High-profile data breaches have highlighted the perils of ITAD, and until multiple companies are “put in the penalty box,” it will keep happening, industry experts said during a panel at the 2024 E-Scrap Conference.
However, ITAD firms can take steps to help avoid risk and educate clients, the panelists said during the conference, which was held by Resource Recycling in Orlando from Sept. 30 to Oct. 2.
In one notorious example, years of ITAD errors cost banking giant Morgan Stanley more than $163 million in penalties and fees. The legal issues stemmed from IT asset decommissioning and refresh projects the company undertook between 2016 and 2019.
Morgan Stanley hired a moving company with no data destruction experience to decommission two U.S. data centers in 2016, and devices holding unencrypted customer data were eventually sold online. In 2019, Morgan Stanley simply lost track of dozens of devices containing customer data during an IT refresh project.
“I don’t think we’ve actually studied it as an industry and learned the lessons yet,” said Kyle Marks, founder and CEO of Retire-IT, adding that millions of dollars in fines and penalties is small change to a corporate behemoth. “Morgan Stanley eats that for breakfast.”
In the latter incident, the vendor was Arrow Electronics, “one of the most credentialed, secure powerhouses in the industry at the time,” Marks said. The incident “ran down the list of everything you could do wrong.”
However, those failings were on the part of the client, not on the part of the ITAD, he said. “Very often ITADs or any vendor is more compliant than their client is. From any perspective, this becomes a poster child for why a client should pick you as a service provider,” he said. Morgan Stanley had chosen a vendor based on reduced costs, “and it’s coming back to bite them. That’s obviously a good message for you if you’re an ITAD.”
Panelist Bob Johnson, principal advocate at Privata Vox, agreed: “Cheaper is not always better, in fact cheaper is probably not better. You need to be careful in the selection process.”
The incidents were a great example of why ITAD isn’t just disposing of garbage and must be taken more seriously, Johnson said. “The client always pays for the consequences of the vendor’s mistake,” he said.
In announcing its findings, the SEC called the Morgan Stanley breaches “astonishing.” Marks said, “The only thing astonishing is that the FCC found it astonishing. Anybody who has been in this industry for any period of time understands that most clients are wildly noncompliant.”
“When the company buys the assets and deploys them, they’re already losing track of 2-3% of assets upon deployment,” he said. “And life cycle management is a series of check-ins and check-outs, and ITAD is what I call the final checkout. Companies are lucky if they know where 85% of their assets are, but magically at the end of life, 100% of assets are accounted for.”
Certification helps avoid risks
Morgan Stanley failed to conduct the risk analysis associated with hiring third-party vendors, said panelist Jennie Gift, vice president of member services at i-SIGMA. Using a certified company would have helped with their verification process, she said, and the company is required to do a risk assessment based on working with certain vendors. Had Morgan Stanley looked at its subcontractors involved in the project beforehand, “they would have been able to see some red flags before the incident happened.”
Using certified vendors also would have avoided the miscommunications that led to the breach, including one firm assuming the downstream firm would wipe the data, and the downstream firm assuming the upstream firm had done so. “They would have had processes that they would have gone through to track all of that,” she said.
Panelist Eric Capps, director of global compliance at Iron Mountain, concurred, saying that by using proper policy and strategy, “we’re making sure that we’re not releasing control of any data-bearing device without 100% certainty that it’s safe.”
“Never assume a hard drive doesn’t have data,” he said. “We should never take anybody’s word for it.”
Johnson added that processors’ written policies and procedures are among the most overlooked areas of vulnerability.
Top-down education
Avoiding disastrous breaches starts with education, the panelists agreed.
“We need to educate our customers and help them understand the process of how to manage these assets and how to retire them properly,” said Gift.
She added that having only one person at an organization understand the risks is insufficient, and client-facing staff must know the reasons behind best practices. “They’re your stewards, they’re out there talking to your customers,” and this extends the education even further.
Capps agreed, saying front-line workers have procedures to follow but aren’t always told why to follow them. Beyond that, shareholders and investors need to understand as well, he said.
The people ITAD professionals speak to often are not very high on the decision-making ladder, added Johnson. Lower- and mid-level employees would “just as soon not be bothered with incidents, whereas someone higher in the org would understand that we can’t just let this stuff go,” he said.
ITAD firms have to elevate the discussion up the organizational chain so chief risk officers and boards of directors understand what’s going on, “and we as an industry are not abetting this noncompliance simply by being the rug under which these missing IT assets are swept,” Johnson said.
Companies may not understand the significance of a seemingly small issue, he added. “A missing IT asset can have more information than an entire warehouse, so if Iron Mountain couldn’t find one of those buildings, it would be a pretty big deal.”
As a result of new SEC rules implemented at the end of 2023, entities must account for all assets even if they might not contain data, Marks said.