It’s inevitable for any business. You will, at some point, have to dispose of obsolete electronic hardware, including computers and other devices. The problem of disposal is a big one. Many companies will either throw old hardware away or store it in a closet somewhere. There are problems with both of these approaches.
First of all, some jurisdictions have legislation about electronics recycling. For example, in many states, including California, New York, and North Carolina, it is illegal to simply throw away electronic devices.
Second of all, both throwing away and long-term storage have security risks. The old computers have data on their hard drives which might compromise your company if it got out. The same goes if you let an employee take an obsolete system home, for example for their child to use. Computers in storage may be stolen, or an employee may decide to “borrow” one, causing security problems.
The fact is that businesses need an action plan for dealing with electronic hardware. Here is one suggested system:
Peripherals, Parts, and Monitors
Have a collections system for broken and obsolete keyboards, mice, printers, monitors, etc. As these devices don’t store data, you don’t need to worry about security. You do, however, have to concern yourself with recycling laws in your state. (Illinois, for example, requires that mice and keyboards are recycled.) Delegate an employee to periodically ensure that the collection point is emptied and the items properly recycled. You may be able to return them to the manufacturer. Or, you will need to take them to an e-waste site. Bear in mind that if you still have a CRT monitor or television, these can be considered hazardous waste. In some jurisdictions there’s a small charge for recycling them. It is generally wise to keep an obsolete monitor or two around as emergency spares.
Smartphones and Tablets
Whether you provide the smartphones or have a BYOD policy, smartphones can end up holding sensitive personal and corporate data. Because of this, any phone or tablet should be factory reset before being disposed of in any way. Make sure that the phone is backed up first. You should also remove the SD card and, if the phone has one, the SIM card. Unless the SD card has proved to be too small, it can simply be put in the person’s new phone. SIM cards are sometimes also transferrable. If not, then make sure the SIM card is wiped or physically destroyed (and the same with any SD cards that are not going to be used). Double check that all of the information is gone from the phone.
You may want to have a policy on disposing of phones, including BYOD phones. If somebody is switching out their own phone, educate them on why it should be wiped and have IT either do it or make sure it is done properly. Most people will understand that doing a full wipe of a phone before letting it go is smart.
Once the phone is “clean,” then you may want to encourage that it be recycled or donated. Phones can often be recycled at electronics vendors, and many charities will take donations.
Laptops, Desktops, and Servers
This is where the most significant security concerns are. The fact is that factory wiping a phone is often enough to ensure the data on it does not get into the wrong hands. This is not always the case for computers, especially if they use traditional hard drives. Just ask a data recovery expert what they can get off of a supposedly wiped drive.
The procedure for disposing of a computer should be:
- Do full backups of all the data on the system. Even if backups are being done regularly, Murphy’s Law may cause those backups to fail when they are most needed. One way is to clone the drive onto an external drive. All users should be copying the most important files to cloud backup anyway, but cloning the drive copies everything. In theory, the user should not even notice they have a new system, except that it is faster. There are a number of drive cloning tools available for both Mac and Windows. However, if a system is suspected of having corruption or a lot of hard drive clog, you may not want to clone the drive, as it will also copy over the problems. IT should make a reasoned case-by-case decision on whether to clone an old system or do a manual migration. Proper cloud backups will make manual migration a lot easier. As a note, Chromebooks, which store most of their data in the cloud, generally only need to be synced, not backed up. Mac Time Machine backups can sometimes be used to migrate, but IT should check the backups are good first.
- Deauthorize any cloud accounts. This includes things like Office 365, iTunes, etc. Forgetting to do so will cost you one of the limited slots for accessing the files and it can be a challenge for support to fix this. Having IT double check that everything is deauthorized is a good idea. If you don’t have full time IT, get another person with a similar user profile to check.
- Decide whether to wipe or destroy the hard drive. If the computer is going to be recycled, then you should remove and destroy the hard drive. If it is going to be donated or reused, then you will need to secure wipe.
- Wipe the hard drive. Just erasing the data on the drive is not enough unless the computer was only used for low security purposes. Instead, you should download whole-disk wiping software. Make sure that you use software that works with the drive or drives in the computer. Some older programs may not be able to properly wipe SSDs or hybrid drives. If the computer is going to be reused, make sure to create a boot disk before wiping the drive. Whole-disk wiping software generally has to be run from a DVD or a flash drive. If you only have an SSD, then it has a built-in secure erase function, but you may need to download an application to initiate it. Hybrid drives require a special application. Be aware that secure erase takes hours or even days, so you should initiate it after the new computer is set up and let it run in a corner. Once the drive is wiped, you will want to reinstall the operating system.
- Destroy the hard drive. An alternative is to physically destroy the hard drive after removing it from the computer. Smashing it with a hammer is usually sufficient, but if you handle a lot of customer data or have to deal with HIPAA, then you may want to take the hard drive to a professional for shredding. If you are disposing of a lot of computers, the shredding company may be willing to come to you. Some shredding companies will take the entire computer for recycling as well, and in some cases they don’t charge because they are making their money from the scrap value of your system. (It is hard to realize the scrap value yourself, so this may be a good deal to take.)
- Decide how to dispose of the computer itself. You have four options:
  - Trade it in. Some companies will take old computers through trade-in programs. This may save some money off of the replacement. Best Buy may also have trade-in options, but they don’t always offer the best deal.
  - Recycle. Choose a recycler that is part of the e-Stewards network, as you don’t want the recycling to be done by children scavenging piles of e-waste in third world countries. That’s not as common as it once was, but it still happens, and those kids often experience heavy metal exposure. If you hired a hard drive shredding company, they may be willing to take your system to recycle it. Recycling is the best option if the system is broken or more than five years old.
  - Sell/give. If the system is relatively new and simply not up to your company’s needs, then you may be able to sell or give it away to somebody who can get some use out of it.
  - Donate. A system that is still usable may be donated. Donated systems end up in schools or libraries, but you should not donate them straight to the library. Instead, you should send or give the old computer to a refurbisher that takes donations. Make sure they accept the type of computer you have (most refurbishers will not take systems that are more than five years old), and include all the peripherals and documentation if you still have them. Refurbishers prefer complete systems over trying to find compatible mice and keyboards.
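For the "Wipe the hard drive" step above, a read-back check confirms the wipe before a machine is donated or reused. This is an added example, not part of the original article: it assumes the wiping tool finishes with a pass of zeros (a tool that ends on a random pass cannot be checked this way), and the function names and the sample image are constructed for illustration.

```python
import os
import tempfile

BLOCK = 1024 * 1024  # read size in bytes


def scan_for_residue(path, block_size=BLOCK, max_hits=10):
    """Return (bytes_read, dirty_blocks, first_offsets); dirty = any non-zero byte."""
    total, dirty, offsets = 0, 0, []
    with open(path, "rb", buffering=0) as dev:
        while True:
            chunk = dev.read(block_size)
            if not chunk:
                break
            if chunk.count(0) != len(chunk):
                dirty += 1
                if len(offsets) < max_hits:
                    offsets.append(total)  # byte offset where this block starts
            total += len(chunk)
    return total, dirty, offsets


def wipe_verdict(path, block_size=BLOCK):
    """Summarize the scan as a one-line result for a disposal checklist."""
    total, dirty, offsets = scan_for_residue(path, block_size)
    if total == 0:
        return "NOTHING READ"
    if dirty == 0:
        return "CLEAN"
    return f"RESIDUE in {dirty} block(s), first at byte {offsets[0]}"


def make_sample_image(size, residue=None):
    """Constructed test input: zero-filled file, optionally with leftover bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(size))
        if residue:
            offset, data = residue
            f.seek(offset)
            f.write(data)
    return path


if __name__ == "__main__":
    wiped = make_sample_image(4 * 4096)
    missed = make_sample_image(4 * 4096, residue=(2 * 4096 + 100, b"payroll.xlsx"))
    for image in (wiped, missed):
        print(wipe_verdict(image, block_size=4096))
        os.remove(image)
```

On a real machine, pass the raw device path (for example `/dev/sdX` on Linux, a placeholder) from boot media with administrator rights. On an SSD a clean read-back only shows what the controller returns, so it complements the drive's built-in secure erase rather than replacing it.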
However, the security issues that come with disposing of old hardware, especially if you plan to donate it, may mean you have to choose recycling instead. One way to minimize these risks is to make greater use of cloud storage. Data that is not stored locally is not at risk of being stolen if the computer falls into somebody else’s hands. Using cloud storage also makes the task of migrating to a new system much easier and reduces the inevitable downtime. Using the cloud can also reduce the amount of electronics you need in the first place, by removing the need for on-site servers in a server room. As servers tend to have a shorter life span than desktop computers, minimizing the number you use can help reduce the amount of obsolete electronics you need to properly dispose of.
To find out more about how cloud storage and applications can improve security and make dealing with hardware obsolescence easier, contact Applied Innovations today.