Aside from the ethical and environmental implications of simply using the dumpster and/or shipping stuff overseas to third-world operators, there are serious legal issues every CIO must consider when getting rid of old gear. Like ensuring no personal data is on the hard drive.
Some companies have even been held ransom by people that have found data on equipment improperly disposed of, said Gartner Analyst Frances O'Brien. Of course, management insists they are just buying back gear that should have been disposed of properly, but they are paying a premium for the privilege, she said.
"I've talked to a lot of clients that have actually had to pay ransom to get their PCs back because they were disposed of with data on them," she said. "They don't want it to be in the press so they're paying. They don't want to bring the FBI in because they don't want to see 'Big Bank USA's' name in the press because client data got out."
Ransoms aside, PCs in particular need to have the OEM operating system installed because of the licensing agreement, said Jenny Blank, director of Enforcement at the Business Software Alliance. But data and applications that did not originally come with the unit must be scrubbed.
Scrubbing personal data has become even more important with the passage of the Health Insurance Portability and Accountability Act and Graham-Leach-Bliley, both of which call for enhanced protections of personal information used in electronic commerce, said Lauren Roman, vice president of Marketing at eWaste recycler United Recycling Industries. By the same token though, Sarbanes-Oxley calls for the tracking of all data threads material to the bottom line. Is that data leaving the company via the back door?
Hazardous waste regulations also must be adhered to or the original purchaser of the gear can be held liable. Asset tags need to be removed so equipment is not traceable back to the company of origin. And, if the tags are not, what questions does this raise about the processes and procedures used to cleanse the equipment of data?
Currently, the U.S. Environmental Protection Agency (EPA) does not fine companies for improper disposal of eWaste. But, under the federal Resource Conservation and Recovery Act, companies can be held liable for the toxins, such lead, cadmium, mercury, etc., found in all IT equipment. At the state level, where EPA likes to leave the regulatory work, more and more stringent legislation is being passed to control the proliferation of IT equipment in the waste stream.
There are currently 50 or so pieces of legislation under consideration in 24 different states, said O'Brien. This is because the problem of eWaste is expected to get worse, not better in the coming years. According to the EPA, over the next five years, some 250 million computers will be retired.
So, what do you do? Storing truck loads of gear is a common practice, said Roman, but, this is only a temporary and potentially costly measure. Eventually, something will have to be done with all that gear. And if the guys cleaning out the storage areas just dump it, the company is still liable.
Donating's Good. Right?
Another common method of disposal is charitable donations, said Bill Pogue, a senior systems engineer at Aztec Systems, an IT consultancy and services company. But, just because charities will take just about anything, if they can't use it the problem of disposal does not automatically transfer to them. What ends up in the river or dumped in open field somewhere can, and does, come back on the original owner of the equipment, he said.
Leasing equipment, as many large companies do, doesn't necessarily negate the problem either. Most lessors charge for disposal services and the OEM license and data issues are still ever present, said Glen Jodoin, vice president of Operations at GreenPages, an IT lifecycle management company.
Nor does responsibility for scrubbing data and adhering to licensing agreements transfer to a third-party vendor automatically, said BSA's Blank. "You can't take the operating system off and put it on your new machine and give away the hardware without an operating system," she said.
What you can do is ask a lot of questions, said Jodoin. Find out about the processes and procedures your contractor will use to scrub data and dispose of gear. Are they just a broker that ships equipment overseas? If they don't charge for their services, they probably are. Do they remove asset tags? They should. Do they use software that wipes drives down to just the DOS? They shouldn't.
"Any company should be investigating who they are using for this because this is becoming a bigger and bigger issue as we throw away millions of PC's," said Jodoin. "But, keep in mind, there is nothing free. I guarantee you when HP (Hewlett Packard) is putting their leases together, in their lease rates included is the cost of disposing of (the equipment)."