New Report Supports Positive Trends in IT Hardware Purchases

Cascade Asset Management’s Fourth Annual Benchmark Report provides strong statistical evidence that the hardware remarketing sector rebounded in 2017, and these trends are expected to continue this year. The Madison, WI-based ITAD organization reported that sales of assets grew by over 18% in 2017, with clients refreshing their equipment at an accelerated pace. The trend supported increased average resale prices for both laptops (7.3%) and desktop PCs (13.4%).

According to the research survey, more than two thirds of respondents indicated that they anticipate equal or increased IT hardware purchases in 2018, an increase of about 10% over 2017. According to study author Neil Peters-Michaud: "While there continues to be a rapid adoption of mobile devices in the workplace, our clients don't plan on giving up their workstations any time soon. Retirement of desktops and laptops is staying fairly consistent, but there is an increase in the disposition of smart phones and the data center equipment that supports them."

Another key finding concerned asset tracking, with 88% of enterprises reporting that they track all laptops, desktops and servers through their lifecycle. However, another interesting statistic suggests that although many organizations perform data destruction on hard drives before they leave their premises, over half (56%) did not handle onsite data destruction themselves, but rather outsourced the process. A surprising 11% reported that they continue to rely on hitting the hard drive with a hammer.

Respondents also ranked the value of various certifications, including NAID security certification (44.4%) and the e-Stewards Standard for Responsible Recycling (42.2%).

The Cascade report was compiled from data collected through a November 2017 survey representing organizations with more than 160,000 employees and an evaluation of more than 259,000 refurbished and recycled assets, in combination with a review of related industry research.

Moving Beyond DoD 5220.22-M:

The Data Wipe “Standard” That Would Not Die

Not a day goes by that we don't come across yet another reference to sanitizing hard drives in compliance with the Department of Defense standard DoD 5220.22-M, otherwise known as the data erasure standard that never was.

The DoD 5220.22-M standard for erasing or wiping data from a hard drive emerged early on in the evolving electronic data destruction business. A classic case of echo chamber knowledge distribution, the de facto adoption of this process was more of a marketing phenomenon than the result of any official policy supported by the Department of Defense.

DoD 5220.22-M specifies a process that overwrites data on a hard drive with random patterns of ones and zeros. The fact that the DoD 5220.22-M protocol required three overwriting passes made it seem all the more secure, as did the implied Department of Defense imprimatur. At some point, this pseudo standard took on a life of its own as third-party computer recycling and refurbishing companies, IT asset disposition (ITAD) firms and other types of organizations asserted DoD compliance on websites and marketing collateral.

DoD 5220.22-M was never approved by the Department of Defense for civilian media sanitization, and even more importantly, the DoD never intended for it to be a standard for classified data. The DoD is not in the business of certifying data destruction standards and has no mechanism for policing any given company's procedures. For its own classified data, the DoD requires a combination of wiping, degaussing and/or physical destruction.
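The overwrite-and-verify routine below is an added example, not code from the newsletter or from any vendor it mentions. It runs the kind of multi-pass overwrite the article describes against a file-backed image constructed here (never a real disk), with a fixed final pattern so a read-back verification pass can confirm the result; the pattern sequence and the verification step are this example's choices, not a DoD specification.

```python
# Added example: multi-pass overwrite of a file-backed "device" image with a
# read-back verification pass. Assumes an ordinary file created by demo_image();
# the pattern sequence (0xFF, random, 0x00) is a constructed choice that mirrors
# the three-pass idea while keeping a fixed last pass that can be verified.
import os
import tempfile

BLOCK = 4096  # write/read granularity


def overwrite(path, patterns):
    """Overwrite every byte of `path` once per pattern, in order.
    A pattern of None means a pass of random bytes. Returns the pass count."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(BLOCK, remaining)
                f.write(os.urandom(n) if pat is None else pat * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the pass to the medium, not just the page cache
    return len(patterns)


def verify(path, pattern):
    """Read the whole image back and confirm every byte equals `pattern`."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                return True
            if chunk != pattern * len(chunk):
                return False


def sanitize_and_check(path, patterns=(b"\xff", None, b"\x00")):
    """Run the passes, then verify that the fixed final pattern is what remains."""
    overwrite(path, patterns)
    return verify(path, patterns[-1])


def demo_image(payload=b"PATIENT-RECORD-0001 ssn=000-00-0000\n"):
    """Constructed sample image holding a fake record; returns its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(payload * 200)
    return path


if __name__ == "__main__":
    img = demo_image()
    print("verified clean:", sanitize_and_check(img))
    os.remove(img)
```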

Continue the story here or download our paper.

Carefirst Data Breach Case Moves Forward Following Key Ruling

Appeals Court Says Consumers Can Sue Organizations That Fail to Protect Data

In a case that is likely to have far-reaching consequences in privacy law enforcement, the Federal Appeals Court in Washington, DC has ruled that a consumer class action suit seeking compensation for faulty security practices can proceed. The ruling overturned a July 2016 decision by a Maryland district court, which had found that the plaintiffs had failed to demonstrate sufficient standing in their case against healthcare insurers CareFirst Inc. and CareFirst of Maryland Inc.

The case was triggered by a data breach reported in 2015, which affected 1.1 million current and former members of the healthcare networks. Originally filed by plaintiffs Pamela Chambliss and Scott Adamson, the lawsuit claims that the insurer should be held responsible for failing to protect their personal data.

The case read as follows: “As customers of CareFirst, Plaintiffs allege that they had a reasonable expectation that their confidential personal information would remain private and confidential. Due to CareFirst’s failure to secure the personal information at issue, Plaintiffs claim that they and the class members ‘have lost or are subject to losing money and property.’”

The Maryland ruling was based on a lack of evidence that the data had been misused. In their decision, the justices wrote: “Their theory of harm relies solely on the actions of an unknown independent third party. It is thus not clear ‘whether future harm from a data security breach will materialize,’ but also uncertain ‘when such harm will occur.’”

However, the higher court seemed to indicate that the absence of damage did not necessarily mean the case was invalid. "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm," the justices wrote in their opinion.

Class-action lawsuits are often filed after healthcare provider security breaches, but have in the past faced a high bar of proof. The latest ruling is significant because it represents a departure from previous cases, which tended to turn on whether any actual damage had occurred.

Phil Stamnas Joins DestructData as Director Technical Services

Product Lifecycle Expert to Spearhead Growth in New Business Services

Dover, NH - DestructData, Inc. has announced the appointment of Phil Stamnas as Director Technical Services.

Stamnas brings ten years of experience working directly with engineering and product management professionals to develop and deliver software and hardware products from inception to release. He also has extensive experience in both technical sales and networking solutions support, including switches, routers, and wired and wireless components. Stamnas’ broad range of expertise embraces field service, quality assurance, product support, systems engineering, compliance, monitoring and analytics.

According to DestructData founder and president Michael Lawlor, Stamnas will be instrumental in developing new business opportunities for DestructData, including expansion of onsite data destruction and data center services, as well as client training.

“His experience with product lifecycles is key to his skills with both prospects and customers when dealing with mission critical procedures, policies and products,” said Lawlor.

Mr. Stamnas will operate out of the company’s headquarters in Dover, NH.

Challenges of IT Asset Disposition

By Ann Hughes, Director of Sales and Marketing for MRK Group Ltd.

Anyone who has created a corporate IT Asset Management program, or is contemplating one, will tell you that it is challenging to create a successful program. We will explore some of the issues in doing so.

Who should be involved in this process? Who are these stakeholder groups and why do they matter? Do they have competing interests? Let’s explore this. Several are obvious. IT Asset Management owns the program, interfaces with all groups, and conveys their requirements to Procurement. Procurement is often responsible for the RFP if the company decides to go this route. Environmental and Risk Management will want to ensure that equipment does not get exported to an undeveloped country where environmental laws are lax, or processed at home in some manner that can potentially create an environmental nightmare.

There are environmental regulations that come into play with electronics. Electronics contain heavy metals such as cadmium, lead and mercury that are highly toxic. The environmental group in particular will want to ensure that the equipment is handled properly and does not go to a landfill. The last thing your company needs is bad press when it is discovered that your equipment is involved in an EPA cleanup operation.

As data security is the biggest driver of IT Asset Disposition, Risk Management, Compliance and Security are major stakeholders. There are many regulations to consider such as HIPAA, HITECH, PCI, etc. Data breaches are extremely expensive. According to the Ponemon Institute, the average cost of a data breach in the US is $217 per record, and $6.53 million per incident. The largest cost of a breach is loss of business. Other losses may include damaged brands, loss of trade secrets, personnel records, financial information, etc.

Risk assessments play a part in company decisions. Will data erasure before shipping to an ITAD vendor be appropriate or will encryption of devices be sufficient? Is onsite hard drive destruction mandatory? What is the chain of custody? How is equipment staged/stored prior to going to the ITAD vendor? What are the logistics in moving the equipment? The vendor can be a very useful partner and be utilized as a secondary verification of data erasure.

Additional stakeholders will include Finance and Accounting. They require certain data that ITAM can provide when assets are properly tracked. At the time of purchase, assets may come with a maintenance plan. Companies will want to forgo paying maintenance fees on assets they no longer own. Assets no longer owned will also need to be removed from the books in order to eliminate remaining tax liabilities.

Determining what to do with equipment is another challenge. Risk must be balanced against financial considerations. Allowing the ITAD vendor to resell equipment will lower costs and can yield large sums that pay for the entire asset disposition program with funds remaining. Extreme risk aversion will lead to unnecessary costs. For example, is a 7 pass DOD compliant erasure necessary, or will a 1 pass erasure be sufficient? Due to the high density of the drives, 1 pass will be sufficient in most cases. Recycling only will lead to higher costs due to continuing low commodity values, since no revenue is generated to offset the costs of properly handling the assets.

Selecting a vendor can be the biggest challenge of all. According to recent news articles, many electronics recycling and IT asset disposition companies have, in the past several years, gone bankrupt or been indicted for fraud, tax evasion, illegal storage and illegal export of equipment. These include firms that have been R2 and e-Stewards certified; these are industry certifications audited by a third party for those in the IT Asset Disposition industry who manage end of life computer and other electronic equipment. Both certifications do issue revisions to strengthen the standards and close loopholes to weed out these bad actors.

It is important to look at firms that adhere to Best Practices of the ITAD industry. These are companies dedicated to removing data and environmental risks inherent in final disposition of end of life equipment.

Let’s take a look at what Best Practices means. These will be vendors that protect all data and avoid any data breach. They will cover not only the hard drives in your typical PC, laptop or server but also the hard drives in copiers. Their data erasure processes are compliant with NIST 800-88 and Department of Defense requirements. These types of firms have the capacity to erase multiple drives at a time and have a process for drives that fail, such as shredding and serial number capture. They will remove asset tags and any company identifying marks prior to reselling assets. The vendor will be able to provide FMV (fair market value) for equipment. Their Certificate of Destruction will tie directly to the equipment processed.

When evaluating firms, look for one that is transparent and freely shares information. If it is not forthcoming with answers to your questions, it may not be the best choice. Look for some give and take so that there is a mutually beneficial relationship. This will go a long way when special projects or pricing is needed outside the scope of a standard contract.

Due diligence is a necessity. Various questions need to be asked. What is the company ownership? How long has the company been in business? Has the company been acquired? What is the management turnover? Some of these play into the type of service you will receive. You will experience continuity of service when there is less turnover and disruption. Take a look at the facility. Is work being performed in multiple buildings at the site? Are there multiple sites across the country? What type of security is present? Look for 24/7 surveillance and restricted access.

It is important to also know what types of materials are being handled. Are there hazardous materials in the building, and are the proper permits in place? Who are the downstream vendors? All R2 and e-Stewards certified companies will have evaluated their downstream vendors and know how those various materials are handled.

Other questions include the types of services offered, such as inventorying, data destruction, recycling, remarketing, redeployment, donations, end of lease services and logistics. What are the data security policies of the vendor? What type of training is there for the employees on equipment, tools and processes that they use? There should be a written EH&S plan in compliance with OSHA regulations.

The ideal way to perform due diligence is to personally visit the vendor. Be prepared with questions and perform an onsite audit.

Success comes with preparation. When various stakeholders are involved, due diligence is performed and open dialogue is maintained, the chances of succeeding greatly increase.

This article originally appeared in ITAK.