Behind The Scenes Of An ITAD Specialist

Moderator: Hi, I'm Paul Gillin for Iron Mountain. We tend not to think about garbage very much. As long as someone takes trash away and disposes of it responsibly, we don't much care how they go about it. But when it comes to IT assets, that can be a dangerous way to think.

Today's laptops, PCs, cell phones and even thumb drives can contain vast amounts of sensitive information, information that in the wrong hands can make organizations vulnerable to everything from reputation damage to criminal liability. Mike Susmark, vice president of compliance at Ingram Micro ITAD, a company that specializes in IT asset disposition, tells us more.

Mike Susmark: There are a number of risks associated with the inadvertent disclosure or breach of sensitive information. Direct financial risk in the form of regulatory fines is one example. HIPAA fines can range from $100 to $50,000 per violation. It can add up to millions of dollars. Other risks include damage to a company's brand reputation and a loss of trust from customers and potential new clients. or Some other hidden costs that are often not considered are the costs of investigation and corrective action to reduce the chance of additional disclosures or breaches.

Moderator: That's where ITAD comes in. It's a disciplined approach to disposing of computers and other data-carrying devices in a way that ensures that critical information is never at risk of being lost or stolen.

E-waste is a growing problem. It's estimated that 85 percent of retired electronics are sent to landfills each year, creating 72 million tons of e-waste. That's an environmental issue, because electronics can contain toxins and other hazardous materials that can seep into the water supply. It's also a business liability problem, because information recovered from end-of-life equipment can be a goldmine to hackers and identity thieves. A professional ITAD supplier can help companies navigate the many rules that may apply to equipment disposal, depending upon their geography and their industry.

Susmark: While there are exportation laws in the US regarding e-waste, there is no federal legislation around the disposal of that e-waste. The local and state laws make it much more complicated for a customer to adhere to, especially if they have locations throughout the country. Environmental infractions and fines can also damage the customer's brand and reputation, just as with a data breach.

Moderator: Many people think that deleting information from an electronic device, or formatting the hard drive, is good-enough protection against compromise, but deleting and formatting actually don't erase much data. A determined cybercriminal can recover a lot of information even from a hard disk that's been formatted several times.

Susmark: Deleting data and formatting the media does not remove that data from the media. It's really just a way of disconnecting the access to that media from your operating system. We recommend going through over a deletion process, with verification, for drives that are going to be re-used, and ultimately destruction, such as shredding, if you want to make sure the drive is permanently destroyed.

Moderator: Iron Mountain is a leader in ITAD. Through its partnership with Ingram Micro ITAD, Iron Mountain provides secure IT asset disposition and re-marketing services. Re-marketing is the process of recovering value from older equipment by refurbishing it so that it can be resold. Iron Mountain's SITAD partner processes millions of retired computers and other electronic components each year. A look inside one of the company's 26 locations around the globe shows the careful attention the company pays to every detail of the process.

Susmark: Everything we do is focused on providing a secure and accountable service. Our facilities have state-of-the-art security systems, including CCTV coverage, access control for egress and entry and metal detection for people moving in and out of the work spaces. We also have strict control over who can access those areas, whether it's a visitor or a contractor.

All of our employees must pass a pre-screening process, including background checks, drug testing and having their driving records verified. We do random and scheduled re-screenings throughout the term of their employment. Iron Mountain provides world-class logistic security tracking access from pickup all the way to key transition points and delivery. Like everything that we do in-house from receiving through processing, warehousing, re-marketing, order fulfillment, we can track contract that asset from the time it comes in to the time it goes out and then we follow that recycled material to the final disposition. All of our processes are documented to provide an auditable workflow. We have numerous internal and third-party audits performed to verify the effectiveness of our system and to maintain compliance with our requirements and certifications.

Moderator: There are a lot of details to consider. Assets may travel many miles on their journey from the loading dock to their destination. A quality ITAD provider ensures that those assets are never in a position where they can be compromised, whether it's in an open truck, on a loading dock or in an unlocked storage compartment. Iron Mountain’s SITAD service is also about chain of custody. That means every laptop, hard drive, cell phone or other asset is tracked throughout its journey with an asset management system that provides full visibility into its precise location and status.

Susmark: Chain of custody describes that trail of accountability as material flows through our processes, from the time we touch it at the customer's location to the time it goes out to final disposition. As with any chain, it is only as good as its weakest link. A broken chain could result in the loss of assets. Those lost assets could contain data. That data could be inadvertently released, causing the issues that we discussed earlier. The assets could also be improperly disposed of, creating an environmental infraction.

Moderator: A responsible ITAD provider follows data sanitization procedures that adhere to us Department of Defense and the National Institute of Standards and Technologies guidelines for all data-bearing devices. These include multiple overwrites of the data and a magnetic process called degaussing. But sometimes even that isn't enough. The only certain way to protect against data compromise is to thoroughly destroy the storage medium, and believe it or not, even breaking a disk into pieces with a hammer isn't necessarily enough. Data can still be recovered from the fragments. Iron Mountain's SITAD partner uses powerful shredding machines that reduce hard drives to tiny bits of metal that can be recycled.

Susmark: Our hardware shredders are similar to paper shredders, only a lot more robust. Our shredders have a row of cutters that are capable of slicing through a complete hard drive, including the case and the spindle. There's some real solid metal there. The result is narrow strips of material, and that material is sent out to a smelter for reuse.

For solid state drives, we use a disintegrator. It actually does a similar process to the hard-drive shredder by cutting strips in the solid-state media, but then it goes to a secondary cutter which continues to cut it until it gets down to a particulate size of about two millimeters square. All this is done within another self-contained trading shredding system.

Moderator: The final step in the SITAD process is the issuance of the Certificate of Destruction or Recycling. It provides assurance to the customer that the destruction was complete. The need for responsible IT asset disposition is growing as millions of mobile and connected internet of things devices flood the market. Organizations need to think carefully about where their data is stored and how to protect it throughout the lifecycle of the technology they use. ITAD to add is a critical part of that equation. This is Paul Gillin