
Data Destruction, at Your Disposal

Regulatory pressure, data leakage force enterprises to look at more secure disposal practices

So what do you do with those old PCs and servers when you buy new equipment?

Some organizations put them in storage, delaying the inevitable, while others donate, auction, landfill, or recycle the equipment. Most companies today still take responsibility for wiping their own hard drives clean of data, although not always safely and thoroughly, which leaves data vulnerable to falling into the wrong hands. (See Second-Hand Drives Yield First-Class Data and A Garbage Can for Hard Drives.)

The number of expired and outdated technology assets is eye-popping: There were around 40 million PCs and laptops alone retired last year, according to IDC estimates. Those numbers are likely to be a lot higher in the next year or so, as Vista deployments come along, especially considering the average lifespan of a laptop is two years; a desktop machine, three; and a server, three to five years, according to Gartner.

But with more regulatory (and environmental) pressures, and data leakage paranoia at an all-time high, companies are starting to look at adopting more secure, streamlined disposal practices.

Memorial Hospital of Rhode Island this fall outsourced the disposal and recycling of its IT equipment to NextPhase, a division of Converge, a $500 million reseller of electronic components and technology products. "We box it up into big [crates] and they send a shipping company over" to pick them up, says Dennis Owens, director of environmental services for the hospital. "We get reports on all items taken, and a short time later a report on the residual value, and we get a certificate of destruction that shows it's been safely destroyed in their possession."

NextPhase remarkets and recycles used equipment, as well as securely wipes and "sanitizes" data from disks and machines, and passes on any remarketing profits to its customers in the form of savings on their shipment fees, etc.

"As a hospital, we always thought about regular and medical waste," Owens says. "Little did we know, this [problem] was creeping up on us."

Regulatory pressures were another big influence. Aside from the obvious HIPAA constraints on the healthcare organization, state law in Rhode Island recently outlawed dumping technology hardware in landfills.

"Most of our assets were ready to retire, so this offered us an option to recycle and get value for it residually," Owens says. "A little of it's resellable, most of it gets recycled and we share the benefits of that and it gets subtracted from our shipping and handling fees."

So far, Memorial Hospital retains its old hard drives internally. But a stray disk drive once got inadvertently sent along with the other equipment to NextPhase, which then had to destroy the drive for the hospital.

The hospital has the option of having NextPhase take over that job at some point full-time. "At whatever point we want to remove them, we would send to NextPhase and have them destroy them," notes Owens.

Owens says the hospital considered some traditional recycling companies as well. But the hospital wanted to be sure it was guaranteed its equipment was disposed of safely and properly.

"We had to make sure it was handled properly and didn't come back to haunt you. We didn't want things appearing in a foreign country" or something like that, he says.

NextPhase remarkets about 30 percent of the equipment it receives, and destroys or disposes of 70 percent, notes Chris Adam, director of NextPhase services for Converge. The company last week launched an online asset management tool for its customers; it already provides a portal for them to track the progress of their pickup, recycling, disposal, and repurposing, as well as of their data erasure.

Adam won't disclose NextPhase pricing, which depends on the customer, but notes that Gartner estimates a cost of $60 per asset for disposal. Gartner recommends that enterprises outsource their IT asset disposal to a third party for cost, professional, regulatory, and security reasons.

Aside from NextPhase, companies like Redemtech and Intechra fall in this space, as do vendors like HP and IBM, which also offer disposal services.

And the market for disposing of computer equipment and data will only grow, with 60 percent of U.S. consumers still keeping their retired computers at home for now, according to IDC. "There's a gigantic consumer market" for disposal, says David Daoud, an IDC research manager.

"One-third of U.S. organizations and government claim to have a data destruction policy, but it remains to be seen how you destroy your hard drives," Daoud says. "You need to have formalities and processes in place to guarantee you are compliant to regulations and your internal processes are securing the data... It's not wise to dedicate your own IT staff to do that."

Frances O'Brien, a vice president with Gartner, says there's been a lot of venture capital activity in the third-party disposal market, as well as roll-ups and consolidations. "The opportunities are going to expand -- what about all the cellphones and electronic equipment like iPods?"

Data-wise, it makes more sense to contract with a trusted outside source, she says. "It's more than deleting and reformatting fields," she says. "Those directories and files are still there."

And it's really an asset management -- not just disposal -- issue, she says. If you don't know for sure how many PCs you own or are trashing, that's a problem. Properly tracking the equipment through purchase, deployment, and retirement is crucial. Someone at the loading dock might decide to grab one of those retired PCs to take home to his kids, for instance, and suddenly you don't know where that machine, or its residual data, has gone. "It happens all the time," she says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
