Data Destruction, at Your Disposal

Regulatory pressure, data leakage force enterprises to look at more secure disposal practices

So what do you do with those old PCs and servers when you buy new equipment?

Some organizations put them in storage, delaying the inevitable, while others donate, auction, landfill, or recycle the equipment. Most companies still take responsibility today for wiping their own hard drives clean of data, although not always safely and thoroughly, which leaves data vulnerable to falling into the wrong hands. (See Second-Hand Drives Yield First-Class Data and A Garbage Can for Hard Drives.)

The number of expired and outdated technology assets is eye-popping: There were around 40 million PCs and laptops alone retired last year, according to IDC estimates. Those numbers are likely to be a lot higher in the next year or so, as Vista deployments come along, especially considering the average lifespan of a laptop is two years; a desktop machine, three; and a server, three to five years, according to Gartner.

But with more regulatory (and environmental) pressures, and data leakage paranoia at an all-time high, companies are starting to look at adopting more secure, streamlined disposal practices.

Memorial Hospital of Rhode Island this fall outsourced the disposal and recycling of its IT equipment to NextPhase, a division of Converge, a $500 million reseller of electronic components and technology products. "We box it up into big [crates] and they send a shipping company over" to pick them up, says Dennis Owens, director of environmental services for the hospital. "We get reports on all items taken, and a short time later a report on the residual value, and we get a certificate of destruction that shows it's been safely destroyed in their possession."

NextPhase remarkets and recycles used equipment, as well as securely wipes and "sanitizes" data from disks and machines, and passes on any remarketing profits to its customers in the form of savings on their shipment fees, etc.

"As a hospital, we always thought about regular and medical waste," Owens says. "Little did we know, this [problem] was creeping up on us."

Regulatory pressures were another big influence. Aside from the obvious HIPAA constraints on the healthcare organization, state law in Rhode Island recently outlawed dumping technology hardware in landfills.

"Most of our assets were ready to retire, so this offered us an option to recycle and get value for it residually," Owens says. "A little of it's resellable, most of it gets recycled and we share the benefits of that and it gets subtracted from our shipping and handling fees."

So far, Memorial Hospital retains its old hard drives internally. But a stray disk drive once got inadvertently sent along with the other equipment to NextPhase, which then had to destroy the drive for the hospital.

The hospital has the option of having NextPhase take over that job at some point full-time. "At whatever point we want to remove them, we would send to NextPhase and have them destroy them," notes Owens.

Owens says the hospital considered some traditional recycling companies as well. But the hospital wanted a guarantee that its equipment would be disposed of safely and properly.

"We had to make sure it was handled properly and didn't come back to haunt you. We didn't want things appearing in a foreign country" or something like that, he says.

NextPhase remarkets about 30 percent of the equipment it receives, and destroys or disposes of 70 percent, notes Chris Adam, director of NextPhase services for Converge. The company last week launched an online asset management tool for its customers; it already provides a portal for them to track the progress of their pickup, recycling, disposal, and repurposing, as well as of their data erasure.

Adam won't disclose NextPhase pricing, which depends on the customer, but notes that Gartner estimates a cost of $60 per asset for disposal. Gartner recommends that enterprises outsource their IT asset disposal to a third party for cost, professional, regulatory, and security reasons.

Aside from NextPhase, companies like Redemtech and Intechra fall in this space, as well as vendors like HP and IBM, which also offer disposal services.

And the market for disposing of computer equipment and data will only grow, with 60 percent of U.S. consumers still keeping their retired computers at home for now, according to IDC. "There's a gigantic consumer market" for disposal, says David Daoud, an IDC research manager.

"One-third of U.S. organizations and government claim to have a data destruction policy, but it remains to be seen how you destroy your hard drives," Daoud says. "You need to have formalities and processes in place to guarantee you are compliant to regulations and your internal processes are securing the data... It's not wise to dedicate your own IT staff to do that."

Frances O'Brien, a vice president with Gartner, says there's been a lot of venture capital activity in the third-party disposal market, as well as roll-ups and consolidations. "The opportunities are going to expand -- what about all the cellphones and electronic equipment like iPods."

Data-wise, it makes more sense to contract with a trusted outside source, she says. "It's more than deleting and reformatting fields," she says. "Those directories and files are still there."

And it's really an asset management -- not just disposal -- issue, she says. If you don't know for sure how many PCs you own or are trashing, that's a problem. Properly tracking the equipment through purchase, deployment, and retirement is crucial. Someone at the loading dock might decide to grab one of those retired PCs to take home to his kids, for instance, and suddenly you don't know where that machine, or its residual data, has gone. "It happens all the time," she says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
