Northeast Wisconsin, January 2014
Written by Brian Arpke

IT asset disposal — Achieving regulatory compliance for your company

Regulatory standards exist to protect consumers and to ensure a level playing field for business. As such, most regulatory standards place a heavy emphasis on process — not just doing the right thing, but planning a process and putting it in place to ensure the right thing gets done every time, with the documentation to prove it.

This approach should apply to all of a company’s compliance initiatives, but it is especially critical for the IT asset disposal process. Before it can reach final disposition, any given piece of IT equipment may undergo a journey that involves multiple people, procedures and locations, from identification and collection, to storage, to data destruction, to packing and shipping, to remarketing or recycling. Trying to enforce compliance throughout such a complicated process with a piecemeal approach is difficult, at best.

For this reason, I recommend a four-step approach to regulatory compliance:

  1. Understand the implications of each industry regulation for IT asset disposal. We’ll discuss some of the most common regulations below.
  2. Develop IT asset disposal data security processes that are compliant with the regulations and document them.
  3. Make sure everyone who contributes to the IT asset disposal process understands the process and requirements.
  4. Be prepared to prove you have followed the compliant process if challenged in an audit.

Regulatory standards and data destruction

Some of the most common data security-related regulatory standards with which American businesses must comply include:

  • HIPAA/HITECH: The Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act are federal healthcare industry regulations that, among other things, govern the security and privacy of healthcare data.
  • PCI-DSS: The Payment Card Industry Data Security Standard requires information security compliance from organizations that process credit cards, debit cards and other types of payment cards.
  • SOX: The Sarbanes-Oxley Act of 2012 is a federal law that sets standards for public companies, their boards and their management teams.
  • FACTA: The Fair and Accurate Credit Transactions Act was passed to protect consumers from identity theft. Its requirements include the proper disposal of consumer information.
  • GLBA: The Gramm-Leach-Bliley Act applies to financial institutions like banks and insurance companies and includes provisions for protecting consumer privacy.

From a compliance standpoint, protecting sensitive data from falling into the wrong hands is the highest priority of the IT asset disposal process. This sensitive data could include customer financial information like credit card numbers, employee social security numbers, health records, company trade secrets and anything else that could infringe upon someone’s right to privacy or be used maliciously if the wrong people got ahold of it. When IT equipment reaches the end of its lifecycle with a company, the process must ensure that sensitive information is destroyed.

Compliant data destruction processes

There are three different ways to destroy the data stored on retired IT equipment — physical destruction, degaussing or sanitization (wiping). But achieving a compliant data destruction process involves more than choosing one of those methods. Procedures should be in place to ensure assets don’t inadvertently pass through the IT asset disposal process without their data being destroyed. This might happen when, for example, your team is in charge of the data destruction and a laptop gets placed in the wrong pile; or a tech gets called away to another task before completing data destruction on a set of equipment. Documentation is very important, too, so that compliance can be demonstrated during an audit.
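The gate this paragraph calls for, written as an added example rather than anything from the original article: a small state machine over the stages the article lists, which refuses to let an asset reach packing, shipping or final disposition without a recorded data destruction, and keeps an append-only audit trail for each transition. Asset tags and names are constructed; the requirement that a second person verify each destruction is an assumed control the article does not specify.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Stages in the order the article lists them; "destroyed" is the gate.
STAGES = ["collected", "stored", "destroyed", "packed", "shipped", "disposed"]
METHODS = {"physical", "degauss", "wipe"}   # the three methods the article names


class ComplianceError(Exception):
    """Raised when an asset would bypass a required control."""


@dataclass
class Asset:
    tag: str                                   # constructed asset tag, e.g. "LT-0042"
    stage: str = "collected"
    destruction: Optional[dict] = None         # the record an auditor will ask for
    audit: list = field(default_factory=list)  # append-only trail of every transition

    def _log(self, event: str, who: str, **detail) -> None:
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "asset": self.tag, "event": event, "by": who, **detail})

    def record_destruction(self, method: str, tech: str, verified_by: str) -> None:
        """Record the method, the technician and a second person who verified it
        (the second signature is an assumed control, not one the article names)."""
        if method not in METHODS:
            raise ComplianceError(f"{self.tag}: unknown method {method!r}")
        if tech == verified_by:
            raise ComplianceError(f"{self.tag}: verifier must not be the technician")
        if self.stage != "stored":
            raise ComplianceError(f"{self.tag}: cannot destroy data from stage {self.stage}")
        self.destruction = {"method": method, "tech": tech, "verified_by": verified_by}
        self.stage = "destroyed"
        self._log("destroyed", tech, method=method, verified_by=verified_by)

    def advance(self, to: str, who: str) -> None:
        """Move exactly one stage forward; anything at or past the gate needs a record."""
        if STAGES.index(to) >= STAGES.index("destroyed") and self.destruction is None:
            raise ComplianceError(f"{self.tag}: no data destruction record, cannot {to}")
        if STAGES.index(to) != STAGES.index(self.stage) + 1:
            raise ComplianceError(f"{self.tag}: cannot go from {self.stage} to {to}")
        self.stage = to
        self._log(to, who)


def pending_destruction(assets) -> list:
    """Assets still holding data: the ones a tech may have left when called away."""
    return [a.tag for a in assets if a.destruction is None]
```

A laptop moved from the storage pile straight to packing fails the gate rather than shipping, and `pending_destruction` lists what an interrupted job left behind.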

IT asset disposal providers that have been certified by leading industry organizations like Responsible Recycling Practices (R2) have strict controls in place for handling equipment, destroying data with up-to-date methods and documenting the process. These are usually the most reliable data destruction vendors with which to partner when compliance is an objective.

IT asset disposal and risk management

Compliance with regulatory standards is a major goal of risk management planners. Other risks of IT asset disposal include environmental violations and data breaches. Many companies, especially smaller ones without compliance or risk personnel, struggle with the temptation of working with a non-certified recycler in an effort to save a buck, but in the end the potential rewards never outweigh the risks and lawsuits to which these companies expose themselves.

Brian Arpke is the owner of REBOOT (the Valley’s premier refurbisher and surplus technology store) and R3NEW Recycling (NE Wisconsin’s only R2/ISO:14001/OHSAS:18001 Certified e-Recycler). Be sure to check out REBOOT at 15 Tayco Street in Menasha. With refurbished laptops and desktops starting at $125, you won’t find a better deal or more bang for your buck! Store hours are 1 p.m. to 7 p.m. on Tuesdays and Thursdays, and 9 a.m. to 1 p.m. on Saturdays. For more information, visit http://itreboot.com and http://facebook.com/itreboot.
