CEOs should be concerned about non-compliant old PCs piling up in storage
JOHANNESBURG – Disposing of old computer equipment used to be a mindless process, but those methods of the past are no longer an option with the introduction of new laws and regulations.
The days of piling it up in storage or simply selling it off to staff or second-hand retailers or even dumping it in a landfill, are over.
CEOs should be concerned about non-compliant old PCs that are piling up in storage, especially since the Protection of Personal Information (PoPI) Act came into being. All those old hard drives usually contain vital client information and must be removed in a manner that is compliant with the Act.
Simply pushing the “Delete” button also won’t do it nor will running a magnet over the old hard drives in an attempt to erase data. Even using the old hard drives for target practice or drilling holes in them will not satisfy the prescriptions of the PoPI Act and nor does factory reset encryption.
Here is an actual example of the kind of PoPI Act violations that could land executives in jail or leave the company with a R10-million fine. Scores of old hard drives were found being sold on the street in downtown Johannesburg, they were either stolen by company insiders or disposed of by the company themselves. What the buyers were actually looking for was client data: ID numbers, credit card information, bank account details and anything else that might be of value.
Don’t believe this does not happen, criminal syndicates are forever seeking ways to get their hands on company data and will pay a hefty price for a staff member to remove a hard drive and hand it over. That old hard drive sitting in storage and gathering dust could be worth millions to someone who knows how to access the data.
Syndicates will pay large amounts of cash for hard drives. All they really want is the information, particularly from companies in the financial and insurance sectors. Last year financial services group Liberty announced a massive data breach that is reckoned to have cost millions to fix, even though no clients reportedly lost any money.
Many companies are disposing of old computer equipment by putting it in storage. The problem with this is that storage costs money, the longer the equipment is in storage, the more it costs. Then there are the insurance costs.
But the biggest potential cost is the risk of falling foul to PoPI and exposing client or company information. Simply dumping old equipment in landfill sites also doesn't satisfy the requirements of PoPI because of the environmental risks of toxic materials in electronic waste.
The PoPI Act is designed to ensure that all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity's personal information by holding them accountable should they abuse or compromise your personal information in any way.
Blancco vice president of enterprise and cloud erasure solutions Fredrik Forslund says companies stockpile old hardware wherever they have some free space and that is driving up costs. Furthermore, many companies are still struggling to come to grips with the implications - and risks - of violating the Act.
A company was found to have a decade-worth of old computer equipment stockpiled in a disused room. Nobody managed the storeroom facility, making it an easy target for thieves. Nor did the company have any documentation or itinerary of the equipment in storage. The hard drives were found to be loaded with client data.
This is not unusual, a Veritas Global Databerg report found that 85% of stored data is either dark or redundant, obsolete or trivial. This is a huge problem considering the PoPI Act and other international data protection laws, companies can no longer afford to ignore the risks.
Companies like Xperien have a track record in the refurbishment and disposal of old computer equipment in a way that is fully compliant with the PoPI Act. The safe erasure of data is carried out using specialised tools like Blancco, which is recommended by IT consulting firm Gartner as one of the most suitable tools for this purpose.
This is done either on site or removed under strictly supervised and secure conditions for off-site handling. Once the data is safely erased, the client company is issued with a PoPI-compliant certificate.
Xperien was recently contacted by a company that had many years of old computer equipment piled up in storage. It commissioned three teams to carry out a full inventory of the stock and also to remove all data from the hard drives. The client was then presented with a full inventory report detailing the equipment age and specifications, including missing items. The company was also able to receive a financial return on its old equipment, including a certificate of proof that it was PoPI compliant.
Return on Investment
Most companies retire their computer equipment after 3 - 5 years and it typically has a residual value of 10 - 20% of the original cost. That residual can quickly devalue the longer the retired equipment is kept in storage. There are broadly three options available to companies contemplating the disposal of old equipment.
Firstly, sell the equipment outright to a company like Xperien and recover the residual value which can then be put straight back into the company’s IT budget. This would include the certified erasure of client data from hard drives.
Alternatively, companies like Xperien can refurbish the equipment and also do full data erasure. This equipment can then be sold to company staff at a reduced price that is often up to 75% of the original cost, depending on the condition.
Finally, the company can consider donating the refurbished equipment to schools and orphanages as part of its Corporate Social Investment programme, and claim the tax benefits.
The financial case for data erasure and asset disposal
In most cases, companies don’t even have to find budget for disposal of equipment and erasure of data. Using a typical example where a computer was originally bought for R10 000 three years ago, it will have some residual value.
The client will conservatively get 10% of this back, or R1 000. For this amount, Xperien will ensure that the data is removed in a PoPI-compliant manner, with the client receiving a certificate to prove that it has been removed.
In some cases, clients could also require video evidence of the erasure of data. This service is generally done onsite but if the equipment is removed from the premises, it is done using Xperien’s own security and transport so as to authenticate the chain of disposal.
Do not sweat your IT assets, use the residual value of the old equipment to reduce the cost of new equipment and get free data erasure certificates. Business leaders must become creative, they can save more than 35% on their IT budget.
Bridgette Vermaak is head of ITAD department at Xperien. The views expressed here are her own.
BUSINESS REPORT ONLINE