Old PCs Pose Environmental, Regulatory Threat

From Innovations, a website published by Ziff-Davis Enterprise from mid-2006 to mid-2009. Reprinted by permission.

We all know how great it feels to have a new PC plunked down on our desktop or in our briefcase.  But for IT organizations, that exhilaration is increasingly compounded by anxiety.  What should they do about disposing of the computer that’s being replaced?

This issue is gathering importance as the number of old computers grows.  Gartner has forecast that consumers and businesses will replace more than 925 million PCs worldwide by 2010.  And that’s just one category of computer.  Gartner expects another 46 million servers to ship during the next five years, and about one billion mobile phones to be discarded yearly beginning in 2010.

There are obvious ecological concerns that attend this problem, of course. Most personal computers contain chemicals that can poison water supplies and old CRT monitors have lead linings that should never make their way into a landfill.

But the risks to businesses these days can hit even closer to home. Discarded computers can contain proprietary data that, if disclosed, can open a company to a host of legal and compliance problems. Among the regulations that provide severe financial penalties and even imprisonment for improper data protection are the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act and Sarbanes-Oxley Act. There is also a host of local regulations to consider, the result of Congress’s decision many years ago to make environmental rules the domain of individual states.

Companies have gotten by for years on ad hoc approaches to computer disposal. Often, they sell old machines to employees, give them to charities or palm them off on trash-hauling businesses that dispose of the equipment in places unknown. But regulators don’t buy the “out of sight, out of mind” philosophy. Most place the onus of ensuring data protection on the original owner. That means that if a PC or cell phone containing protected information turns up in a landfill overseas somewhere, the firm that captured the data is on the hook for any legal obligations.

A particular concern is the trash companies, who often piggyback their computer disposal services on top of their basic business of hauling away Dumpsters full of refuse. While many of these companies are no doubt legitimate, some tried to cut costs by piling IT equipment into containers and shipping them overseas.

In some cases, this equipment is simply thrown into open holes in the ground, causing unknown public health concerns. Many Third World countries also have subcultures of entrepreneurs who disassemble equipment and sell the piece parts on the open market. In 2006, the BBC bought 17 second-hand hard drives in Nigeria for $25 each and recovered bank account numbers, passwords and other sensitive data from them. Under many regulations, the original buyers of that equipment could be liable for any security or privacy breaches that resulted.

Nearly every business should have a plan for disposing of end-of-life computers. If storage equipment is to be repurposed, it needs to be thoroughly erased. The Department of Defense’s 5220.22-M erasure standard ensures that media is completely cleansed of recoverable data. A simpler approach is to take a hammer and smash the storage media into smithereens. Whatever tactic you use, you need to document the data destruction using the appropriate compliance forms.

A new practice has also emerged called IT Asset Disposition (ITAD). ITAD vendors essentially outsource the disposal process and provide tracking, verification and even insurance against liability. Some firms can also remanufacture components and sell them, thereby reducing costs for their customers.  Research firm International Data Corp. has published a good study on the market. The site Greener Computing also has helpful advice.