As companies deploy new technology into their organizations, they are faced with the real problem of what to do with their old and outdated IT assets. It is no longer acceptable for companies to throw out old technology or simply pass them along to a third party. With businesses moving toward greener technologies and state legislatures across the country taking up new pieces of e-waste legislation, corporations need to create a plan on how to ensure both local and federal compliance pertaining to IT asset disposal.
Something many companies find surprising is that transferring title of your old IT assets does not allow the liability attached to those assets to transfer as well. The liability problem that companies face is twofold; first, they must work to comply with the standards set forth by the federal and state government regarding environmental regulations and data security standards, and secondly, they must realize the responsibility they have to protect the environment from a potential crisis in regards to hazardous substances contained in their old IT assets, commonly referred to as e-waste.
Just because an IT asset has been taken for disposition or recycling by a service provider, it does not mean that 100% of the liability has been taken on by the provider itself. This is an area of confusion for many businesses that believe that once an IT asset is out of their physical possession they are no longer liable for what happens to those assets. While ownership of old electronics can be transferred, the liability cannot, so the business that originally owned an IT asset can be liable if that asset ends up in the wrong place due to improper disposition. It is also important for IT assets to be sanitized before the disposition process, which means removing identifying tags and sensitive data, whether the assets are to be recycled, donated, or remarketed.
Shredded hard drives in prep for disposition
A key issue for businesses to keep in mind is their individual tolerance of risk. This comes into play both from an environmental and data security standpoint. If a company were to simply toss its unwanted IT assets into a dumpster or landfill, it would show a higher tolerance of risk considering those assets could ultimately pollute water supplies, not to mention the likelihood that the offenders would face stiff fines and possibly jail time. From a security standpoint, unwanted IT assets have hard drives that store proprietary information on businesses, partners and consumer data such as social security numbers and credit card numbers. Corporations that place business or consumer data at risk, is the ultimate act of irresponsibility. In addition, once the press finds out about the illegal activity, the company's corporate image is likely to take a hit as well.
For businesses with a lower tolerance of risk, and a desire to maintain compliance with applicable regulations, proper IT asset disposal or remarketing services are easy-to-find.
The rapid expansion of technology has created some very sophisticated methods of
tracking and controlling IT assets; however, this technology hasn't necessarily made it any easier for companies who are looking for the perfect solution to their IT asset disposition problems.
While it is important to be able to control these assets from the beginning of the technology life cycle, many companies fall into the habit of not completing the circle and do not plan for the compliant disposal of end-of-life IT assets. While it's always nice to upgrade the technology in the workplace, what to do with the asset at the end of its useful life cannot be ignored.
With an increasing number of environmental and security issues, IT operations usually do not have the time or resources to focus on end-of-life issues for their IT assets. IT executives are constantly facing increasing complexities and challenges each day, so why worry about some old IT assets?
The problem with this philosophy is quite simple. Enterprise companies need to protect themselves from liability and the environment from destruction. Just as they owe it to their customers to ensure all data has been properly protected, they owe it to the environment to ensure that potential toxic materials are disposed of properly too. Ignoring the dangers contained in e-waste will expose them and their company to potential liability. Damages come in the form of monetary penalties and through loss of brand equity and consumer confidence. The consequences can be disastrous for an organization.
Companies today must navigate an ever increasing environmental and privacy regulatory landscape. Here are several examples of these regulatory requirements and some of their associated penalties:
- Sarbanes-Oxley, HIPAA (criminal penalties of up to $250,000 and/or 10 years imprisonment per violation of patient security information)
- Gramm-Leach-Bliley (penalties of up to $100,000 per violation for financial service/customer information)
- Tariff-funded recycling in the states of CA and ME
- Anti-landfill laws in the states of MA, NJ, and MN
- State privacy laws on protecting citizens' personal information including HIV status, genetic data, video rentals, library borrowing, bank records, cable viewing, polygraphs and employment records, and
- WEEE, Basel Convention, RCRA, and CERCLA
Additional pending legislation in more than 20 states is likely to increase the dollar amounts of fines for those in violation of state or federal laws.