News

Dispose of IT Equipment Without Sharing Secrets

The threat of data loss, coupled with increasingly stringent environmental regulations, has IT pros rethinking their disposal methods for computer gear.

By Shawna McAlearney

January 30, 2007 — CSO —

Getting rid of obsolete IT gear isn’t as simple as it used to be. The threat of data loss, coupled with increasingly stringent environmental regulations, has IT pros rethinking their disposal methods.

"In the past, electronic equipment disposal was more of an asset-accounting issue, handled by the financial group. Now we track computing equipment from cradle to grave, recording the final disposition and using checklists to assure that data was appropriately removed," said James Kritcher, vice president of IT at White Electronic Designs in Phoenix.

It’s about time, analysts say. According to research from IDC, Gartner and the National Safety Council, about 1 billion computers will become potential scrap between now and 2010, and 150 million obsolete PCs are currently sitting in warehouses, storerooms and closets.

"I have yet to visit an end-user IT organization without the infamous IT closet full of aging equipment that probably holds critical data. But removing that data is still not seen as a pressing business issue," said Joe Pucciarelli, a research director at IDC. "Anyone relying on ignorance of the threat as a business strategy will be unpleasantly surprised."

It’s entirely possible that someone could salvage and steal data from computing equipment that is improperly disposed, Pucciarelli said. "Five or 10 years ago the risk might not have been as high, and network executives certainly weren’t aware of it," he says. "Today a company could be considered negligent if it isn’t aware of the risk of old equipment becoming compromised. The bad guys will figure out how to get through the holes and compromise corporate data."

If that happens, companies stand to lose millions. A 2006 study by the Ponemon Institute found data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005.

While most IT experts are doing all they can to safeguard active systems against such breaches, they need to be equally diligent about protecting inactive equipment from prying eyes.

A data loss along the lines of what happened at University of California at Los Angeles, where a breach exposed 800,000 records, "would be crippling for us," said Chris Holbert, COO and CIO at LaunchPad Communications in Los Angeles. "Corporate intellectual property needs to be guarded. Even if it is mundane or seems outdated, it is critical and we need to ensure no unauthorized parties gain access to that company data—even after its end of life."