Need to get rid of your old and outdated IT equipment?
Easy. Call an ITAD company to take it away for you. IT asset disposition (ITAD) providers exist to remove and dispose of obsolete or unwanted IT equipment. They serve as the solution to your company’s e-waste problem. But ITAD companies are not just garbage collectors, nor should they be. Responsible ITAD companies undertake operations with a focus on security first.
The best ITAD companies take responsibility for IT assets in a secure manner at every step of the process, leaving an audit trail and providing an authentic certificate of destruction. They help your company to eliminate the risk of data breaches and leaks by physically destroying or wiping data-bearing assets and accounting for every single piece of equipment.
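The two controls named above, accounting for every single piece of equipment and leaving an audit trail, can be checked by the customer rather than taken on trust. As an added example (not code from this article or from any ITAD provider), the Python below reconciles a decommissioning inventory against the line items on a certificate of destruction and verifies a hash-chained custody log; the CSV layouts, field names, sanitization method labels and serial numbers are constructed assumptions for illustration.

```python
"""
Reconcile a decommissioning inventory against an ITAD provider's certificate of
destruction (CoD) and verify the hash-chained custody log that accompanies it.

Added example; not code from the original article or any ITAD provider. The
record formats, field names, method labels and sample data are constructed.
"""
import csv
import hashlib
import io
from dataclasses import dataclass

# Constructed sample: what left the data center, per the customer's own asset register.
INVENTORY_CSV = """asset_tag,serial,type
A-1001,SN-AAA111,server
A-1002,SN-BBB222,server
A-1003,SN-CCC333,hdd
A-1004,SN-DDD444,hdd
A-1005,SN-EEE555,laptop
"""

# Constructed sample: line items from the provider's certificate of destruction.
COD_CSV = """serial,method,date
SN-AAA111,shred,2024-03-01
SN-BBB222,shred,2024-03-01
SN-CCC333,wipe-quick,2024-03-01
SN-FFF666,shred,2024-03-01
"""

# Assumed policy: only these sanitization methods are accepted on a certificate.
ACCEPTED_METHODS = {"shred", "degauss", "wipe-nist-800-88-purge"}


@dataclass
class Reconciliation:
    missing: list      # serials in the inventory but absent from the certificate
    unexpected: list   # serials on the certificate that were never in the inventory
    bad_method: list   # (serial, method) pairs whose method is not on the accepted list


def reconcile(inventory_csv, cod_csv, accepted=ACCEPTED_METHODS):
    """Compare what was handed over with what the certificate says was destroyed."""
    inventory = {r["serial"] for r in csv.DictReader(io.StringIO(inventory_csv))}
    cod_rows = list(csv.DictReader(io.StringIO(cod_csv)))
    certified = {r["serial"] for r in cod_rows}
    return Reconciliation(
        missing=sorted(inventory - certified),
        unexpected=sorted(certified - inventory),
        bad_method=sorted((r["serial"], r["method"])
                          for r in cod_rows if r["method"] not in accepted),
    )


GENESIS = "0" * 64


def chain_hash(prev_hash, event):
    """Each log entry commits to the previous hash, so later edits break the chain."""
    return hashlib.sha256((prev_hash + "|" + event).encode()).hexdigest()


def build_custody_log(events):
    """Return [(event, hash), ...] where each hash covers all prior entries."""
    log, prev = [], GENESIS
    for event in events:
        prev = chain_hash(prev, event)
        log.append((event, prev))
    return log


def verify_custody_log(log):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, (event, stored) in enumerate(log):
        prev = chain_hash(prev, event)
        if prev != stored:
            return i
    return -1


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, COD_CSV)
    print("missing from certificate:", result.missing)
    print("not in our inventory:   ", result.unexpected)
    print("unacceptable method:    ", result.bad_method)
    log = build_custody_log(["pickup A-1001..A-1005", "sealed transport", "shred at facility"])
    print("custody log intact:", verify_custody_log(log) == -1)
```

Anything in `missing` is a device the provider took but cannot account for, which is exactly the gap an auditor will ask about; `unexpected` usually signals a mislabelled serial, and `bad_method` catches a certificate that claims a sanitization method your policy does not accept. The custody log check only proves the record was not altered after the fact; it cannot prove the events themselves happened, so it complements, rather than replaces, a signed certificate from the provider.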
Unfortunately, not all ITAD companies operate with the same degree of integrity or expertise that is required to meet the demands of businesses operating in today’s digital world and regulatory environment.
The Evolving ITAD Industry: From Garbage Collectors to Data Guardians
The ITAD industry was built around the need for organizations to dispose of their unwanted IT assets. In other words, the industry grew from the simple need for someone to take out the trash.
Companies and individuals tend not to think twice about the outgoing trash and usually view e-waste as a matter of getting it “out of sight, out of mind”. As long as e-waste was removed from the office or data center the job was considered done.
Today, handing over your company’s e-waste to just anyone is not good enough as it represents a huge business and information security risk. The world has changed and organizations are exposed to digital risk at every turn. The process of IT asset disposal and data center decommissioning is no exception when it comes to the potential for data leaks and breaches.
For too long, IT asset disposal and the data center decommissioning process have been overlooked and under-secured when it comes to risk management and mitigation.
Regulatory Compliance and Enforcement Are Driving the Change to Security-Focused ITAD
Companies have a multitude of regulatory compliance requirements to stay on top of. The need for organizations to comply with data and information security standards is one of the biggest drivers shifting the focus of the ITAD industry from garbage collection to a security- and compliance-focused industry.
Outgoing data-bearing assets loaded with corporate secrets and private customer data represent a huge risk if not disposed of and destroyed according to strictly enforced standards. The civil and criminal penalties for non-compliance with regulations such as HIPAA, HITECH, PCI, FISMA and GDPR are significant and far reaching. In addition to the potentially crippling financial ramifications, organizations risk their brand reputation and customer/client/patient trust.
The Long Road To Recovery
It can take months, even years, to recover from the loss of business, the financial fallout and the PR nightmare that follow a breach and the subsequent violation judgment. Some businesses simply cannot recover and must shut their doors, in some cases permanently. Businesses cannot afford to leave themselves open to any data exposure risk or neglect their compliance obligations.
While compliance requirements around the handling of data have been around for some time, policing and enforcement have significantly ramped up of late. The regulatory enforcement agencies are now actively policing for compliance violations and have sent companies the clear message that they are clamping down on non-compliance and are serious about enforcing the rules.
Take for example the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The OCR is the government organization responsible for enforcing the HIPAA Privacy and Security Rules. When it comes to protecting patients’ protected health information (PHI), the OCR has signaled that it takes healthcare data loss and theft seriously and that a lack of meaningful risk management will not be tolerated.
A number of organizations have already paid the price for non-compliance with standards of the HIPAA Security Rule with settlement amounts that have ranged from $400,000 to in excess of $3.2 million.
Companies are Taking Security More Seriously
Organizations that are required to comply with HIPAA, HITECH, PCI, FISMA, GDPR, etc. are paying attention. Many are starting to care a whole lot more about reducing their digital and cyber risk and protecting their data-bearing assets in order to avoid hefty financial penalties and reputation damage.
HIPAA Civil Penalties For Violations
HIPAA Criminal Penalties for Violations
As with the HIPAA civil penalties, there are different levels of severity for criminal violations. Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information face a fine of up to $50,000, as well as imprisonment up to 1 year.
Penalties for offenses committed under false pretenses can be increased to a $100,000 fine, with up to 5 years in prison.
Offenses committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment up to 10 years.
With such serious consequences for violation, companies are understandably taking action to ensure compliance.
Digital Transformation and The Race to The Cloud
The other major driver is the accelerated pace of organizations migrating to the cloud (Amazon Web Services/AWS, Microsoft Azure, Google Cloud, IBM, etc.). Cloud used to be relegated to development environments – but not production workloads – due in large part to security concerns, particularly as pertains to compliance.
However, now that cloud providers have demonstrated that they meet and/or exceed compliance standards and are providing simple tools to report back to audit providers, more organizations are comfortable with migrating larger workloads to cloud environments. In fact, it is forecast that 83% of enterprise workloads will be in the cloud by 2020 and cloud adoption is largely being driven by compliance.
An example of this is the growing number of healthcare providers, payers, and IT professionals subject to HIPAA that are using AWS’s utility-based cloud services to process, store, and transmit PHI. A few of these healthcare organizations include the CDC, Bristol-Myers Squibb and Siemens Healthcare.
As organizations move to the cloud, they are abandoning the old way of managing data, with on-premise workloads predicted to shrink to 27% of all workloads by 2020. This means that organizations are decommissioning their data centers and getting rid of their hardware at a faster pace.
What Exactly Does Your ITAD Company Do With Your Old Equipment?
The ITAD industry is quickly evolving. Now more than ever, there is a demand for professional, security-compliant IT asset disposal services. This demand is being driven largely by the need for companies to ensure compliance and by the faster rate of cloud migration.
Companies that take their security and compliance obligations seriously know that they must take every precaution to avoid data breaches and undue exposure of data.
Many companies don’t conduct due diligence on the ITAD companies they contract. But, as with any third-party operator, organizations should conduct background checks, verify the company’s track record and understand the security of its operations. Capabilities, integrity, core competencies and transparency should all be taken into consideration before engaging an ITAD operator.
It would be wise to know exactly who you are handing your sensitive data over to, and to have 100% confidence that your IT assets are destroyed or disposed of. With the increasing pressure to comply with security and data privacy regulations, the stakes are too high for companies not to care about security. If your ITAD company does not focus first and foremost on security and audit compliance, then it is simply a glorified garbage operator or used equipment reseller.
Blindly handing your IT assets, and the valuable data on them, over to folks whose sole skill is garbage disposal means your data is at risk of ending up in the hands of a competitor or nation-state, or on the side of the road. Chances are your company won’t want to make news headlines like this one: Major Bank Loses 12 Million Customers’ Data in the Most Embarrassing Way Possible