
Data Destruction, at Your Disposal

Regulatory pressure, data leakage force enterprises to look at more secure disposal practices

So what do you do with those old PCs and servers when you buy new equipment?

Some organizations put them in storage, delaying the inevitable, while others donate, auction, landfill, or recycle the equipment. Most companies still take responsibility today for wiping their own hard drives clean of data, although not always safely and thoroughly, which leaves data vulnerable to falling into the wrong hands. (See Second-Hand Drives Yield First-Class Data and A Garbage Can for Hard Drives.)

The number of expired and outdated technology assets is eye-popping: There were around 40 million PCs and laptops alone retired last year, according to IDC estimates. Those numbers are likely to be a lot higher in the next year or so, as Vista deployments come along, especially considering the average lifespan of a laptop is two years; a desktop machine, three; and a server, three to five years, according to Gartner.

But with more regulatory (and environmental) pressures, and data leakage paranoia at an all-time high, companies are starting to look at adopting more secure, streamlined disposal practices.

Memorial Hospital of Rhode Island this fall outsourced the disposal and recycling of its IT equipment to NextPhase, a division of Converge, a $500 million reseller of electronic components and technology products. "We box it up into big [crates] and they send a shipping company over" to pick them up, says Dennis Owens, director of environmental services for the hospital. "We get reports on all items taken, and a short time later a report on the residual value, and we get a certificate of destruction that shows it's been safely destroyed in their possession."

NextPhase remarkets and recycles used equipment, securely wipes and "sanitizes" data from disks and machines, and passes on any remarketing profits to its customers in the form of savings on their shipment fees, etc.

"As a hospital, we always thought about regular and medical waste," Owens says. "Little did we know, this [problem] was creeping up on us."

Regulatory pressures were another big influence. Aside from the obvious HIPAA constraints on the healthcare organization, state law in Rhode Island recently outlawed dumping technology hardware in landfills.

"Most of our assets were ready to retire, so this offered us an option to recycle and get value for it residually," Owens says. "A little of it's resellable, most of it gets recycled and we share the benefits of that and it gets subtracted from our shipping and handling fees."

So far, Memorial Hospital retains its old hard drives internally. But a stray disk drive once got inadvertently sent along with the other equipment to NextPhase, which then had to destroy the drive for the hospital.

The hospital has the option of having NextPhase take over that job at some point full-time. "At whatever point we want to remove them, we would send to NextPhase and have them destroy them," notes Owens.

Owens says the hospital considered some traditional recycling companies as well. But the hospital wanted a guarantee that its equipment was disposed of safely and properly.

"We had to make sure it was handled properly and didn't come back to haunt you. We didn't want things appearing in a foreign country" or something like that, he says.

NextPhase remarkets about 30 percent of the equipment it receives, and destroys or disposes of 70 percent, notes Chris Adam, director of NextPhase services for Converge. The company last week launched an online asset management tool for its customers; it already provides a portal for them to track the progress of their pickup, recycling, disposal, and repurposing, as well as of their data erasure.

Adam won't disclose NextPhase pricing, which depends on the customer, but notes that Gartner estimates a cost of $60 per asset for disposal. Gartner recommends that enterprises outsource their IT asset disposal to a third party for cost, professional, regulatory, and security reasons.

Aside from NextPhase, companies like Redemtech and Intechra fall in this space, as well as vendors like HP and IBM, which also offer disposal services.

And the market for disposing of computer equipment and data will only grow, with 60 percent of U.S. consumers still keeping their retired computers at home for now, according to IDC. "There's a gigantic consumer market" for disposal, says David Daoud, an IDC research manager.

"One-third of U.S. organizations and government claim to have a data destruction policy, but it remains to be seen how you destroy your hard drives," Daoud says. "You need to have formalities and processes in place to guarantee you are compliant to regulations and your internal processes are securing the data... It's not wise to dedicate your own IT staff to do that."

Frances O'Brien, a vice president with Gartner, says there's been a lot of venture capital activity in the third-party disposal market, as well as roll-ups and consolidations. "The opportunities are going to expand -- what about all the cellphones and electronic equipment like iPods?"

Data-wise, it makes more sense to contract with a trusted outside source, she says. "It's more than deleting and reformatting fields," she says. "Those directories and files are still there."

And it's really an asset management -- not just disposal -- issue, she says. If you don't know for sure how many PCs you own or are trashing, that's a problem. Properly tracking the equipment through purchase, deployment, and retirement is crucial. Someone at the loading dock might decide to grab one of those retired PCs to take home to his kids, for instance, and suddenly you don't know where that machine, or its residual data, has gone. "It happens all the time," she says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
