WHITE PAPER

LEVERAGING IT ASSET DISPOSITION TO STRENGTHEN DATA PROTECTION

IN TODAY’S ENVIRONMENT, ORGANIZATIONS CANNOT AFFORD A WEAK LINK AT

ANY STAGE OF THEIR DATA MANAGEMENT STRATEGY. THIS APPLIES NOT JUST TO

DATA CREATION AND STORAGE, BUT ALSO DATA DESTRUCTION. MANY IT AND

BUSINESS LEADERS MAY BE UNAWARE OF THE MYRIAD DATA PROTECTION RISKS

THAT CAN OCCUR AT THE END OF THE DATA LIFECYCLE. THIS ARTICLE DISCUSSES

THOSE RISKS AND HOW TO MITIGATE THEM THROUGH A BEST-PRACTICES

APPROACH TO IT ASSET DISPOSITION.

Business and IT leaders are under intense pressure to secure and protect data at every stage of its lifecycle. The average cost of a data breach has risen to $4 million, and the average cost of each lost or stolen record containing sensitive or confidential information is $158.1

Beyond costs, a breach can inflict significant collateral damage to the business, resulting in fines or other penalties for failure to meet regulatory requirements. In addition, a breach can cause irreparable harm to brand reputation and customer goodwill, while creating potentially serious morale and productivity problems for employees.

To limit risk, organizations are embracing solutions and strategies that protect, preserve and manage data at every stage of its lifecycle. One of the biggest challenges comes at the end of an IT asset’s life, when organizations must ensure that specific actions are taken to prevent breaches as data-bearing equipment is retired.

Business and IT leaders are increasingly turning to IT asset disposition (ITAD) services as a way to ensure protection. The ITAD market is growing at a compound annual rate of nearly 10% and is expected to reach more than $20 billion

1 “2016 Ponemon Institute Cost of a Data Breach Study,” Ponemon Institute and IBM, June 15, 2016

by 2022.2 While that growth is being fueled primarily by increased spending on data protection, companies that invest in ITAD are also able to achieve ancillary benefits such as value recovery and environmental compliance.

This paper discusses the importance of ITAD in protecting data and meeting compliance requirements. It also addresses ITAD’s positive impact on the environment and in generating value from the remarketing of retired IT assets. Finally, the paper describes the capabilities to look for in an ITAD service provider in order to maximize protection and minimize risk.

END-OF-LIFECYCLE RISKS

Organizations are generating more data than ever and using a wider range of devices to create, store and manage it. To satisfy regulatory compliance and business requirements, all organizations should adhere to a best-practices data management strategy that protects data throughout its lifecycle. This is especially crucial today, with the proliferation of email communications, social networking, cloud computing and mobile collaboration tools.

Data destruction is a particularly important aspect of data

2 “IT Asset Distribution (ITAD) Market Worth 20.09 Billion USD by 2022,” Marketsandmarkets, Dec. 15, 2016 /02

management that cannot be overlooked. Organizations must ensure that practices and processes for data destruction are secure, reliable and compliant. If data is kept beyond its designated destruction date, it could impact compliance or e-discovery readiness. The same holds true if data is destroyed too soon.

One of the biggest end-of-lifecycle risks comes at the point of destruction, when physical equipment such as disk drives, personal computers, tape drives and laptops are retired. All of the data on those devices must be destroyed or sanitized, and the organization may be required to provide evidence of a secure chain of custody for the entire process.

Without the proper processes and procedures in place, organizations run the risk of having things go wrong during the disposition phase. Even worse, IT teams may not be aware if a problem has occurred and thus would be more susceptible to a breach. Potential disposition challenges include:

>> Negligence: It is costly and time consuming to destroy data, which provides an incentive for some ITAD providers to cut corners when disposing of or remarketing equipment.

>> Human error: Employees at an ITAD service provider can’t tell if data has been sanitized simply by looking at the media on which it resides. Equipment could be remarketed with data still on it.

>> Improper handling: If the chain of custody is not verifiable, there is no way of knowing for sure whether equipment has been diverted to a secondary market or landfill.

>> Environmental damage: If the ITAD provider doesn’t handle disposal in an environmentally compliant manner,

customers face incremental risk for fines, other penalties or reputational harm.

>> Missed opportunities: The secondary market for used IT equipment has been estimated at $1 billion. If an ITAD provider does not possess extensive remarketing capabilities, customers won’t be able to generate revenue from their end-of-life assets.

MAXIMIZING PROTECTION, COMPLIANCE AND VALUE

Most organizations have neither the in-house expertise nor the resources to ensure that they are adhering to ITAD best practices. It is critical to work with a reputable third-party provider to ensure that all data-bearing devices are physically destroyed. Alternatively, all data must be fully sanitized before any assets are remarketed.

The following represent the important factors to consider in evaluating potential ITAD providers:

>> Strict adherence to best practices in managing retired IT equipment. Disposition processes must be highly regimented and consistent, with secure and reliable service for all sites. Customers should also have access to alternative destruction methods and locations: bulk or serialized media destruction and on-site or off-site destruction capabilities. For example, some organizations, such as defense contractors or healthcare institutions, don’t want any data-bearing devices to leave the premises—thus requiring an on-site data destruction solution.

>> Assurance of compliant, environmentally sensitive disposal. The provider should guarantee that all IT assets are disposed of in an environmentally friendly /03

/04

manner that meets local, state and federal requirements. The provider’s operations should adhere to widely recognized certification standards established by credible industry organizations, such as e-Stewards, R2 and RIOS. These standards not only protect the environment and minimize liability, they also generate goodwill in the community and among customers.

>> Secure chain of custody—from asset collection to certificate of destruction. In order to ensure that all information is completely destroyed, an ITAD service provider should use proven logistics and asset tracking to identify and manage equipment at every stage of the disposition process. The provider should offer centralized reporting to verify that the chain of custody has been maintained and that all data on all equipment has been properly destroyed. This capability will be important in helping to meet compliance and e-discovery requirements.

>> Revenue-generating opportunities through IT asset remarketing. Remarketing IT assets could be a significant revenue opportunity if handled properly. Many unwanted technology assets have remaining end-of-life value. Research indicates that remarketing and value recovery services represent the largest portion of the overall ITAD market.3 In order to take advantage of these vast potential opportunities, decision-makers should choose a provider that maximizes value recovery by ensuring that each asset is tested, graded and refurbished. If there is material end-of-life value, the equipment should be remarketed; if not, it should be recycled using best practices.

3 Ibid.

SITAD: IRON MOUNTAIN’S SECURE APPROACH TO IT ASSET DISPOSITION

Given the importance of IT asset disposal, it is imperative to work with a provider that is a proven leader in protecting and securing IT assets. It is also critical to use a provider that takes a holistic approach to data lifecycle management, because end-of-lifecycle data destruction should be part of a strategy to protect and secure information at all stages.

In evaluating potential partners, Iron Mountain will stand out as the ITAD service provider that consistently provides industry leadership and expertise in all of the areas that are most critical to a successful ITAD strategy, including best practices in data lifecycle management, environmentally compliant disposal, secure data protection and secure chain of custody, IT asset remarketing, and flexible service options.

Iron Mountain has a long history and strong reputation as a Seven-Sigma provider of purpose-built logistic management systems and expertise for full lifecycle IT asset management. In addition, Iron Mountain offers customers the opportunity to customize their ITAD program to meet their unique needs—including program design, customer care and ongoing management. Key benefits of Iron Mountain’s SITAD services include:

>> Data destruction and media disposal: Iron Mountain utilizes an auditable, documented and repeatable process to prepare, transport and destroy hard drives, backup tapes and other data-bearing media either on site or at a secure off-site processing facility.

/05

>> E-waste recycling: Iron Mountain is an e-Stewards Enterprise that follows the strictest guidelines for environmental compliance, including a no-overseas and no-landfill policy.

>> IT asset remarketing: Organizations can convert legacy laptops, PCs and other hardware into a new revenue stream while maintaining information privacy and helping the planet. Iron Mountain leverages its extensive reseller database to ensure that customers receive the most competitive pricing for remarketed equipment.

>> Secure transport and chain-of-custody asset tracking: Secure transport protects data and assets from collection through arrival at the processing plant. Iron Mountain InControl™ scanning and tracking technologies ensure a complete chain-of-custody audit trail from collection through processing.

>> Certificates and reports: From the SecureSync® web portal, customers can download certificates of data deletion, certificates of asset recycling and destruction, and reports on compliance with environmental standards.

CONCLUSION

Companies of all sizes in all industries must do everything possible to protect their data and avoid breaches. A holistic data lifecycle management strategy is

a necessary part of any data protection plan, and IT asset disposition is integral to ensuring that data is safe and secure right until the end of its lifecycle.

There are specific challenges in dealing with end-of-lifecycle IT assets, particularly in recycling or remarketing equipment that may contain sensitive information. Most organizations lack the in-house knowledge or resources to maximize protection, ensure compliance and generate revenue from their end-of-life IT assets.

It is therefore important to work with a reliable and reputable provider of secure ITAD services. The supplier should ensure chain of custody, data security and compliance with all industry and environmental laws and regulations. The ITAD service provider should also offer guaranteed fair market value for remarketed assets.

When it comes to secure IT asset disposal, Iron Mountain is a proven leader and widely acknowledged expert provider of all aspects of data lifecycle management. To learn more, please review the following resources.

Iron Mountain Secure eWaste and IT Asset Disposition (SITAD)

Gartner Market Guide for IT Asset Disposition

SITAD: How It Works Infographic

© 2017 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks are the property of their respective owners.

ABOUT IRON MOUNTAINIron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data.

Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company website at www.ironmountain.com for more information.