
2/12/2007
07:40 AM

Data Destruction, at Your Disposal

Regulatory pressure, data leakage force enterprises to look at more secure disposal practices

So what do you do with those old PCs and servers when you buy new equipment?

Some organizations put them in storage, delaying the inevitable, while others donate, auction, landfill, or recycle the equipment. Most companies still take responsibility today for wiping their own hard drives clean of data, although not always safely and thoroughly, which leaves data vulnerable to falling into the wrong hands. (See Second-Hand Drives Yield First-Class Data and A Garbage Can for Hard Drives.)

The number of expired and outdated technology assets is eye-popping: There were around 40 million PCs and laptops alone retired last year, according to IDC estimates. Those numbers are likely to be a lot higher in the next year or so, as Vista deployments come along, especially considering the average lifespan of a laptop is two years; a desktop machine, three; and a server, three to five years, according to Gartner.

But with more regulatory (and environmental) pressures, and data leakage paranoia at an all-time high, companies are starting to look at adopting more secure, streamlined disposal practices.

Memorial Hospital of Rhode Island this fall outsourced the disposal and recycling of its IT equipment to NextPhase, a division of Converge, a $500 million reseller of electronic components and technology products. "We box it up into big [crates] and they send a shipping company over" to pick them up, says Dennis Owens, director of environmental services for the hospital. "We get reports on all items taken, and a short time later a report on the residual value, and we get a certificate of destruction that shows it's been safely destroyed in their possession."

NextPhase remarkets and recycles used equipment, as well as securely wipes and "sanitizes" data from disks and machines, and passes on any remarketing profits to its customers in the form of savings on their shipment fees, etc.

"As a hospital, we always thought about regular and medical waste," Owens says. "Little did we know, this [problem] was creeping up on us."

Regulatory pressures were another big influence. Aside from the obvious HIPAA constraints on the healthcare organization, state law in Rhode Island recently outlawed dumping technology hardware in landfills.

"Most of our assets were ready to retire, so this offered us an option to recycle and get value for it residually," Owens says. "A little of it's resellable, most of it gets recycled and we share the benefits of that and it gets subtracted from our shipping and handling fees."

So far, Memorial Hospital retains its old hard drives internally. But a stray disk drive once got inadvertently sent along with the other equipment to NextPhase, which then had to destroy the drive for the hospital.

The hospital has the option of having NextPhase take over that job at some point full-time. "At whatever point we want to remove them, we would send to NextPhase and have them destroy them," notes Owens.

Owens says the hospital considered some traditional recycling companies as well. But the hospital wanted to be sure it was guaranteed its equipment was disposed of safely and properly.

"We had to make sure it was handled properly and didn't come back to haunt you. We didn't want things appearing in a foreign country" or something like that, he says.

NextPhase remarkets about 30 percent of the equipment it receives, and destroys or disposes of 70 percent, notes Chris Adam, director of NextPhase services for Converge. The company last week launched an online asset management tool for its customers; it already provides a portal for them to track the progress of their pickup, recycling, disposal, and repurposing, as well as of their data erasure.

Adam won't disclose NextPhase pricing, which depends on the customer, but notes that Gartner estimates a cost of $60 per asset for disposal. Gartner recommends that enterprises outsource their IT asset disposal to a third party for cost, professional, regulatory, and security reasons.

Aside from NextPhase, companies like Redemtech and Intechra fall in this space, as well as vendors like HP and IBM, which also offer disposal services.

And the market for disposing of computer equipment and data will only grow, with 60 percent of U.S. consumers still keeping their retired computers at home for now, according to IDC. "There's a gigantic consumer market" for disposal, says David Daoud, an IDC research manager.

"One-third of U.S. organizations and government claim to have a data destruction policy, but it remains to be seen how you destroy your hard drives," Daoud says. "You need to have formalities and processes in place to guarantee you are compliant to regulations and your internal processes are securing the data... It's not wise to dedicate your own IT staff to do that."

Frances O'Brien, a vice president with Gartner, says there's been a lot of venture capital activity in the third-party disposal market, as well as roll-ups and consolidations. "The opportunities are going to expand -- what about all the cellphones and electronic equipment like iPods?"

Data-wise, it makes more sense to contract with a trusted outside source, she says. "It's more than deleting and reformatting fields," she says. "Those directories and files are still there."

And it's really an asset management -- not just disposal -- issue, she says. If you don't know for sure how many PCs you own or are trashing, that's a problem. Properly tracking the equipment through purchase, deployment, and retirement is crucial. Someone at the loading dock might decide to grab one of those retired PCs to take home to his kids, for instance, and suddenly you don't know where that machine, or its residual data, has gone. "It happens all the time," she says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
