the cost and expense you took to ensure proper packaging and shipping. A vendor that understands the process well can help you avoid the “after-charging.”
- What is Responsible Recycling?
There are really only three options available for retired hardware assets: refurbish and reuse (internally or donate), recycle, or recover/resell. Refurbishing old hardware for internal use is time and cost-intensive compared to buying brand new hardware. This leaves businesses with two financially-viable options: resell or recycle.
We’ve talked about resale options above, but how do you know that your hardware is being responsibly recycled? Let’s take a moment to understand hardware recycling. A piece of hardware that is completely depreciated can either be thrown away and eventually find its way into a landfill or its components can be sold, leaving a very tiny carbon footprint. For example, steel, copper, gold, silver and other rare earth elements that reside in your hardware are very valuable to recyclers and can be recovered. This leaves a very tiny fraction of the original hardware that ends up in a landfill.
The statistics are staggering: Only 23 percent of enterprises look to resell IT equipment, while a full 26 percent dispose of it without attempting to recycle
A responsible ITAD company is likely to be R2-certified and work with certified downstream partners to ensure that your hardware components are recycled responsibly through all stages of the process.
In most cases, enterprises will not have the expertise to oversee and implement a decommissioning project on their own. There are countless details and too many potential opportunities for failure for IT departments that do not have experience with these types of projects. Therefore, it is best to work with a trusted partner who has experience completing similar decommissioning projects.
When seeking a partner, look for a company that emphasizes an ongoing relationship, has expertise in full lifecycle infrastructure management, and understands how the project fits within the organization’s strategic objectives and business goals. As mentioned above, many ITAD companies claim to be capable of decommissioning a data center, but you should ensure that they bring more than just the ability to rip out and resell the equipment. An ITAD that has expertise beyond just IT asset disposition is most likely to understand the intricacies of ITAD and do it safely and securely.