IT Asset Disposal Compliance Starts Day One, a Guest Blog by Bob Johnson, NAID CEO
We’re pleased to share this great article with you on IT asset management, authored for Securis by Bob Johnson, NAID’s CEO.
IT Asset Disposal Compliance Starts Day One
When it comes to the protection of data on retired or recycled IT equipment, awareness of the regulatory requirements and their consequences varies widely. Some organizations are acutely aware of their responsibilities to have written policies, train employees and demonstrate due diligence when selecting third-party services to process the equipment. Many organizations understand they have a legal requirement to notify the authorities in the event of a potential data breach that puts personal information at risk. Even among those organizations at the other end of the spectrum, the good news is that few, if any, would claim they have no awareness of their data protection responsibilities. Data protection is too prominent an issue these days for any organization to claim it has no awareness. To make such a claim would be tantamount to admitting gross negligence, or rather “willful negligence,” as the data protection regulations refer to it.
There is, however, an emerging issue in IT asset disposal and recycling still overlooked even by organizations that take data protection compliance extremely seriously: tracking of IT assets over their deployed life.
Anyone who’s done an IT asset inventory even at a medium-sized company expects that there will be a significant percentage of missing devices. The problem usually worsens as the organization gets larger.
Technically, IT assets carried on an organization’s books that are discovered to be missing during an end-of-life audit should, at minimum, prompt an internal breach investigation, and in many cases lead to a significant number of breach notification incidents. In the real world, however, the discovery of missing assets is met with a shrug of the shoulders and a kind of “oh well” attitude. Keep in mind, not reporting a potential data breach is illegal and it is hard to see how the discovery of a missing device would not qualify as a potential breach. Not conducting an investigation and not reporting these incidents are de facto violations of the law, especially, as is the case with HIPAA, where there is no “risk of harm” loophole in the breach notification law.
Of course, conducting an investigation for every missing IT asset during an end-of-life inventory poses a number of logistical and other practical hurdles. It’s like looking for the horses two weeks after the barn door was left open. The reality is that IT asset/data protection regulatory compliance does not start with the decision to retire the asset. It starts on the day the equipment is originally acquired, and continues to the tracking of that equipment over its deployed life.
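The reconciliation the article describes (assets carried on the books, an end-of-life audit, missing devices that should trigger an investigation) is easy to state but rarely implemented as a repeatable check. The following is an added illustration, not code from the article, from Securis or from NAID. It assumes a hypothetical register in which each device carries a serial number, a device type and dated lifecycle events (assigned, transferred, sanitized, disposed), an audit that lists the serials physically found, and a simple rule that a missing data-bearing device with no sanitization record needs a breach investigation. The sample register is constructed for the example. The "days unaccounted" figure shows why day-one tracking matters: with only an acquisition date on file, the window in which a device could have gone missing is the whole deployed life.

```python
"""Hypothetical asset-register reconciliation for an end-of-life audit (added example)."""
from dataclasses import dataclass, field
from datetime import date

# Device types assumed capable of holding personal data (assumption for this example).
DATA_BEARING = {"laptop", "desktop", "server", "phone", "external_drive"}


@dataclass
class Asset:
    serial: str
    kind: str
    acquired: date
    # Dated lifecycle events, e.g. ("assigned", "transferred", "sanitized", "disposed").
    events: list = field(default_factory=list)

    def has_event(self, name):
        return any(e == name for _, e in self.events)

    def last_seen(self):
        # Most recent dated event; with no events at all, only the acquisition date is known.
        return max((d for d, _ in self.events), default=self.acquired)


def reconcile(register, found_serials, audit_date):
    """Return one finding per asset that is still on the books but was not found in the audit."""
    findings = []
    for asset in register:
        if asset.has_event("disposed"):
            continue  # already off the books; not expected to be found
        if asset.serial in found_serials:
            continue  # accounted for
        needs_investigation = (
            asset.kind in DATA_BEARING and not asset.has_event("sanitized")
        )
        findings.append({
            "serial": asset.serial,
            "kind": asset.kind,
            "days_unaccounted": (audit_date - asset.last_seen()).days,
            "needs_breach_investigation": needs_investigation,
        })
    return findings


def investigation_queue(findings):
    """Serials that the breach-investigation rule says cannot simply be shrugged off."""
    return [f["serial"] for f in findings if f["needs_breach_investigation"]]


def build_sample_register():
    # Constructed sample data; serials and dates are invented for the example.
    return [
        Asset("SN-1001", "laptop", date(2019, 3, 1), [(date(2019, 3, 5), "assigned")]),
        Asset("SN-1002", "laptop", date(2019, 3, 1),
              [(date(2019, 3, 5), "assigned"), (date(2022, 11, 10), "sanitized")]),
        Asset("SN-1003", "monitor", date(2020, 1, 15), [(date(2020, 1, 20), "assigned")]),
        Asset("SN-1004", "server", date(2018, 6, 1), [(date(2018, 6, 2), "assigned")]),
        Asset("SN-1005", "desktop", date(2017, 9, 1),
              [(date(2017, 9, 3), "assigned"), (date(2021, 4, 1), "disposed")]),
    ]


def run_sample():
    register = build_sample_register()
    found = {"SN-1004"}  # only the server turned up in the constructed audit
    return reconcile(register, found, date(2023, 6, 1))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
    print("investigate:", investigation_queue(run_sample()))
```

On the sample data, SN-1001 (an unsanitized laptop last seen in 2019), SN-1002 (a laptop with a sanitization record) and SN-1003 (a monitor) are all missing, but only SN-1001 lands in the investigation queue; the disposed desktop and the located server generate no finding. Running the same reconciliation at every transfer rather than only at end of life keeps `days_unaccounted` small and makes the investigation tractable.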
Until and unless that happens, many, if not most, organizations, even those who give compliance a high priority, will continue shrugging their shoulders and playing Russian roulette in violation of the regulations.
Robert (Bob) Johnson – Biography
Robert Johnson is the founder and CEO of the National Association for Information Destruction, Inc. (NAID). Johnson has also overseen the development of NAID-Canada, NAID-Europe, and NAID-ANZ for which he also currently serves as executive director.
Formed in 1994, NAID’s purpose is to educate governments and businesses about the need to properly destroy discarded information, as well as to promote ethics and security standards among its members. The association now represents over 1,900 member companies globally.
With more than 30 years in the secure destruction industry, Johnson spends the bulk of his time speaking and writing on a wide range of issues related to the proper disposal of information, data protection legislation, policy and compliance issues, and vendor selection criteria.
In his capacity as NAID CEO, Johnson is routinely sought by policymakers around the world as they look to create regulations and standards concerning proper information disposal. He has testified before the Canadian House of Commons and the Canadian Privacy Commissioner on the issue of proper information destruction and the need for clear regulatory direction and enforcement. The U.S. Federal Trade Commission consulted with him in the development of the FACTA Final Disposal Rule, and he appeared before the U.S. House of Representatives’ Financial Services Committee during hearings on data protection.
Currently, he serves on the Information Asset Protection Council and the Information Protection Guidelines Committee of ASIS International. By special invitation, he also serves on the British Standards Institution’s committee responsible for developing practices and standards for information destruction firms in the U.K.