How confident are you that your discarded end-of-life IT assets aren't going to come back to haunt you? Consider this:
Last year, two discarded bank computers, containing hundreds of customer files including account numbers and balances, were listed for sale on eBay. Also last year, a former Morgan Stanley vice president sold his old BlackBerry on eBay for $US15; it still had a trove of confidential internal e-mails and a company directory.
As these widely reported horror stories demonstrate, improper disposal of old equipment poses huge security risks.
And data security isn't the only worry. Environmental concerns about widespread dumping of potentially toxic, used IT equipment is creating major potential legal and publicity hazards for enterprises looking to dispose of e-waste, as it is sometimes known. E-waste can have concentrations of lead, cadmium, mercury, and other harmful chemicals.
In short, the disposal of end-of-life assets has become a ticking time bomb for many enterprises. "There's a tsunami of used, obsolete PCs that is going to hit the marketplace, a huge backlog of assets that has not been dealt with," explains Kathy Ferguson, business unit executive at IBM global asset recovery services. She says that many enterprises are dealing with the problem by "shoving product into the cupboards and the hallways".
About one billion units of computer equipment will become potential scrap between now and 2010, according to the International Association of Electronics Recyclers. And enterprises can no longer count on selling off their used assets at a profit, because the pace of innovation has cut the resale value of used computer equipment in half, according to Robert Houghton, president of Redemtech, a technology recycling firm. "The old practice of asking a broker to take the stuff away (for free), wipe the drives, and give me a certificate of liability no longer works," Houghton says.
What's an enterprise with end-of-life assets to do? If you plan ahead, you can minimize your data security risks, your environmental liabilities, and your costs.
Ensure data destruction
Avoid getting burned by industrial espionage or privacy lawsuits by completely destroying all data before disposing of IT assets. Healthcare and financial services enterprises must comply with laws, so the stakes in those fields are even higher.
One extreme approach favoured by those who have been burned in the past, according to Gartner research director Frances O'Brien, is to simply remove and destroy all drives before handing machines over to a disposal or recycling vendor, or before reselling them. But for most enterprises, completely overwriting the data according to stringent guidelines such of which require overwriting each disk sector four times, should be sufficient.
"Data destruction takes time and a specific process," says Tod Arbogast, senior manager at Dell asset recovery services. Simply scrambling or deleting the file allocation table isn't sufficient, he adds, nor is rewriting each drive sector just once, because the data can still be reconstructed. The more secure four-pass method takes more time, Arbogast says, but can be accomplished economically by daisy-chaining PCs together to rewrite multiple drives simultaneously. Another tip: some disposal firms randomly send wiped PCs to data recovery specialists to verify that their data destruction processes are bulletproof.
Minimize environmental liabilities
The best approach is to perform due diligence on how your disposal vendor handles environmental compliance and what hazardous materials handling certifications it has -- such as the International Organization for Standardization's Environmental Management System standard 14001. Also learn what its downstream vendors are doing, because your liability is not necessarily limited once the equipment has changed hands several times.
The technology for recycling electronic equipment is improving, according to Dell's Arbogast. Most destruction and recycling of raw materials is done by physically grinding components and separating raw materials. However, Gartner's O'Brien notes that electronics recycling is a limited option because there's not enough of a market for the resulting recycled materials -- so you're more likely to be dealing with environmental issues surrounding disposal than recycling.
Think cradle-to-grave TCO
Rather than assuming there's a paying market for your used equipment, experts recommend taking a hard look at disposal costs as part of the asset's total cost of ownership.
A recent Gartner study found that per-PC disposal costs could vary greatly depending on disposal method, including resale proceeds. But vendors say most enterprises don't really have a handle on what their true disposal costs will be, especially the cost of managing the logistics of equipment removal and disposal. "Our No. 1 competitor is internal programs," says one vendor, "but most customers have no idea how much it costs them."
The best way to manage disposal is to start planning for those costs when you acquire assets. Prices are all over the map for outsourced disposal but figures don't include internal administrative and labour costs. "It's when do you retire it, how do you retire it," says Gerri Gold, vice president of corporate development at HP financial services. "All those things need to be integrated together in a total solution," Gold says.
When you decide to upgrade, get the old equipment out the door as fast as possible so you can recapture the maximum resale value, Ferguson says, rather than having it sit around in storage where it will surely lose all value.
Leverage process automation
To minimize your costs, establish enterprise-wide processes for handling asset retirement and disposal. "You need to set a corporatewide strategy," IBM's Ferguson says, "an efficient process for deciding if an asset has value or needs to be scrapped, getting the most cash if there's value, or disposing of it in an environmentally safe manner." Other options that could be part of your overall strategy include internal redeployment, sales to employees, and charitable donations -- although the latter programs can be costly and time-consuming. And charities may want software and support to come with used equipment.
"You want to try and take the labour out of [asset disposal]," O'Brien adds, and recommends using asset management software to handle documentation of such end-of-life issues as asset mix and condition, status, chain of custody, and important details such as software license removal. "Know what you own in the first place," O'Brien says, "and understand that different equipment comes out of service at different points in time for different reasons, and you may need multiple paths for [disposal of] that equipment."
Logistics and equipment removal is another area where process is key, Arbogast explains. "Often customers aren't really in tune with where their assets are located, or the specs of the equipment, so they need on-site inventories," he adds.
Choose the right vendors
Vendor selection is a critical issue in disposal. In addition to strong environmental, data security, and operational processes, enterprises should look for robust audit trail, asset tracking, and reporting capabilities.
Disposal vendors include large OEMs such as Dell, Hewlett-Packard, and IBM -- who have developed disposal programs as part of their leasing ventures and are now starting to market them more aggressively. O'Brien recommends conducting extensive due diligence, including scrutinizing hiring processes (do they do routine background checks?), subcontractor selection, and available indemnifications they can offer you. "Look at their insurance policy -- if it's $3 million to $5 million and I'm a $50 billion company, that won't cut it," she explains.
And because shipping is one of the biggest cost components of disposal, O'Brien recommends choosing a vendor that has locations relatively near where your equipment is located.
But with vendor selection, as with the data security and environmental aspects of disposal, it all comes back to cost vs risk. O'Brien sums up the challenge of disposing of end-of-life assets: "At the end of the day, you have to look at how much risk you want to assume."