Risks in Education: Disposing of Used Technology

Today’s educational programs rely heavily on computers and other electronic devices. When IT equipment is ready to be retired, many institutions have limited budget and time to securely resell or properly recycle hundreds of systems on their own.

What are the Risks?

According to Verizon’s 2019 Data Breach Investigations Report (DBIR),  more than one third (35%) of all breaches in the education vertical were due to human error. Based on 2017 findings, the average U.S. cost per lost or stolen record in the education sector was $245, which is much higher than the worldwide per-record cost in education of $200. The average total cost across all segments is $7.35 million, up almost 5% from 2016. Along with the cost of a data breach, compliance with environmental and data privacy legislation is also a risk.

REAL RISK STORIES

• A St. Paul, MN college paid over $32K for the cleanup of computers found in a lake they thought were recycled in 2006. The recycler who was not certified, had claimed their equipment was recycled.
• A Sioux Falls, SD college found one of their used laptops sold on Amazon in 2016 without the hard drive being wiped. Prior to the incident, they had no policy in place for tracking devices or using a certified vendor and did not know how the laptop ended up online.

To protect student information, maintain compliance with FERPA (the Family Educational Rights and Privacy Act), and get the most value back from retired technology, schools and other educational institutions must take the following risks into consideration when upgrading or retiring devices:

• Maximize Budget and Recover Value: With typically large volumes of equipment being retired at once, educational institutions need a cost effective solution that may potentially put money back into their budget. Service providers that have resale experience with a good, proven reputation can ensure fair market value is being recovered. Data security certifications like R2:2013 (R2) and e-Stewards are important to guarantee all data is securely destroyed before any devices are resold.
• Data Security and Proper Destruction: To comply with FERPA and prevent a breach of private student information, a well-documented security policy should be implemented to identify and manage any device that may contain data. This policy should be consistent with the currently recognized security standards outlined in NIST SP 800-88 Guidelines for Media Sanitization, Revision 1, which includes proper methods of hard drive data destruction when equipment is ready to be retired.
• Due Diligence of All Vendors: Along with data security needs, educational institutions must also comply with local, state and federal regulations regarding environmental, health and safety measures. Certifications like R2 and e-stewards help identify qualified vendors who implement proper policies and standards when managing technology devices to ensure all legislative requirements are adhered to throughout the entire chain-of-custody.

Based out of Sioux Falls, SEAM specializes in certified, compliant and secure data destruction, IT asset recovery, resale, and environmentally sound recycling of computer equipment. Serving schools and educational institutions across the upper Midwest. Contact us for a free quote.