The Looming ITAD Black Swan
The term ‘Back Swan’ was popularized by Nassim Nicholas Taleb when he described how unexpected events can have catastrophic consequences. Examples of Black Swans include the 2008 financial crisis, Hurricane Katrina, and the terrorist attacks of September 11th.
Businesses face their own Black Swans. The London Whale cost JPMorgan Chase at least $6.2 billion.
While a Black Swan is a surprise at the time it occurs, with the benefit of hindsight experts usually conclude the event “was bound to happen.”
Don’t be the Turkey
Naturally, a Black Swan depends on the perspective of the observer. As Taleb explained, a Black Swan for a turkey is not a surprise to its butcher. Our objective should be to “avoid being the turkey.”
I predict a Black Swan will result from IT asset disposition (ITAD), but not for obvious reasons that spring to mind. My mission is to ruin this prediction by raising awareness of the vulnerability.
Data privacy concerns and environmental compliance are common worries with ITAD. Recent enforcements have grabbed headlines. Home Depot was hit with a $27 million fine improper disposal of hazardous waste including electronics.
While the size of the Home Depot settlement seems staggering at first, it was not a Black Swan. Black Swans are unexpected and expensive.
Being fined for dumping waste is not surprising. Nor was the consequence catastrophic. The penalty for Home Depot was slightly more than one day of profit for the Atlanta-based retailer.
The cost of a data privacy class action can be catastrophic. Privacy lawsuits have financial impact that can be orders of magnitude larger than environmental penalties.
The impending ITAD Black Swan will come from a data privacy class action, but with a surprising twist. The surprise for the unsuspecting turkey will be the nature of the complaint.
The ITAD Black Swan will not come from an isolated data security breach. The impact will result from the claim of willful neglect or the allegation of a cover-up.
Aggressive plaintiff attorneys are eager to demonstrate deep-pocketed defendants systematically ignore regulatory requirements that put personal information at risk. As discussed in previous posts, an ITAD Reporting Gap exposes organizations to claims of inadequate safeguards and systematic negligence.
It is hard to predict what might trigger an ITAD Black Swan. Several different circumstances could easily cause a company’s ITAD Reporting Gap to be discovered:
- a former employee gets caught stealing customer data using an unreturned laptop they didn’t know was missing
- a HIPAA investigation is launched after disgruntled employee blows the whistle on a company’s ITAD Reporting Gap
- ITAD information is subpoenaed as corroboration in a broader claim of negligence
The massive exposure comes from lax governance of ITAD. Imagine an attorney making the following argument:
“Your Honor, the defendant cannot account for thousands of computers. The defendant presumed a lost computer posed no risk. Regulatory requirements were ignored. Risk assessments were not performed. Rather than considering a lost computer a potential security incident, the defendant systematically swept the problem under the rug. The defendant is guilty of willful neglect, breach of implied contract, and unjust enrichment.”
The key point, easily-discoverable information makes ITAD an easy target for an informed attorney. The wider the ITAD Reporting Gap, the bigger the exposure.
An ITAD Black Swan is looming. We can ruin this prediction by raising awareness of the vulnerability.
Executives are encouraged to rethink their approach to ITAD. Companies unprepared to demonstrate compliance with regulatory obligations open themselves up to expensive judgments.
If it turns out my prediction proves accurate, at least your company can avoid being one of the turkeys.