Risk is quantified by considering the potential impact of an event and weighing it against the likelihood of that event occurring. Today, IT asset disposition (ITAD) is considered low risk – the odds of a retired computer being the cause of an expensive breach are assumed to be slim.
This assumption justifies a modest investment and a relaxed management approach. Associated data security safeguards are assumed to adequately mitigate ITAD risks, and encryption has become a justification for disregarding chain-of-custody procedures.
Unfortunately, ITAD is becoming a plaintiff lawyer’s dream come true and risk managers are encouraged to rethink their approach to ITAD in order to appropriately safeguard themselves.
Lawsuits are becoming the norm
Multiple punitive class-action lawsuits are becoming the norm following the disclosure of data breaches. In one example of many, a final count revealed that 140 lawsuits were filed against Target in the wake of their 2013 data breach.
The biggest risk of ITAD is not data security per se. The biggest risk is related to governance. Aggressive plaintiff attorneys are eager to demonstrate that deep-pocketed defendants ignored regulatory requirements and easily-discoverable information makes ITAD a prime target.
Companies that are unprepared to defend their ITAD programs and demonstrate their compliance with regulatory obligations open themselves up to expensive judgments and fines.
How does this change the risk factor of ITAD?
Suppose your company suffers a data privacy breach. Now imagine a litigant citing poor ITAD management as evidence in a negligence claim, either as a primary claim or as corroboration in a broader claim of negligence …
Your Honor, the defendant cannot account for retired computers. Regulatory requirements were ignored and risk assessments were not performed. The defendant made a presumption that a lost computer posed no risk. Rather than considering a lost computer a potential security incident, the defendant systematically swept the problem under the rug. The defendant is guilty of willful neglect, breach of implied contract, and unjust enrichment.
Simply put, ignoring incidents can undermine your legal defense. Class-action status can be granted when plaintiffs demonstrate actionable injury and negligence. ITAD evidence can be subpoenaed to demonstrate willful neglect.
Most mature companies have necessary safeguards in place to address conventional risks associated with ITAD, but these alone are not sufficient.
Mitigating risks with ITAD
From a risk management perspective, the prudent ITAD strategy is a two-pronged one:
- Have a process that minimizes losses
- Have a defensible process for IT disposal in order to mitigate the risks associated with class-action lawsuits
Losses are a fact of any system. Airlines mishandle 1-in-155 bags. Freight companies lose shipments. Claims are filed in 20% of moves. The post office loses mail.
Likewise, losses are an aspect of ITAD. New research from Compliance Standards LLC, revealed 22% of retired computers cannot be accounted for by serial number. Similarly, another study found that four-out-of-five ITAD projects had unaccounted assets.
Why aren’t losses detected? A common approach for dealing with a missing asset is to consider the asset “retired” in their system of record, thus allocating said asset to an ITAD vendor. Unfortunately, the practice of allocating assets to a third party is akin to willfully ignoring losses and savvy plaintiff attorneys have discovered this practice.
The most effective way to minimize losses is with the use of disposal tags. There is a reason airlines tag luggage and movers tag boxes – it works. Tags are a far better way to track assets compared to serial numbers.
Disposal tags assist with establishing chain-of-custody with ITAD vendors – an important element in having a defensible IT disposal process. Companies using disposal tags are able to account for 98.4% of their assets – a significant improvement over the average 78% when only serial numbers are used.
Defensible IT disposal
Two attributes characterize a defensible IT disposal process: validated chain-of-custody and documented data destruction. The aforementioned disposal tags assist with establishing chain-of-custody with ITAD vendors but they alone do not comprise a complete solution.
Companies also need an effective system to collect, analyze, filter, process, and review ITAD information. Companies can no longer rely on informal efforts to satisfy management, investigations, regulatory, and litigation requests.
Companies achieve defensible IT disposal by leveraging purpose-built tools. Centralized management allows for control and visibility of the ITAD management function without hampering local disposal activities. It is also the critical audit point for compliance.
Documenting and validating is not only prudent because it mitigates litigation risk, but it also ensures that company’s policies and precautions are being followed. Luckily, the marginal cost to document and validate is negligible.
Evaluate your ITAD risk
Risk managers are encouraged to rethink ITAD management practices and ensure they can answer the following questions:
- How would we know if a loss occurred?
- What incentives exist to report a loss?
- Does any employee have the ability to hide a loss?
- When were employees/contractors last trained on ITAD processes and procedures?
- How would our ITAD program be viewed under direct examination?
Retired IT assets are gone but not forgotten. Without defensible IT disposal, ITAD is a liability. Easily-discoverable information about ITAD can create enormous exposure for unprepared organizations.
For help assessing the risks associated with your existing IT asset disposition program, contact Retire-IT.