Steve Hill explores an often forgotten
risk area – confidential data left on redundant PCs.
It is estimated that by 2004 there will be
315 million redundant PCs throughout the world. Some of these will
be recycled, reconditioned or re-used. Recent research shows that
only 22 percent of redundant PCs are recycled and 22 percent of
IT managers admit that they do not clean hard drives before equipment
leaves the organisation.
Over the last few years there has been much
debate in this area - but little action. However, pressure to reduce
the number of PCs which are scrapped has never been greater. New
EU legislation such as the Waste Electrical and Electronic Equipment
Directive (WEEE), the high penalties of the Data Protection Act,
and pressure from taxpayers and environmental groups, are all forcing
a change in behaviour.
Another major factor is impact on the bottom
line. Contrary to common perception, irresponsible PC disposal is
costly. Given that only 2 percent of PCs need to be landfilled,
can businesses afford not to dispose of their PCs responsibly?
There are three key drivers for change in this
area:
WEEE
The WEEE directive is the first piece of legislation to be introduced
to lay down guidelines for PC disposal. The directive puts the onus
on equipment manufacturers to take responsibility for the management
and recycling of redundant electrical and electronic equipment.
This alleviates the pressure placed on ‘end user’ organisations
and disperses responsibility for PC disposal more evenly.
There is some debate as to whether responsible
PC disposal should be mandatory, but evidence shows that it is in
organisations’ own best interests to dispose of PCs safely
and securely.
Playing safe
Irresponsible PC disposal can pose serious security concerns for
an organisation. For example, 22 percent of PCs are recycled through
donations to charities, schools, family and friends. While this type
of gesture may seem environmentally responsible, it can pose serious
security threats. If PC hard drives are not cleaned, sensitive information
can be spilt into the public arena. Many organisations invest thousands
in defences against viruses and security breaches in order to protect
crucial, sensitive data. But investment in security programmes may
well be in vain if PCs are disposed of carelessly.
Morgan Grenfell, now part of Deutsche Bank,
learned the hard way when Paul McCartney’s private banking
details were recovered from PCs decommissioned by the company. Morgan
Grenfell had failed to wipe data from the PCs before they were passed
on to a third party. More recently, confidential customer information,
stored in memory chips belonging to a high street bank, was discovered
by a group of students experimenting with memory chips from PCs
which had been donated for research by the bank.
Managing misconceptions
It’s a widely held misconception that PC recycling is too
costly - in fact 28 percent of IT managers say that PC recycling
is too expensive. In reality, PC recycling is cost effective and
can actually be profitable for an organisation. Only 2 percent of
PCs need to be landfilled - the other 98 percent can be recycled
or reused. Therefore if assets are disposed of securely and effectively,
equipment can be sold on rather than being scrapped.
So how can businesses ensure that they are
approaching PC disposal in the right way?
Best practice?
The first thing organisations must do is implement a policy that
clearly outlines what responsible PC disposal actually entails.
It is vital to find a ‘sponsor’ from within the organisation
who will ensure that the policy is delivered. This sponsor will
then take responsibility for overseeing who will carry out the work.
Equipment disposal should largely be left to
a specialist rather than to a member of the IT department, who will
not have the time or the necessary experience to ensure the safe disposal
of PCs. A reputable third-party disposal agent, or asset recovery
specialist, is a sensible option.
Unfortunately, not all agents are reputable.
At present, there are some unscrupulous companies offering PC disposal
who exploit the lack of opportunity and lack of regulation in developing
countries. In parts of Africa and Asia, unskilled workers are poorly
paid to take apart redundant PCs. Some parts are sold on but most
add to the ever growing mountain of discarded equipment.
Action is being taken to stop this. The Basel
Action Network (BAN) names and shames companies who undertake this
unethical type of work. Member countries of the Basel Convention
have agreed to ban the export of hazardous waste from countries
of the Organisation for Economic Co-operation and Development (OECD)
to poorer, less developed non-OECD countries.
But organisations using the services of asset
recovery companies also have a responsibility to ensure they are
using legitimate specialists.
A reputable asset recovery company will have
clear procedures in place and will issue full reports, tracking
all pieces of equipment from the time of disposal until the point
when they are recycled, reused or resold. It will also provide a
certification of data destruction. The full traceability of parts,
equipment and residual materials is crucial and allows organisations
to highlight their commitment to responsible corporate citizenship.
In fact, many businesses use these reports
to demonstrate their responsible approach to equipment disposal
in their annual reports and corporate literature.
And for those organisations who wish to donate
their old equipment to worthy causes, this must also be done responsibly.
Asset recovery companies can ensure that PCs go through best-practice
security procedures in order to guarantee that no sensitive or confidential
information can be leaked out into the public arena.
In order to comply with new legislation and
to ensure that they are seen as environmentally and socially responsible,
organisations need to prioritise strategies to manage PC disposal.
Responsible PC disposal can only bring benefits
to the organisation. By pre-empting the introduction of the new
legislation, organisations can ensure safe, secure disposal of their
assets and the protection of their customers.
Those organisations which are currently leading
the way in this area must shout about the good work they’re
doing in order to raise standards and help to encourage best practice
PC disposal across every sector.
Steve Hill is with Synstar.

•Date: 28th November 2003 •Region: UK / Worldwide •Type: Article •Topic: ISM