IT companies generate a ton of waste. Because of the nature of computing and the systems that are required, each device’s lifecycle ends with a consideration of disposal, refurbishment, or reselling, and each of these considerations has a bevy of concerns.
ITAD, or IT Asset Disposition, is the business and conceptual approach built around dealing with these concerns. Mastering ITAD, regardless of level of data, is extremely important, and should be considered a vital part of any data management process.
Today, we’re going to take a look at ITAD, and what it all actually means. We’ll look at the issues that cause these considerations to pop up, and some of the processes that must be put in place to master data disposal for proper ITAD.
ITAD is an extremely important topic for any data provider because of the caveats considered in end-of-life data management. When data devices such as servers and hard drives enter the end point of their lifecycle, consideration should be immediately given to what happens to that data, and what happens to the physical footprint that data occupies.
There are three general practices within ITAD that are given consideration - disposal, refurbishment, and reselling.
Disposal is just that - the physical destruction of a disk. While this is often the gold standard for sensitive information, it comes with many environmental concerns. Hard drives contain heavy materials and metals that could pose a substantial risk to wildlife, and thus need to be disposed of via special methods. You can’t simply “throw away” certain devices - foregoing the ethical and moral arguments, this would result in huge business fines, and in some states, may even result in a stripping of the license to operate a business.
Refurbishment sounds like a better solution in the face of those concerns, but it too comes with its own issue. How do we store the data while we are refurbishing the items? How do we ensure proper refurbishment processes and predict the length of lifecycle? If we use a third party solution, how do we ensure private data is properly secured and breaches to not occur?
“Well,” many businesses say, “we’ll just resell the items then! No destruction costs, and if we just wipe the drives, we’re fine!” The problem with that line of thinking is that it’s somewhat unrealistic. You can’t donate broken drives, and you’d have an even harder time selling them. Even if they are broken down, you need to look at how the data was erased.
Did the drive break down before being sold? The data is still on the platter. Did you erase the data before selling it? Are the customers aware of the state of the drive? If not, this might be an illegal sale, opening the company up to indemnity and liability issues in addition to false advertising.
There are obviously some huge concerns here. Thankfully, IT has been around long enough that there are some general guidelines that can be followed to ensure proper ITAD management.
Disposing of physical data constraints requires some intimate knowledge of local laws. Businesses need to reach out to their local waste management facilities, and inquire as to the process of technical equipment destruction.
If at all possible, businesses should use professional ITAD or data destruction specialists. Machines designed to crush hard drives, extremely powerful electromagnets capable of wiping and destroying media, and even pulverizing shredders for ROM or other solid-state memory solutions exist, and can aid in ensuring proper and legal disposal of data.
The most important process of data disposal is auditing. Before data is marked for its end of lifecycle deletion, it must be audited. Any data currently in use, requested by governmental entities, or needed for establishing clerical or administrative records for accounting or other legal purposes should be maintained. Proper auditing should result in a drive that is wiped of non-essential data using a secure solution such as [Clarabyte](https://www.clarabyte.com), and then destroyed in an ecologically sound way.
Refurbishment has a whole other set of concerns. Disposal has a legal concern because of what it does to the environment - refurbishment has a concern as to what it does to your data. Ensuring data is properly backed up is paramount to this process.
Take a theoretical instance of a client database. At the end of the lifecycle, the hardware storing the database, a single copy is created on a local server. During the refurbishment process of the hard drive, the single backup fails, causing physical destruction to the backup disk. Because no proper backup process was adhered to, you’ve now lost the records of literally everyone you were storing locally on your database.
Thus, refurbishment needs to be treated as if the hard drive is being destroyed, but with the intent of data preservation. Backing up the data, both in encrypted form and in local encrypted form for access is vital, as any issues in this step can result in huge data losses without it.
More to the point, even if perfectly refurbished, the new disk should not be treated as a primary source. Refurbished hard disks may fail in secondary, unrelated ways to the initial repair, and as thus, these disks should be considered for tertiary backup disks or volatile uses, such as temporary virtual machines or other such solutions.
While this might seem extreme, you’re dealing with sensitive data here - you can’t be too extreme.
Whereas legal concerns hover around data disposal, reselling has a concern of data leak. Data being leaked is often an accidental instance - when you resell an item without properly checking the contents of the drive or erasing the digital content, you’re willfully leaking this data - you are causing your own breach.
These breaches are ethically and morally a problem, but they also incur hefty legal fees. HIPAA violations can result in a cumulative cost of $1.5 million per year for single statue, multiple incident violations. Federal leaks can result in loss of contracts and charges of negligence.
Thus, data should be preserved where legally required, and annihilated when not. The drive should be restored to what is considered a “zero state”, the state in which the hard drive is completely wiped to a string of 0 binary bits, over multiple passes, completely unformatted and unmarked.
By doing this, you should erase any forensic data left behind, in addition to the actual data on the disk. Simply formatting will not do - destruction must be total and permanent. Of note is the fact that the sold materials must be marked in the condition that they are truly in. To aid in this, proper records of maintenance, data deletion, and other processes are very useful (removing, of course, any personally identifiable or confidential information).
A Common Solution - Clarabyte
In all of these solutions, one common thread is repeated - the assurance of proper data destruction. Clarabyte offers perhaps the most powerful methodology for ensuring this data is securely wiped. By adhering to several specific legal and policy requirements, including HIPAA, Sarbanes-Oxley Act, and others, Clarabyte offers an easy methodology to ensure data is fully and completely destroyed.
By adhering to these common concepts and tips, and utilizing a program such as Clarabyte to wipe data, compliance with all legal, ethical, and moral considerations can be assured, and thus, ITAD mastered.