How well do you know your ITAD provider? If this question causes you to pause, you could be opening yourself up to a tremendous amount of risk. One global financial services provider is learning this the hard way. The banking giant revealed last month that a 2016 data decommissioning project was outsourced to a company who in turn sold the devices to another ITAD firm, who sold them to yet another third party (or should we call them a fourth party at this point?). That company resold the devices to consumers without properly wiping the data. This resulted in thousands of customers’ data to be compromised, several court cases, $60 million in fines and a lot of bad publicity.
The bank required the contractor to provide written consent before subcontracting any work, but that didn’t seem to stop them. Now, the bank is left to deal with the aftermath.
Most CIOs are very tuned in to data security risks while IT is in place. Between phishing attacks, ransomware, malware and more, there is certainly plenty to worry about. However, it’s equally as important to ensure data is safe on decommissioned technology as well. So many companies treat IT disposal and decommissioning as an afterthought, but this story should be a huge lesson for IT departments and asset managers everywhere. Do your due diligence when selecting an ITAD provider. Vet them, get to know them, understand their processes, research their certifications. If you don’t, your decommissioned IT just might end up in a similar game of hot potato.
Building an effective chain-of-custody process not only reduces your organization’s risk, but it helps you gather a strong foundation of evidence should a data compromising situation occur. Other benefits include deterring employee theft, uncovering holes in your organization’s security and consistently holding your vendors accountable. Properly documenting and reconciling your inventory with your ITAD vendor when something is amiss can be the key to avoiding a costly disaster.
The responsibility of equipment and where it goes lies on your organization until you prove there was a successful transfer to the vendor. Remember, if equipment is found in the wrong hands and it contains data, there could be a hefty price to pay.