Bob Johnson speaks onstage at the 2024 E-Scrap Conference in Orlando. | Big Wave Productions / Resource Recycling, Inc.
When it comes to ITAD data protection and privacy compliance, I tend not to be an alarmist. For the most part, service providers, especially certified service providers, operate in a compliant manner and are actually more secure and compliant than the clients they serve.
With that in mind, more than a few eyebrows raised when I told an audience at the 2024 E-Scrap Conference that their most overlooked risk is actually their clients’ non-compliance.
Generally speaking, most clients have poor IT hardware asset management practices. A recent Gartner report put the number of untracked enterprise IT assets as high as 30%, attributing this troubling statistic to unreported loss and non-sanctioned procurement. Keep in mind that every unaccounted-for IT asset is at minimum an investigation, and potentially a reportable incident.
Now, because there’s nothing an ITAD service provider can do about a client’s sloppy hardware asset management, there is also no inherent culpability or liability when missing assets go uninvestigated. That’s on the client. The problem is that too many ITADs inadvertently take on culpability simply by becoming aware of client inventory discrepancies.
Clients often provide ITADs with inventories of IT assets either with or in advance of equipment deliveries. More often than not, what’s actually received differs from what’s on the inventory list. Even if the client has not required it, not notifying the client of that disparity is where the culpability comes into play. Should any missing asset turn up later, the client is going to report that according to their records, the device in question was sent to the ITAD. Even if the client did not request – or declined – inventory resolution, breach notification regulators will view that ITAD as the only point at which the client could have been alerted to the missing asset. (Side note: Regulations such as HIPAA do not allow covered entities to release business associates from their inventory discrepancy reporting obligations.)
Another particularly troubling aspect of this is that reporting liability is perpetual. If the device surfaces in ten years, the regulators will come calling. Talk about tail risks.
Most readers will recall when, about six years ago, a major service provider inexplicably walked away from their massive investment in ITAD. Some say their investments in acquisitions amounted to hundreds of millions of dollars. A relatively short time after they closed shop, one of their former major clients reported a large number of missing decommissioned servers. The client then endured a very expensive SEC and class action settlement. The ITAD in question was never found to be at fault by regulators, and it is likely they had no culpability.
What we do know, however, is that they packed up their tent virtually overnight. They said it was due to “the economics” of ITAD. To the best of my knowledge, they never attempted to divest of the company or accounts. They just wanted out, and fast.
Though purely speculation, it leads me to wonder if that service provider’s board calculated that the risks of signing off on the inaccurate inventories of hundreds of other clients were simply too large to continue.
Notwithstanding such speculation, from an ITAD’s perspective, there are two strategies for addressing this risk.
The first strategy is scrupulously reporting any discrepancies. It doesn’t have to be elaborate or complicated. It is simply a report that identifies how what the ITAD received differs from what the client said they were sending. Some ITADs do this already.
The second strategy is not accepting advanced inventories prior to delivery but rather simply providing an inventory of what was received.
Either of these strategies prevents the ITAD from abetting a client’s prerogative to either blame a service provider for missing assets that resurface months or years later, or sweep missing devices under the rug, thereby avoiding their investigation and reporting obligations.
I started off by saying that I am not a compliance alarmist. I cannot point to an incident that mirrors the scenario I describe. But, given the measures reputable ITADs go through to identify and eliminate data security risks, it would be a shame if abetting a client’s non-compliance ended up being their Achilles heel.
Robert (Bob) Johnson, CSDS, CIPP/US, CIPP/E, is the Principal Advocate at Privata Vox, LLC. He can be reached at [email protected].