Commentary--The definition of "intellectual property" may vary by firm, but most business professionals would agree that items such as trade secrets, design plans, formulas, manufacturing processes, and business strategic plans are extremely important assets and therefore must be protected. In some cases, a company's ability to safeguard its IP assets could mean the difference between business success and failure. This is especially true for many of us in the high tech industry.
The rapid expansion of technology has created some very sophisticated methods of tracking and controlling intellectual property assets. However, this same technology has also allowed highly sensitive data to be downloaded and stored on inexpensive PC disk drives. Although the storage of confidential data on PC disk drives may not itself be a security problem, the improper disposal of these disk drives does represent a significant security risk.
Protection of data can take many forms, but most companies understand they need policies and procedures in place that provide end-to-end security. Today, installing firewalls, intrusion detection systems, sign-on procedures, and virus detection software are all examples of the control framework companies deploy in an effort to build an impenetrable fortress around their data. However, all too often these same companies lack sufficient controls in the discarding of unwanted IT assets. From a data security standpoint, the improper disposal of IT assets is a missing security link for many companies.
With an increasing number of security-related issues, IT operations usually does not have the time or resources to focus on IT asset end-of-life issues. Let's face it, IT executives face increasing complexities and challenges each day, so why worry about some old IT assets? The problem with this philosophy is quite simple. Whether these assets are traded in for new equipment, remarketed, given away to employees and charity, sold to scrap brokers, or placed in garbage dumpsters, they may still contain highly sensitive data. This could prove to be a very costly mistake if any confidential company data remaining on the disk drive falls into the wrong hands.
Although IT organizations may feel they have adequate procedures in place to ensure that all disk data has been adequately destroyed, all too often this is not the case. A recent computer industry journal reported that in a sample test of PCs resold on one of the largest online public auctions, a very large percentage (70%) still contained personal data, corporate data, and Web surfing images. The consequences can be disastrous, not only from an intellectual property protection standpoint, but also from a privacy and environmental regulation standpoint. Besides protecting data, companies must also deal with the ever-increasing privacy and environmental regulations when disposing of IT assets. End-of-life IT asset disposal is impacted by many regulations and compliance issues; the most commonly known are Sarbanes-Oxley, HIPAA (criminal penalties of up to $250,000 and/or 10 years imprisonment per violation involving patient security information) and Gramm-Leach-Bliley (penalties of up to $100,000 per violation for financial service/customer information).
What should companies do to protect intellectual property and personal information residing on discarded IT assets? A time-consuming and costly option is for the company to destroy or erase all the data on the disks itself. Another option is to work directly with IT asset disposal partners that understand privacy and environmental government requirements. Reputable IT asset disposal companies will maintain strict chain-of-custody control over assets while meeting all privacy and environmental government requirements. Whether companies destroy and erase data themselves or hire professionals to do the job, there are a number of additional critical issues to consider, such as:
• Maintaining strict physical inventory control and tracking that starts at the point of shipment through final disposition.
• Hiring licensed and bonded direct-route carriers to transport disk drives.
• Ensuring that once disk drives are received at the disposal partner's facilities they are verified, tested and assigned a unique, customer-specific control tracking work number.
• Removing all company-specific labels and identification tags.
• Ensuring that data erasure procedures are completed in accordance with the U.S. Department of Defense 5220.22-M standard.
• Receiving a Certificate of Erasure (COE) and a Certificate of Destruction (COD) upon completion.
• Having non-functioning drives physically destroyed by certified, EPA-friendly partners.
• Having periodic internal and external random quality control audits conducted on the entire process.
• Keeping a detailed audit trail documenting the successful erasure and/or destruction.
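The inventory control, certificate and audit-trail points above are easiest to enforce when the shipping manifest is reconciled against the disposal partner's records. The following is an added example, not code from the article or from NextPhase Services; the serials, work numbers and record layout are constructed for illustration.

```python
# Reconcile what was shipped against what the disposal partner reports.
# Every drive on the manifest must end in exactly one closed disposition:
# a COE (erased, functional drive) or a COD (physically destroyed drive).

# Constructed shipping manifest: drive serials handed to the carrier.
MANIFEST = ["SN-1001", "SN-1002", "SN-1003", "SN-1004", "SN-1005"]

# Constructed partner records: serial -> (work number, functional?, certificate or None)
PARTNER_RECORDS = {
    "SN-1001": ("WO-77-01", True, "COE"),   # erased, Certificate of Erasure issued
    "SN-1002": ("WO-77-02", False, "COD"),  # dead drive, physically destroyed
    "SN-1003": ("WO-77-03", True, None),    # received, but no certificate yet
    "SN-1004": ("WO-77-04", False, "COE"),  # dead drive cannot be verified erased
    "SN-9999": ("WO-77-05", True, "COE"),   # serial that was never on our manifest
}


def reconcile(manifest, records):
    """Return finding category -> list of serials needing follow-up."""
    findings = {"never_received": [], "no_certificate": [],
                "inconsistent": [], "unexpected": []}
    for sn in manifest:
        rec = records.get(sn)
        if rec is None:                      # shipped, never acknowledged: custody gap
            findings["never_received"].append(sn)
            continue
        _work_no, functional, cert = rec
        if cert is None:                     # disposition still open
            findings["no_certificate"].append(sn)
        elif not functional and cert != "COD":
            # A non-functioning drive cannot have its erasure verified;
            # only physical destruction (COD) closes it.
            findings["inconsistent"].append(sn)
    for sn in records:
        if sn not in manifest:               # partner reports a drive we never sent
            findings["unexpected"].append(sn)
    return findings


def chain_of_custody_closed(findings):
    """True only when every category is empty, i.e. the audit trail is complete."""
    return not any(findings.values())


if __name__ == "__main__":
    result = reconcile(MANIFEST, PARTNER_RECORDS)
    for category, serials in result.items():
        print(f"{category}: {serials}")
    print("closed:", chain_of_custody_closed(result))
```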
For years, IT asset disposal has been just an afterthought, but new legislation has upped the ante: the risks now run to billions of dollars, lost brand equity, fines and possible prison time for convicted violators. Inadequate IT asset disposal controls can have a major detrimental impact on the overall level of intellectual property security.
To protect assets, companies need to realistically assess their IT asset disposal program controls. Companies also need to develop an ironclad IT asset disposal program and integrate it into their overall end-to-end security plan. At the end of the day, you do not want your IT asset disposal practice to be the missing link in your IP data security plan.
Biography
Chris Adam is the director of NextPhase Services.