Wendy Burchard, procurement coordinator in the IS department at the University of Richmond in Virginia, knows all about the pitfalls of recycling old equipment.
Burchard discovered that the firm that was carting away the school's unwanted computer hardware for recycling was actually reselling the equipment. "We thought everything was getting crushed up into little pieces. Then we found out later that they were reselling our stuff," Burchard says. "They never told us they were doing that."
Like most IT professionals these days, Burchard was simply trying to help her shop follow environmental best practices. "We would never want to do anything to hurt the environment," she says. "We want to always do the right thing."
In recent years, recycling has become a high priority for IT departments. Yet as recycling efforts are ramping up, more managers are finding themselves coping with shady recyclers that dispose of IT assets in environmentally irresponsible ways, potentially exposing sensitive enterprise data in the process.
Burchard's brush with an unscrupulous recycler put her job on the line. "The last thing that we want is to have somebody find a University of Richmond computer over in China somewhere," Burchard says.
Christine Pfendt, CEO of Citigate Cunningham, feels Burchard's pain. When she joined the public relations firm several years ago, Pfendt didn't anticipate acquiring a recycling headache. But that's what she got when she inherited 5,000 square feet of obsolete computer equipment and peripherals. The previous management team had taken a novel approach to equipment disposal, she says. "Instead of recycling or repairing, they'd just buy new equipment" and cast aside the old.
A staunch environmentalist, Pfendt wanted to find ways to use everything to its end of life, avoid waste and keep the items from adding to landfills.
Cutting through the clutter proved to be an arduous task. "We had to figure out what was usable and what was not," she says. Staff members separated items that contained sensitive information from those that didn't. "For cell phones and pagers without confidential info, we gave them to a battered women's shelter," Pfendt says. "For the servers, we created a script that wiped away the info." The machines could then be safely recycled.
Unneeded monitors, however, were advertised on Craigslist. "The person who came for them told us they were a nonprofit," Pfendt recalls. But she later learned it was a for-profit company that was reselling the monitors -- on Craigslist. Lesson learned: "Require a copy of their 501(c)(3) status in advance," she says.
Mathew Jancsis, an IT services engineer at Vertex Pharmaceuticals Inc. in Cambridge, Mass., doesn't have any recycling horror stories to tell, because he did his homework before signing up with a recycler.
Jancsis recommends sticking with local businesses that specialize in technology equipment recycling, particularly those that have achieved ISO 9001:2008 and ISO 14001:2004 certifications for quality and environmental management. "Tour the facility, if possible, and examine their processes," he says.
Get detailed documentation about equipment that was recycled and specifics about what was done with it post-processing. "Also, if possible, go to the facility when your data-sensitive equipment is scheduled for destruction to verify firsthand that this takes place according to the processes agreed upon," Jancsis says.
Worth the price
All of that takes time and money, which are scarce resources these days, Jancsis acknowledges, but it's worth it. "While saving money is critical, the price a company would pay in working with a less-than-reputable establishment far outweighs the upfront cost of working with an honest firm," he says.
Kelley Keogh, president of Sin Fronteras EHS Consulting, a Santa Rosa, Calif.-based company that helps businesses create and follow environmental, health and safety policies, says IT managers need to be aware of two things when dealing with recyclers. "One is whether the companies are sending the materials to managed facilities that [follow] U.S. specifications," she says. "The other is whether they're exporting materials legally to the countries that are receiving them."
Failing to perform due diligence in both areas can lead to serious consequences. "That's the kind of stuff that comes back to bite you," Keogh says. "A recycler comes in and says, 'I'll do a great job for you,' and then someone finds your material in some little dump in some tiny town in China."
At that point, the world suddenly becomes a whole lot smaller. "They can trace it back to your company," she says, "and because you took the [recycling] company's word, you end up being liable for not only looking horrible, but for being horrible."
On the bright side, an enterprise that has suffered a financial loss because its data was compromised by a shady recycler might be able to recoup some or all of its losses through a lawsuit, says Josh King, general counsel at Avvo Inc., a lawyer search service in Seattle.
But financial compensation can't undo the loss of customer trust. That's why you need be to be highly cautious when recycling IT assets that contain sensitive data. Says King, "You can't just hire vendors and wash your hands of it."
Edwards is a freelance writer in Gilbert, Ariz. You can contact him at email@example.com.
This story, "IT Recycling Pitfalls" was originally published by Computerworld.