Theft of retired equipment doesn't have to be catastrophic, but theft of retired equipment that contains confidential data can drain budgets, deplete goodwill, and tarnish reputations. Assign an employee to ensure all data is removed from a device as soon as it has been identified for disposition using multiple-wipe software that has been proven to fully destroy data on a disk. Nonworking drives should be removed and physically destroyed using a hard drive crusher or even a drill. Data destruction should be documented. The longer retired equipment is allowed to linger, the greater the chances that valuable data could end up in the wrong hands.
In all cases, it is wise to destroy data before equipment leaves your facility. A driver could steal a computer, causing millions of dollars in damage to your organization. Should a computer be stolen or lost during transit, the transportation carrier might accept responsibility. Unfortunately, that would be a hollow victory, as the Carmack Amendment allows carriers to limit their liability for loss or damage to goods, regardless of how valuable they might be.
Ultimately, retired equipment should be handled by a qualified IT asset disposal vendor. You can outsource recycling, but not responsibility. If you think a pretty certificate will protect you, think again. Compliance and indemnification require unimpeachable chain-of-custody evidence. It is important to remember that unless you prove a vendor has your equipment, there is legal exposure. Disposal tags can protect that vulnerability by deterring employee theft and establishing chain-of-custody with a disposal vendor.
So why not ask a vendor, who is handling the equipment anyway, to also wipe data from the hard drives? You should. However, this should not be the primary method of data destruction. A vendor's data destruction services should be considered a secondary precaution. While it might sound appealing to ask a recycler to destroy data, no vendor can wipe data from a hard drive it never received.
Until a device is completely clear of all company data and verified to be in the custody of a qualified vendor, it is still just as important as it was while the device was in use. Companies spend large sums of money creating firewalls and encryption to protect sensitive business data, so why do companies treat retired equipment so carelessly?
By instituting policies that safeguard all of your equipment, you can ensure your sensitive data is safe from the time a computer is deployed until the day it is retired. With a little guidance, IT staff will likely work with you to keep your data safe.
Kyle Marks is the Founder and CEO of Retire-IT. Marks serves as the chairman of the Asset Disposal & Information Security Alliance North American Advisory Council and is also a Certified Hardware Asset Manager Professional (CHAMP) from the International Association of Information Technology Asset Managers.
This article originally appeared in Law Technology News.