IT Asset Management: Aging Techno Marvels Sometimes Defy Disposal

Disposal represents one of the biggest points of failure in computer asset management because companies just don't know how many assets they have, where they are located, who's using them or what specific data resides on them, says Gartner analyst Frances O'Brien. "Unless you know that information you're at risk from Day One," O'Brien says.

About 30% of the nation's companies, including insurers, have no formal policy for disposal, according to the study "IT Asset Management Conference Survey Results: IT Asset Disposition," from Stamford, Conn.-based Gartner Inc.

Still, industry experts find comfort in seeing that most companies are aware of the risks of improper asset disposition, especially in light of the number of regulations facing the insurance industry.

O'Brien has seen clients take PCs out of service and put them in storage without cleaning the data from the drive. Time passes and the company loses track of the machine. Later, if the company decides to dispose of the hardware or strip it for parts, the information is exposed.

REGULATIONS IN PLAY

Managing data security and privacy risks is the most important consideration in disposing of obsolete or surplus technology, according to the Gartner report. Improper disposal of equipment puts an insurer at risk of violating privacy regulations such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA).

Environmental regulations also play a role in equipment disposal, according to Jim O'Grady, who manages HP Financial Services' U.S. Technology Renewal Center in Andover, Mass., which expects to process 600,000 pieces of equipment in 2007.

"Legislation, if you read it carefully, is holding you accountable to do due diligence and to follow that waste stream, and you need to know where it's going," cautions O'Grady.

Because the federal government chooses not to regulate electronic waste disposal, the responsibility falls to the states. That results in a plethora of rules.

"There are 52 or 53 pieces of legislation spanning 26 or 27 states proposing different ways to handle electronic waste - and most of them are different," says O'Brien. "So if you're an insurer with different divisions or locations or field offices in every state in the United States, you would be subject to knowing all of the particular regulations for each of those states."

Western & Southern Financial Group Inc. considers following environmental regulations the biggest challenge when disposing of equipment. "The environmental regulations change frequently, and it can be difficult to know the latest environmental disposal requirements," says Steve Hamilton, vice president of IT Operations of the Cincinnati-based life insurance, annuities, mutual fund and investment management provider.

Riding herd over so many rules can prove costly for carriers. If inspectors find electronics in the trash, regulatory agencies can levy fines for failure to classify waste.

Handing off the problem doesn't always work, either. The United States allows shipment of hazardous waste - which includes PCs because of the toxicity of their components - so much of the e-waste is shipped to Asia, where it pollutes the land.

"Many [disposal] companies do it and we ask [our clients] if they really want to be party to that," says O'Brien. "You probably want to ask somebody before you pick them as a partner if they will ship your equipment overseas."

DISPOSAL OPTIONS

Insurers have options when disposing of end-of-life PCs. Using disposal companies (29%) and charitable donations (23%) are the most popular methods, followed by storage and return to lessor or vendor, according to the Gartner report. Or, insurers could use a number of processes.

Western & Southern buys and leases equipment depending on various factors, which leads to different disposal methods. "Leased equipment is returned to the vendor at the end of the lease. Purchased equipment could be sold, cannibalized for spare parts, donated or disposed of depending upon its value, useful life, etc.," says Hamilton.

Use a process that creates a chain of custody from the moment the company takes the asset out of service until the moment it's disposed of, says O'Brien (see "Sample PC Disposal Decision Tree," below).

Outsourcing. Survey respondents say that convenience or ease of use is what they like most about outsourcers. As with any other vendors, watch out for companies that don't do what they say they will do, warns Gartner's O'Brien. "Picking a partner that doesn't do the job correctly is one of the biggest mistakes insurance companies can make in the disposition process," she says. "A lot of times they pick a vendor who has the lowest price. We've had clients who paid to have equipment disposed of only to find that equipment ended up someplace unsavory, such as a landfill or open field in New Jersey, because they got a good price."

Prices vary, even from a single source, because differing levels of risk require differing levels of overwrites, says Chris Adam, director of asset management at NextPhase, a Peabody, Mass.-based business unit of Converge LLC.

"Plan early, understand the landscape that you need to be accountable to and budget accordingly for those activities so that it can be calculated into the whole total cost of ownership of the asset," says Adam.

When insurers contact NextPhase about equipment disposal, Adam almost always recommends destruction of data, not overwriting, because insurer records contain sensitive data.

Obtain documentation stating you disposed of equipment properly, O'Brien says, adding that audits can fill that requirement. "We have had clients - who paid companies to dispose of their equipment - do a random audit, only to find out that a machine that was supposedly sanitized wasn't," says O'Brien. "You want to make sure that the people you're hiring to do this are really doing what they say they're going to do. You can outsource the task, but you can't outsource the responsibility or the liability - period."

Donation. Another disposal option - donation - requires careful consideration. "I had a client who donated PCs and they were so happy they did that they put a little plaque on it that read 'Donated By "X" Company,' and years later driving on roads in California you'd see these plaques attached to computers," says O'Brien. "It was very easy to trace this improperly disposed equipment back to the company."

When considering donation, take into account the labor costs of gathering and delivering the equipment. "It's one thing to find a home for five PCs," says O'Brien. "It's another thing, if you're a large insurance company, to find a home for 2,000 PCs from a straight donation program."

A piece of advice from O'Brien: When working with a disposal company, have them donate the equipment on your behalf. That will soften the liability and cost issues. "Have them do all of the work; have them find the charitable organization," she says. "Now you're one level removed."

Storage. When HP's O'Grady visits new customers' facilities, he often sees equipment stored in a warehouse. "As they're telling me they didn't know what to do with [the equipment]," he says, "a finance guy walks by and says, 'Do you know how much that's costing us?'"

Cost is the downside of storage. Besides the square-footage cost, labor costs will be incurred twice: once to put the equipment in storage and once to remove it, says O'Brien. Don't forget about the property tax on IT assets if your state assesses property tax.

Leasing. Leased equipment comes with built-in disposal. "Make arrangements with the lessor to eradicate the data and prove that they did it," says O'Grady.

Lessors own the equipment, even when it's in the lessee's possession, so they are liable for the disposal of the equipment, making them more likely to dispose of it correctly.

"We will provide them asset tracking reports that say we picked up this asset at their facility," says O'Grady. "We can even give them onsite serialization if they want it, so they can track and confirm the process."

While leasing may be convenient, O'Brien suggests asking upfront about additional charges and sanitization. "Some companies [taking their leased equipment back to the lessor] think they don't have to sanitize the data - that the lessor is going to do it - but oftentimes unless the lessee pays additional money or requests it, the lessor doesn't necessarily do it."

Extra charges for damages may develop when the leasing company sanitizes the data because they use an overwrite tool that may overwrite the operating system, rendering the equipment unusable, says O'Brien. "So, theoretically, if an insurer leases equipment, they should sanitize and load back up that operating system."

No matter the disposal method, Western & Southern's Hamilton sums up the important issues: "First and foremost, make sure all data on any equipment has been adequately destroyed," he says. "Know and understand the environmental regulations, and get competing bids for any equipment you may want to sell."

Disposal Questions

The Electronic Industries Alliance, headquartered in Arlington, Va., provides a Web site to help consumers find electronics recycling, reuse and donation programs in every state across the country. The Web site, www.ecyclingcentral.com, also provides a checklist of important questions - that can also apply to insurers - to ask a recycler to ensure the proper handling of used electronics.

* What are your policies and practices for destroying personal data that may still exist on used computers?

* Do you follow any recognized best management practices for electronics recyclers? Who certifies and audits your management system? Are you legally able to perform the work you claim?

* Have you had any environmental or safety violations (citations, fines, notice of violation, consent orders, etc.) or filed for any environmental damage insurance claims in the last five years? If yes, please explain.

* Do you send used equipment or wastes to other business partners or service providers? If yes, do you know what their export policies are, if they have any environmental or recycling certifications or if they follow recognized best management practices for recycling?

* What percentage of the materials you collect are recycled and what percentage is disposed of (either through landfilling or incineration)?

* Do you have general liability and environmental liability insurance? If so, how much?

Source: Electronic Industries Alliance
