Every company eventually has to determine what to do with their used or end-of-life IT equipment. Too often, businesses aren’t sure how to handle their assets, so they end up taking up space in a data center’s closets or drawers. Others try to sell their equipment themselves, give it away to employees, or dispose of it.
None of these scenarios are inherently bad or wrong. However, you could expose your business to serious data security or environmental risks — and thus, brand risk — if you don’t handle your equipment properly when storing, selling, recycling, or disposing of it. Plus, the equipment that gathers dust in your data centers could have some residual value that your company misses out on by not selling it.
IT Asset Disposition — commonly known as ITAD — is the process of safely and responsibly handling and decommissioning unwanted, excess, or obsolete electronic equipment. Effective ITAD programs mitigate corporate risk, reduce costs, recover the greatest value from assets, and improve sustainability by ensuring that companies properly handle used or end-of-life equipment within the circular economy. At its most fundamental level, IT asset disposition is a corporate risk mitigation strategy that ensures your business remains in compliance with various laws and regulations to protect your customers and your brand’s reputation.
There are many critical steps in the ITAD process, and industry best practice today is to outsource your program to an experienced ITAD provider. Managing these risks according to best practices is not a core competency of most IT departments, and independent processes can provide a greater degree of liability protection and stronger audit trails. More businesses now hire trusted IT asset disposition companies to ensure their organization correctly, safely, and responsibly manages its IT equipment.
Key benefits of an effective ITAD program
The benefits of an effective IT asset disposition program are far-reaching, impacting numerous areas of the business. Cross-functional teams spanning executive leadership, IT, finance, security, compliance, marketing, and corporate social responsibility (CSR) have a stake in a well-run program. The key benefits of an effective ITAD program include:
Strong data security and compliance
Data security and compliance are vital to every business today. In fact, Gartner found that data risks are the top concern among Chief Audit Executives (CAEs). It is a significant and expensive brand risk if a company leaks customer data, experiences a security breach, or violates data security and privacy laws. Not only could your company face hefty fines and serious lawsuits, but your brand could also lose customer trust — which is critical for your business to succeed. If your IT team or IT asset disposition partner does not manage its program correctly, it could expose your company to many data security and privacy risks that could permanently damage your brand.
An effective ITAD program ensures strong data security and compliance by:
- Sanitizing all data from your equipment when your company decommissions its IT assets, including removing all sensitive information about your clients, employees, and partners. Effective sanitization must follow industry standards, such as NIST 800-88, to completely overwrite, clear, or physically destroy the items – just formatting is not enough.
- Tracking every data-bearing item by serial number and providing comprehensive reporting of the decommissioning and sanitization.
- Ensuring the decommissioning process itself is secure by requiring background checks on all employees and contractors involved in the ITAD process.
- Keeping the data center, warehouse, or processing facility secure by allowing only authorized personnel to enter it and by installing security cameras.
- Abiding by all state, federal, international, and specific industry regulations that apply to your business by taking the proper steps necessary to stay compliant with them.
Compliance with state, federal, international, and industry laws and regulations throughout the IT asset disposition process is essential to mitigate brand and corporate risk. Common data security and privacy laws and regulations that your ITAD manager or partner should be aware of include*:
- Gramm-Leach-Bliley Act (GLBA), which applies to financial institutions
- Sarbanes-Oxley Act (SOX), which applies to corporations
- Health Insurance Portability and Accountability Act (HIPAA), which applies to healthcare, insurance, and other businesses with health information, as enhanced by the HITECH Act.
- Fair and Accurate Credit Transactions Act (FACTA), which applies to financial information and credit card transactions
- Family Educational Rights and Privacy Act (FERPA), which applies to educational institutions
- General Data Protection Regulation (GDPR), which applies to companies that do business in or with Europe or handle European consumers’ data
- California Consumer Privacy Act (CCPA), which applies to companies that do business in or with California or handle California consumers’ data
*This list is not exhaustive, and there may be other laws and regulations that apply to your business.
Environmental compliance and green IT
Companies also face significant risks related to their environmental compliance and sustainability practices. These risks are especially prevalent in how a business handles its used or end-of-life IT equipment, making environmental compliance and green IT an important benefit of an effective ITAD program. In 2019, the world generated 53.6 million tons of electronic waste (“e-waste”), up 21% in just five years. E-waste not only ends up crowding landfills, but it also contains toxic materials, like mercury and lead, that hurt people and our planet.
Today’s companies not only have a moral and social obligation to be better stewards of the earth, but they are now subject to an increasing number of local, state, federal, and international environmental regulations, including:
Your IT asset disposition program should follow all applicable environmental laws and regulations. Focusing on the circular economy demands maximizing sustainability at each step. Typically, the best and most sustainable practice includes reusing or reselling IT equipment. Extending the life of IT assets reduces the need to manufacture new ones, which minimizes the use of natural resources. Extending their life also makes working, used equipment available for individuals and organizations that cannot afford to buy new.
When the assets have reached a point no one can use them, recycling is the next best option to convert the materials back into raw commodities. Recycling also eliminates the need to mine ore or convert fossil fuels for new equipment, some of the most damaging activities for the environment. However, it’s important to be mindful of your company’s or ITAD partner’s recycling practices to ensure the assets you recycle actually get recycled, raw materials are safely harvested, and that recycling is done responsibly and in compliance with regulations. The ITAD provider’s serialized reporting should provide transparency for these activities and a reliable audit trail for compliance.
Maximized value recovery
Your company’s used IT assets often have residual financial value that you can recoup from them after you no longer need the equipment. Making repairs to your equipment before selling it can also help you maximize the value you recover. The money you earn from reselling your IT assets is a financial benefit of an IT asset disposition program. Reselling IT assets has a positive impact on your IT budget, and — if you’re trying to make a case for hiring an ITAD provider — reselling equipment can help offset the vendor’s costs.
Strong, well-developed direct sales channels are critical to recovering the greatest value for your assets by maximizing sales to end-users rather than just wholesale or through brokers. Any IT asset disposition company you partner with should have a variety of robust sales channels and a demonstrated track record of returning industry-leading value to customers. Also, ensure that the ITAD partner is transparent in the sales and fees they charge you by providing detailed reporting of each transaction.
Proper and secure IT tracking and reporting
The bow that ties together an effective IT asset disposition program is a properly tracked IT inventory that creates an audit trail to ensure compliance with data and environmental regulations and transparency in value recovery and fees. These reports are often the final deliverable at the end of the ITAD process, but they are foundational to a successful program.
An ITAD program ensures that each asset is logged in an inventory, monitored, and tracked throughout the entire disposition process. Asset tracking and reporting should be done through a sophisticated ERP system (e.g., NetSuite) to ensure proper and secure tracking and reporting. The importance of traceability and process control cannot be overstated when handling hundreds or thousands of assets, especially with the need to track them back to the originator.
Too many IT asset disposition companies and internal ITAD teams use Excel spreadsheets and think they’re good and accurate enough. Using manual spreadsheets increases your risk for errors and mistakes, which exposes your company to more significant risks. ERP systems help you create an accurate audit trail that ensures compliance with regulations and allows you to reconcile your books.
Your IT asset reporting should include information like:
- Hard drive serial numbers
- Equipment serial number and asset tags (if used)
- Details of the type, make, model, condition, and defects of equipment
- Certificates of Data Erasure, Data Destruction, and Recycling
- Final disposition choice for each piece of equipment (e.g., reused, resold, recycled)
- Sales and revenue share for each asset sold
- Record of fees charged for processing
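One way to use the serialized report described above is to reconcile it against your own decommissioning inventory before accepting it as an audit trail. The script below is an added example, not part of the original article or any provider's tooling; the field names (`drive_serial`, `verified`, `certificate_id`, `disposition`), the disposition labels, and all sample records are constructed assumptions.

```python
from collections import Counter

# Dispositions in which a drive leaves custody intact (hypothetical labels;
# map them to whatever your provider's report actually uses).
RESALE = {"reused", "resold"}
KNOWN_DISPOSITIONS = RESALE | {"recycled", "destroyed"}


def norm(serial):
    """Serials are keyed by hand and by scanner; ignore case and padding."""
    return serial.strip().upper()


def reconcile(inventory, report):
    """Return a sorted list of (drive_serial, issue) findings."""
    findings = []
    expected = {norm(row["drive_serial"]) for row in inventory}
    counts = Counter(norm(row["drive_serial"]) for row in report)
    reported = set(counts)

    # Set differences catch drives that vanished or appeared from nowhere,
    # which is also how a mis-keyed serial number shows up.
    for serial in expected - reported:
        findings.append((serial, "in inventory but missing from provider report"))
    for serial in reported - expected:
        findings.append((serial, "reported by provider but not in inventory"))
    for serial, n in counts.items():
        if n > 1:
            findings.append((serial, f"appears {n} times in provider report"))

    for row in report:
        serial = norm(row["drive_serial"])
        disposition = row.get("disposition", "").strip().lower()
        if not row.get("certificate_id"):
            findings.append((serial, "no certificate reference"))
        if disposition not in KNOWN_DISPOSITIONS:
            findings.append((serial, f"unknown disposition {disposition!r}"))
        if not row.get("verified"):
            if disposition in RESALE:
                findings.append((serial, "released for reuse without verified erasure"))
            else:
                findings.append((serial, "sanitization not verified"))
    return sorted(findings)


def clean_coverage(inventory, report):
    """Fraction of inventoried drives that reconcile with no findings."""
    expected = {norm(row["drive_serial"]) for row in inventory}
    if not expected:
        return 1.0
    flagged = {serial for serial, _ in reconcile(inventory, report)}
    return len(expected - flagged) / len(expected)


# Constructed sample data: what left the data center ...
INVENTORY = [
    {"drive_serial": "ZA10ABCD", "asset_tag": "A-001"},
    {"drive_serial": "ZA10ABCE", "asset_tag": "A-001"},
    {"drive_serial": "WX22QRST", "asset_tag": "A-002"},
    {"drive_serial": "WX22QRSU", "asset_tag": "A-003"},
]

# ... and what the provider's report says happened to it.
REPORT = [
    {"drive_serial": "za10abcd ", "verified": True,
     "certificate_id": "COE-0001", "disposition": "resold"},
    {"drive_serial": "ZA10ABCE", "verified": False,
     "certificate_id": "COE-0002", "disposition": "resold"},
    {"drive_serial": "WX22QRST", "verified": True,
     "certificate_id": "", "disposition": "destroyed"},
    {"drive_serial": "WX22QRSV", "verified": True,
     "certificate_id": "COD-0004", "disposition": "recycled"},
]

if __name__ == "__main__":
    for serial, issue in reconcile(INVENTORY, REPORT):
        print(f"{serial}: {issue}")
    print(f"clean coverage: {clean_coverage(INVENTORY, REPORT):.0%}")
```

Anything short of 100% clean coverage means the report cannot yet serve as proof that every data-bearing item was sanitized.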
The benefits of a well-run ITAD program can impact and alter your business’s future. The next step is to determine whether to build a DIY ITAD program internally or hire an IT asset disposition company.
DIY ITAD — and the challenges it creates
Internally designing an ITAD program requires your team to become familiar with the many steps it must follow to keep data secure and stay compliant with industry, data, and environmental regulations. Our Data Center Decommissioning Checklist provides a high-level, step-by-step overview of how to decommission your IT assets and run an ITAD program. While this checklist provides a starting point to guide you through the process, it’s vital to be aware of the risks and challenges created by an improperly managed ITAD program.
Some companies believe developing a do-it-yourself ITAD program is more financially responsible. However, this thinking doesn’t account for the financial risk associated with an ITAD program that doesn’t abide by all applicable industry, data, and environmental regulations. You can also create data security vulnerabilities that could lead to a breach during the ITAD process if you don’t sanitize data from IT assets effectively or adequately secure the data center facilities. Data breaches have significant impacts on a brand’s credibility and cost companies millions of dollars. The average cost of a data breach in the United States comes in at a whopping 8.64 million dollars.
Companies that create DIY ITAD programs should be mindful of the following risks and pitfalls throughout the IT asset disposition process.
Lack of deep IT Asset Disposition expertise
At its core, the biggest risk of a DIY ITAD program stems from internal teams not having the expertise necessary to run a compliant ITAD program. Your team’s day job is not to run an ITAD program and stay up to date on laws and regulations. ITAD is not what your company does as its core business, which means you likely won’t have the internal resources or expertise necessary to keep all of the moving pieces on track.
Industry best practice today recommends outsourcing your ITAD program to a trusted and experienced IT asset disposition company. These companies are in business to help customers through the ITAD process, which means they will know what it takes to get your company through its ITAD program efficiently, effectively, and in compliance with all applicable laws and regulations.
Improper asset management
Asset management is a critical and complex phase in the ITAD process. You must track, decommission, transport, and sanitize all of your IT assets effectively to keep your program organized and, more importantly, to establish an audit trail that proves you comply with applicable laws and regulations.
- Tracking: IT asset tracking documents which assets are in use, their serial numbers, make, and model, where they are located, how your company is using them, which licenses apply to them, and what happens when they are removed from service. Tracking is also critical after the equipment has been decommissioned to ensure an audit trail for compliance and risk mitigation.
- Decommissioning: The ITAD decommissioning process requires you to locate each asset, ensure the data is backed up, determine whether it’s encrypted, and pull the asset out of the server rack or remove it from the user environment. Internal teams often don’t have enough resources or expertise to gather all of the IT assets, track them, and securely package them — exposing you again to additional risk.
- Logistics and transportation: This phase requires your team to know whether there’s data on each asset, where the asset is, and who is responsible for transporting it. Transporting equipment from a facility to its next location (e.g., a recycler) can not only be costly but can expose your company to data security, theft, and environmental risks.
- Data sanitization: Data sanitization is one of the most critical and risky phases of the ITAD process, requiring you to remove all data from your assets. There is no margin for error in this process because, to mitigate data security risks, you must eliminate 100% of the data, on 100% of the assets, 100% of the time. Research has shown that a whopping 40% of drives enterprises think they have sanitized still contain data.
Gaps in asset reuse process
After your assets have been decommissioned and sanitized of data, it’s always best to identify ways to reuse them to maximize the circular economy. This process involves conducting testing on equipment, repairing it, and reselling it.
- Testing: Requires you to have the right tools, systems, standard procedures, and enough internal staff to test assets correctly every time. Failure to maintain testing records and quickly produce reports to identify where assets are located creates pitfalls and compliance risks for your company.
- Repair: Requires you to have the right tools and components on hand. To avoid pitfalls and risks, you’ll need systems that help you stay on top of repairs, procedures to ensure consistency, and a way to document repairs and produce reports.
- Resale: Some companies have resale channels in place, while others auction their equipment, let employees purchase it, or donate it to non-profits. The biggest downfall of internally managing the resale phase is that companies often don’t have the best and most established resale channels available to them and don’t understand fair market value for the used equipment. There are also compliance risks with resale.
Inadequate asset end-of-life process
Sometimes there is no choice but to retire end-of-life IT assets and components – they are just too old (obsolete) or too worn and damaged to attempt to reuse or resell. In this case, your company must be ready to either salvage some of the equipment’s components or recycle them and avoid disposing of them. Each process comes with inherent risks that your team must be aware of to manage a DIY ITAD program successfully.
- Component salvage: When your IT assets have salvageable components, your team must know how to disassemble the asset without damaging the component or parent asset. This process requires you to have enough people staffed with expertise to understand how to test, store, and track the components, all while keeping employees safe from potential hazards.
- Recycling: Many companies don’t have internal procedures to deal with hazardous or regulated materials (e.g., batteries and mercury). You must verify that the recyclers you send materials to are credible and certified. Proper and compliant recycling requires you to know the downstream impact of your materials on the environment. You must comply with all local, state, and federal regulations (including permitting) or face hefty fines.
- Disposal: Companies should avoid disposal at all costs, given its negative impact on the environment and circular economy. Disposal of IT assets is illegal or highly regulated in many regions.
Your company will struggle to abide by industry compliance requirements if your team is not adequately resourced with ITAD experts and does not have a sophisticated enough system in place to track assets through the entire IT asset disposition process. For this reason, a DIY ITAD program could expose your company to significant and costly corporate risk. Hiring an IT asset disposition company is often the most cost-effective way to mitigate this risk and protect your brand.
How to evaluate IT asset disposition companies
IT asset disposition companies exist because the inherent risks of the ITAD process require an intentional mitigation strategy led by experts. They specialize in helping companies through the challenges of each ITAD phase, including IT asset management, data sanitization, asset reuse, and end-of-life processes. Along the way, ITAD providers know what tracking, reporting, and storage requirements to follow to comply with all regulations applicable to your business.
When you work with a qualified ITAD provider, you can feel reassured that you will reap all of the benefits of ITAD we detailed above: strong data security and compliance, environmental compliance and green IT practices, maximized value recovery, and proper and secure IT tracking and reporting. Plus, since ITAD providers specialize in this service, the process should go much smoother and more efficiently than if you tried to build a DIY program internally. They benefit from efficiencies of scale, as well as built-for-purpose systems and processes.
An ITAD provider’s in-depth expertise about IT asset disposition, most importantly, helps you mitigate the corporate risk that could occur as a result of even just one gap in your ITAD process. Mitigating this risk protects your brand’s reputation from the harm that a data security or environmental infraction could cause. The cost of not doing ITAD correctly (i.e., lawsuits, fines, brand risk) is significantly more than hiring an ITAD provider.
What to look for in an IT asset disposition company
Selecting the ITAD partner that is best for your business can be overwhelming. You’re trusting this partner with a vulnerable and critical aspect of your business. Below are things to look for with each IT asset disposition company that you evaluate.
1. Data security practices
Data security is one of the most fundamentally important parts of your ITAD process. To assess whether an ITAD provider is protecting your equipment adequately and sanitizing data properly, uncover answers to the following questions:
- Which software and technology do they use for data erasure? Is this the latest and greatest available?
- Are they sanitizing data to the correct standard: NIST 800-88 or equivalent?
- Do they have the ability to erase any type of storage device, including the latest technology?
- Do they understand everywhere data may reside (e.g., a network printer or copier with a hard drive in it, or even IoT devices)?
- What checks and balances do they have in place to ensure every device is sanitized (e.g., ERP system, strong processes, employee training, redundant verifications)?
- What security measures do they take on-premises to make sure no equipment can get out the door with data on it (e.g., video cameras, secured access, metal detectors)?
- Do they have a shredder to physically destroy drives that they aren’t reselling?
Ask what certifications the ITAD provider has and confirm that the specific facilities and processes the provider uses (i.e., recyclers) also have those certifications. Ensure that your contract only allows the ITAD provider to work with the facilities that are certified. The most important certifications to check for include:
- R2 (Responsible Recycling): A facility-level certification that requires certified companies to have a policy to manage used and end-of-life electronics equipment, components, and materials based on strategies such as reuse, energy recovery, and disposal.
- RIOS™ (Recycling Industry Operating Standard): Applies to ensure compliance, improve health and safety across the facility, strengthen the quality of material being produced, and enhance environmental responsibility across all operations. This is equivalent to combining ISO 9001, ISO 14001, and ISO 45001.
- ISO 9001, ISO 14001, ISO 45001: These ISO standards specify requirements and criteria related to quality management systems, environmental management systems, and occupational health and safety (OH&S) management systems.
As covered earlier, safe and secure logistics is vital to protect your equipment and data. Dig into the ITAD provider’s security protocols for ensuring safe transport of your equipment. Inquire about secure packaging, GPS tracking, and whether they have sealed, dedicated trucks. Once you understand their protocols, assess whether they meet the level of risk your company can tolerate. Note that some enhanced logistics options may cost extra.
4. ERP Systems
Be leery of any ITAD provider that conducts its tracking and reporting solely in spreadsheets. These spreadsheets are clunky and prone to errors that could cost your business. Enterprise companies should expect their ITAD providers to use a robust cloud ERP (e.g., NetSuite) that integrates with the provider’s processes, financial systems, and reporting. The system should guard against and detect processing errors and be flexible enough to meet your needs and future business models. An ERP system like this allows the ITAD provider to give you a detailed, end-of-process audit report that you can trust for its accuracy and submit for compliance. This report should detail what happened to all of your IT assets at each phase of the process.
5. Customer service built on partnership
Look for an ITAD provider who provides high-quality service based on establishing solid relationships. Any ITAD provider you’re evaluating should provide you with references to validate the company’s work and customer service at scale.
It’s also important to understand what the ITAD provider offers for quarterly and annual business reviews and what to expect during these meetings. You should expect to discuss an analysis of the products, processes, trends, and financial performance. ITAD providers that invest in developing partnerships with their customers will also provide educational updates as new regulations emerge and markets shift.
Certifications like ISO 9001 or RIOS are the first things to look for to uncover a demonstrated commitment to quality from ITAD providers. Take time to confirm that this quality runs through the entire operation, from the ITAD provider’s process design to its quality checks. ITAD providers should have strong processes and checks and balances to ensure everything is done the right way — and the same way every time.
Ask how the ITAD provider staffs the employees that will work for you. Are they temporary contractors or full-time employees? A strong ITAD provider cross-trains its employees to manage fluctuations in its business to retain a stable, high-quality workforce.
8. Background checks
It’s important to know that you can trust the people working on your ITAD process. Ask ITAD providers if they do background checks on every employee. If they do, gather more information to understand what criteria disqualify a new hire: violent felonies? Fraud? Theft? Misdemeanors? Assess whether these criteria are sufficient for you to feel comfortable trusting your assets and data security to them.
Repairs are an important part of the ITAD process because they help you recoup greater value for your assets. Ask ITAD providers whether they fix minor defects and if they handle more significant problems that may require things like circuit board repairs and component replacement. Look for a partner that commits itself to maximizing your equipment’s life and value through its repair process expertise.
Some ITAD providers will purchase your equipment from you, and that amount will be the value you recoup from your IT assets. Others will have a consignment policy that shares revenue based on the amount the provider can sell your assets for. Consignment agreements are typically a better deal for companies. If the ITAD provider doesn’t offer a consignment option, ask how they determine their purchase value – this is an important factor as some unscrupulous companies price purchases and then apply significant deductions without transparency.
It’s also important to dig into how well established the ITAD providers’ resale markets are for the type of equipment you’re selling, as this can significantly impact how much value you recoup.
At the most basic level, IT asset disposition companies should be well-versed in all applicable environmental laws and regulations and know how to recycle and dispose of your IT equipment correctly. If an ITAD vendor claims that they have a “zero landfill policy,” learn what exact steps they take to fulfill that promise. How do they ensure nothing goes into a landfill? Do they routinely confirm that the recyclers they work with are certified? Do they verify that these recyclers are fulfilling their promise and actually doing things properly? Do these recyclers allow the export of electronic scrap to developing countries? Your ITAD partner should also be able to provide a routine report that includes greenhouse gas and waste diversion data. This report is critical information for your CSR and sustainability efforts.
Evaluating IT asset disposition companies on these criteria will help you single out the best ITAD providers and identify a strong fit for your business.
The future of IT asset disposition
The continued proliferation of both technology and regulations will continue to drive IT asset disposition growth in the future. As you plan for an ITAD program that meets your business’s needs today, consider how it will continue to benefit your business down the road. Whichever IT asset disposition company you choose to partner with should be familiar with, thinking about, and planning for the following changes.
1. Technology advancements increase the types and variety of managed assets
We’ll continue to experience advancements in technology, including new types of data storage and hard drives. IT asset disposition companies will need to be nimble to continue mitigating risk for clients effectively, regardless of data storage type. ITAD providers will soon be handling equipment that makes up the Internet of Things (IoT) — connected devices and sprawling networks contributing to massive amounts of data. This technology will become increasingly prevalent in commercial environments, storing data not just in a business’s data system or desktop but throughout the enterprise. ITAD providers need to be ready to effectively accommodate these technologies, erase their data, and resell or recycle them.
2. Importance of the circular economy increases — and so too does ITAD’s role
ITAD has been living within the circular economy for a long time. ITAD providers identify ways to reuse and recycle IT assets and equipment to provide them to those who need them. The goal is to extend the life of the equipment, which is increasingly vital to a world grappling with how to be better stewards of the earth. Extending the life of IT assets and components means you need to use fewer natural resources to replace them and also means less harmful mining and manufacturing. That said, the circular economy has risks for businesses because of data and environmental vulnerabilities inherent to IT. ITAD will continue to play a critical role in eliminating that risk so that the circular economy can thrive and function healthily.
3. Additional regulations will impact ITAD
We’re living in a time of increased focus on data privacy and security. We will continue to see new regulations emerge to protect customer data and hold companies accountable for how they handle their data. For example, the General Data Protection Regulation (GDPR) implemented by the European Union impacts every company that does business with European customers or companies. Most recently, we saw California and Virginia implement consumer privacy acts. These regulations will have a ripple effect, leading to additional data security and privacy regulations – and risks.
Additionally, as the focus on climate change intensifies, we can also anticipate additional environmental regulations. Any business running an ITAD program should be aware of these changes and ready to comply with any new regulations.
IT asset disposition is an essential business practice for any company that uses IT equipment to operate. It matters to virtually every company. Whether your company safely and responsibly handles and decommissions its electronic equipment can be the difference between a well-managed ITAD program and one that exposes your business to substantial corporate risk. Trusting this process to an experienced ITAD provider will help you protect your employees, customers, and brand.
Summit 360 is an experienced IT asset management firm that has helped businesses properly and effectively reuse, resell, recycle, and dispose of IT equipment for over 20 years. We can help you play a leading role in the circular economy by keeping your technology in use longer, increasing sustainability, minimizing waste, and stretching the productive lifespan of hardware and IT equipment.