Data Dilemma

As businesses refresh their technologies at a faster pace, more computers, monitors and other electronic devices are being disposed of than ever before. In the past, many would simply toss these old electronics in the bin, a practice that could potentially release toxins such as lead, cadmium and mercury into the surrounding environment.

Adding to concerns is the need for companies to ensure that data on discarded computer hard drives is properly destroyed before disposal. If sensitive information is not fully removed and hard drives end up in landfills or are remarketed, proprietary data could fall into the wrong hands. Ultimately, it is the responsibility of the corporation that owns the computers to ensure data is properly removed and that hard drives are physically shredded or melted down so that sensitive information — such as intellectual property and financial or medical records — is not recoverable.

More than 20 state legislatures are currently mulling e-waste legislation proposals that aim to curb the simple dumping of e-waste into landfills and mandate the proper recycling and disposal of such products. It is important for electronics users and manufacturers to be aware of the impending changes, but waste handlers and recycling partners must also be aware of new legislation so they can properly handle e-waste.

Waste disposal and recycling partners need to give businesses a clear view of their assets at every point in the disposition process and ensure compliance with both state and federal regulations. An IT asset disposal partner should, at minimum, abide by the following guidelines:

  • Strict physical inventory control and tracking should start at the point of shipment and continue through final disposition.

  • Licensed direct-route bond carriers should be employed to transport disk drives.

  • Upon receipt at the disposal partner's facilities, disk drives should be verified, tested and assigned a unique, customer-specific control tracking number.

  • All labels and tags identifying the equipment's company of origin need to be removed.

  • Data erasure procedures should be conducted in strict accordance with U.S. Department of Defense 52220.22M standards. A certificate of erasure (COE) should be issued to the client upon completion.

  • Non-functioning drives should be physically destroyed in accordance with specific National Security Agency guidelines. A certificate of destruction (COD) should be issued to the client upon completion.

  • Periodic random internal and external quality control audits should be conducted to regularly evaluate the entire data destruction process.

  • A detailed audit trail should document the successful erasure and/or destruction of all material received.

Given the changing legislative landscape, more businesses are turning to recycling partners to handle IT asset disposal. It is important that recyclers stay up to date on e-waste legislation so that they are best equipped to serve their customers. At the end of the day, competent data disposal practices could determine whether or not a valued customer ends up in the headlines.
Chris Adam is the director of NextPhase services at Converge, a provider of IT asset end-of-life services to enterprises.