Last week, the home improvement retailer Home Depot was ordered to pay $27 million for the improper disposal of hazardous waste, including batteries, electronics, and customer information. The state's attorney general said the company will pay about $16 million in civil penalties, $9 million toward environmental protection and compliance, and nearly $2 million to cover costs.
Chain of Custody and the Disposal of Electronics
To avoid the risks associated with disposing of used electronics, companies must establish a well-documented chain of custody and ensure each asset is sold or disposed of properly. This documentation is often the only defense if something goes wrong, whether that is a data breach or an environmental violation like the Home Depot example above.
RISK OF A DATA BREACH: Organizations often focus primarily on network security, firewalls, and internet protocols to protect sensitive information, but one of the biggest risks, and one that rarely gets mentioned, comes from used equipment leaving the building. Internal data destruction comes with its own risks if the process is not done properly, while outsourcing destruction forces companies to rely on a downstream vendor to ensure security. In both cases, chain of custody is critical if something goes wrong.
RISK OF ENVIRONMENTAL VIOLATION: With many vendors advertising "free recycling", it's easy to see how organizations fall victim to putting their trust in a company that sells the good stuff and dumps the parts or whole devices that hold no value. If this happens, the EPA comes after the original owner of the equipment, no matter what the recycler may have promised. A serial number can link a piece of equipment back to the original owner, who then must prove they were not guilty of the violation. This is where a well-documented chain of custody can save the day.
How to Eliminate Your Risks
By implementing best practices for IT asset disposition (ITAD), companies can get rid of old equipment without having to worry about the risks:
#1 Keep an Inventory. Identify and track every single business device by serial number - from large servers down to tiny thumb drives.
#2 Destroy the Data. Follow industry destruction standards to ensure data has been removed completely. Whether performed in-house or via a third party, make sure destruction is done in accordance with NIST SP 800-88 Revision 1 and keep documentation of which devices were wiped or shredded.
#3 Find a Trusted Outlet. For secure disposal and tracking, find an ITAD company with transparent processes certified through R2 and e-Stewards. An experienced partner will be able to document the disposal process with a certificate of destruction and serial number reports to complete the chain of custody. Vendors certified to R2 and e-Stewards have been through rigorous audits and documentation procedures that comply with local, state and federal legislation and ensure all data is secure through destruction. If your equipment still holds value, many providers will be able to share resale value with you to help offset processing costs or even help turn a profit.