It’s been two years since the COVID-19 pandemic forced companies and institutions across the world to require employees to work remotely while at the same time restricting on-site interactions with service providers.
What has this all meant for the intersection of IT asset disposition (ITAD) and data security? This article will offer the perspectives from a number of operators who have had to navigate these unprecedented times, encountering plenty of challenges and opportunities along the way.
The work-from-home world
Most ITAD leaders interviewed for this story agreed that the initial reaction to the pandemic and resulting lockdown was a nearly full stop. At the time, however, the shock was tempered by hopes that, though acute, the situation may be short-lived. A survey by i-SIGMA in the first weeks of the shutdown showed the vast majority of respondents (70%) felt that business would begin to return to normal in three months.
Of course, that is not what happened. The shutdown persisted, clients adapted, and corporate HR managers reported that people could be equally (if not more) productive at home compared with being in the office.
In early 2022, it’s clear the dispersed workforce is a continuing reality, and collection of IT assets from people working at home is becoming increasingly baked into ITAD expectations. The question now is: How will these growing volumes of devices be collected when it comes time for a refresh?
“Devices were quickly deployed across millions of home offices, creating security and compliance challenges at every stage of the asset life cycle,” said Angie Singer Keating, CEO of Reclamere, Inc. “The challenges for service providers are great, but so are the opportunities for service providers that can provide a secure compliance solution.”
On this front, many ITAD operators turned to what is commonly referred to as a “box” program as a collection solution. A review of the websites of nearly 100 NAID AAA Certified ITAD service providers found that approximately one-third explicitly advertised a parcel-shipping solution available to assist clients in collecting discarded IT assets.
That said, the jury is still out on the efficacy and profitability of parcel returns.
“We had a box program prior to the pandemic, and during the shutdown, [we] promoted it as a solution for clients struggling to find secure disposal options,” Glenn Laga, president of Guardian Data Destruction said. “It was a way for us to be responsive to clients’ needs and has proven to be very popular.”
Others, like Cascade Asset Management’s CEO Neil Peters-Michaud, note that, while clients continue to use their legacy parcel return program, the uptick in use since has not been significant.
“Our box program predates the lockdown,” said Peters-Michaud, “but we have not seen a dramatic increase in direct inbound shipments since the beginning of the pandemic. More commonly, at least for us, is the scenario where clients are using parcel returns to aggregate devices internally prior to proper disposal. Commonly, we see this being done in conjunction with the distribution of new devices where the same box can then be used to return the obsolete asset directly to client’s operation.”
Kyle Marks, CEO of RetireIT and ITCentral, said he has come to believe box programs only work when there is dedicated management support and accountability at the enterprise level.
“It’s neither effective nor profitable for a program to depend on employees who may have only been given a general or loose directive to ship IT assets to a preferred ITAD service provider,” said Marks. “Any program lacking organizational accountability and a simple, well-designed, unambiguous protocol is in no one’s best interest and likely to fail.”
Marks added that ad hoc compliance that results in such cases can actually put both the client and service provider at greater risk for data security problems. That’s because third-party parcel shipment firms overtly disavow any fiduciary responsibility for the contents of the shipments they handle.
From a regulatory compliance standpoint, collections based on third-party parcel delivery puts both service providers and clients between the devil and deep blue sea. On the one hand, turning regulated personal information over to third-party shippers overtly denying (vis-a-vis their contracts) the care and custody of the information flies in the face of data protection regulations. On the other hand, it is clearly untenable (even negligent) for clients to leave their remote workers with no direction and no options.
“ITAD providers need to have solutions that have unbreakable chains of custody,” explained Reclamere’s Keating. “Documentation must be bulletproof, and it must be able to withstand the most rigorous audit and reconciliation processes.”
As a way of mitigating these regulatory challenges, some service providers are experimenting with technology to track parcels, including automated mechanisms that forward confirmation texts and video clips offering details on when devices arrive at the facility and how they are destroyed or sanitized.
Still others are experimenting with widely distributed high-security containers into which media can be locally deposited. Keating’s firm provides heavy-duty security cages armed with GPS in order to protect and track shipments.
Evolution in data center business
All the ITAD professionals interviewed for this article said they saw their data center-focused work come to a full stop for a few months in 2020, only to be followed by a surge of business once pent-up projects were finally given the greenlight.
Data center projects have been a focal point for ITAD companies for a number of years, and in the wake of so much decentralized device deployment, such projects will continue to be very important.
In addition, data center ITAD work has become highly competitive, pushing some projects into low-margin or even unprofitable territory.
“Because data center operators are under significant pressure to control costs, the competitive environment sometimes motivates decision-makers to engage in risky ITAD practices,” said Brooks Hoffman, principal with Iron Mountain’s Secure IT Asset Disposition team. “If they are susceptible to such temptations, it can be difficult for a reputable, compliant services provider to compete for their business.”
But he added that “the proliferation of strong data protection regulations along with the potential for devastating fines and embarrassing headlines are slowly improving the situation for compliant ITAD companies.”
At the same time, the ITAD sector is seeing a trend toward data centers wanting on-site data destruction, whether it be overwriting or physical destruction. Those interviewed for this story said they see somewhere between half and all of their data center clients requesting some form of on-site media destruction or erasure prior to removal.
Dag Adamson, president of DestroyDrive.com, said ITAD opportunities with data center clients are growing as the internet of things and other networking trends evolve.
“Data centers – and, to some degree, all offices – have media-bearing devices that ITADs overlook when assessing a client’s data protection needs,” said Adamson. “Any networked device, including routers, switches, printers and handhelds, contain information that can compromise the security of the enterprise. Bringing this to clients’ attention not only represents an opportunity, but a duty.”
Being proactive to address the shifting electronics stream – and the shifting world – will be a critical component of ITAD success moving forward, said John Shegerian, executive chairman at nationwide processor ERI. He believes those companies that have not simply assumed the world would return to a pre-pandemic mode of operation will be the ones that thrive.
“Those of us who focused on innovation and operational flexibility over the last year are now much better prepared to handle what’s coming,” Shegerian noted. “In sum, we have learned to do much more with much less.”
Data protection remains key
One core trend was woven into the responses of all those interviewed for this article: Data security continues to grow in importance to clients and to the ITAD bottom line.
Is it fair to call this a reemergence story or is it a continuation of a story started decades ago? I say both.
While all readers are aware that data security was a growing priority for some organizations, clients emerging into this new world are taking the opportunity to reset their compliance focus. Additionally, service providers that survived the lockdown are emerging with a renewed understanding that customers who understand their compliance requirements are much more likely to stick around and pay prices that ensure a reasonable ITAD profit.
It’s true ITAD executives still find too many decision-makers who don’t know any better (or who have been persuaded to take the ever-enticing “shortcut”), but they also clearly believe there will continually be fewer and fewer who are willing to put their organizations at risk.
Bob Johnson is the CEO at i-SIGMA (the International Secure Information Governance & Management Association). He can be reached at firstname.lastname@example.org.
This article appeared in the March 2022 issue of Resource Recycling. Subscribe today for access to all print content.