Unbroken Chain

Establishing a well-documented chain of custody for electronics helps companies manage the inherent environmental and data security risks associated with disposal.

Today more than ever before, companies are making sure that they can establish a well-documented chain of custody to help manage the risks associated with retiring their old electronics. Establishing a chain of custody will show that an asset was sold or disposed of properly and is the basis of the company’s defense if something should go wrong.

The potential problems come in two primary areas: the disclosure of confidential information and environmental violations.

SAFEGUARDING DATA

The consequences of an unintended disclosure of confidential information are widely recognized. In recent years, federal legislation has been enacted to protect confidential consumer and patient information. Legislation like the Sarbanes-Oxley and Gramm-Leach-Bliley acts is used to regulate the manner in which confidential information is protected within the financial services industry. Confidential patient information is regulated in the health care industry by HIPAA, the Health Insurance Portability and Accountability Act. Consumer information collected in the retail industry is protected under the Fair and Accurate Credit Transaction Act (FACTA). Regardless of the industry, the common theme for all legislation pertaining to data security and client confidentiality is that it mandates a reasonable attempt to safeguard data.

In response to the increased legislation, most companies have focused primarily on up-front activities to protect sensitive information. If you mention data security to most people, they’ll talk about network security, firewalls and internal protocols to keep people from gaining access to information that is housed on the company’s networks. However, the biggest risk arguably comes from electronic devices that are leaving the building.

Companies that decide to destroy data themselves internally usually have competing internal interests that lead to making their data destruction processes less efficient than they would like. However, companies that outsource responsibility for their electronic data destruction expose themselves to the efficiency and security of their downstream processors and logistics providers. In either case, something could potentially go wrong.

SAFEGUARDING THE ENVIRONMENT

Pollution violations caused by the improper disposal of electronics are less publicized, yet are no less important from a risk management perspective. In fact, in light of the low barriers to entry in the recycling business and the appeal of "free recycling," pollution violations are inevitably more prevalent.

Assets that are sold or donated and assets that are sent out for strict recycling become a liability because of the nature of the material they contain. A typical desktop PC can contain elements like lead or mercury that are classified as hazardous wastes. Contained within a computer system, these substances are not classified as a hazardous waste, but may be classified as Universal Waste. Improper disposal of a Universal Waste can be subject to prosecution under federal pollution laws, which could result in fines for the company and may also result in fines for individuals within the company.

The bottom line is that if old electronics end up in a place where they are not supposed to be, they can spell big trouble for the original owner of the equipment. Because of this, any company that engages in an asset recovery program for its old IT assets will want to consider how its electronics will ultimately be disposed of and determine if the reward justifies the risk.

DEFINING THE CHAIN

The fines and public relations damage that result from information theft or from a pollution violation can be enormous, so it follows that a component of any responsible program for assuring the integrity of an asset disposition process is a well-documented chain of custody.

To understand the important components of a good chain of custody, it helps to understand how a violation is traced back to the company that originally owned the equipment. When a violation occurs, the asset is tracked back to the original owner based on the original equipment manufacturer’s serial number. At this point, the original owner of the asset will have to prove that it was not guilty of the violation.

This is where a well-documented chain of custody comes into play.

Based on the fact that violations are traced by using the original equipment manufacturer’s serial number, it’s easy to see that the foundation for establishing a chain of custody is recording that serial number. This number is most likely to survive any recycling or resale process and is linked to the company that originally purchased the equipment.

The next bit of information that must be recorded is the internal asset tag. Each internal asset tag must correlate to a manufacturer’s serial number because internal asset tags are usually removed somewhere in the recycling or resale process.

The most important parts of the process are that the owner and the disposition company must record the two identifiers and that this information must be reconciled after the hand off has occurred. If that reconciliation has occurred, you have established a chain of custody for one level of processing.
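The reconciliation step described above can be automated. The following is an added example, not part of the original article or any vendor's tooling: it compares the owner's release manifest with the disposition company's receiving report, keyed on the manufacturer's serial number. The CSV layout, field names and sample records are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data: the owner's release manifest and the disposition
# company's receiving report. All serials and tags are made up.
OWNER_CSV = """serial,asset_tag
SN-A1001,TAG-0001
SN-A1002,TAG-0002
SN-A1003,TAG-0003
SN-A1004,TAG-0004
"""
VENDOR_CSV = """serial,asset_tag
sn-a1001,TAG-0001
SN-A1002,TAG-0009
SN-A1004,
SN-Z9999,TAG-0005
"""

def load(text):
    """Return {normalized serial: asset tag}; reject blank or duplicate serials."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        serial = row["serial"].strip().upper()
        if not serial:
            raise ValueError("record without a manufacturer serial number")
        if serial in records:
            raise ValueError(f"duplicate serial {serial}")
        records[serial] = (row["asset_tag"] or "").strip().upper()
    return records

def reconcile(owner, vendor):
    """Compare both sides of one hand-off, keyed on manufacturer serial."""
    report = {"matched": [], "missing_at_vendor": [], "tag_mismatch": []}
    for serial, tag in owner.items():
        if serial not in vendor:
            report["missing_at_vendor"].append(serial)
        elif vendor[serial] and vendor[serial] != tag:
            report["tag_mismatch"].append(serial)
        else:
            # A blank tag on the vendor side is tolerated: tags are often
            # removed in processing, so the serial is the authoritative key.
            report["matched"].append(serial)
    report["unexpected_at_vendor"] = sorted(set(vendor) - set(owner))
    return report

def custody_established(report):
    """True only when every released asset is accounted for, with no extras."""
    return not (report["missing_at_vendor"] or report["tag_mismatch"]
                or report["unexpected_at_vendor"])
```

Any serial reported as missing, mismatched or unexpected is an open item to resolve with the disposition company before the hand-off is treated as documented.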

However, we also recommend that the downstream trail of the asset be documented at least one level beyond the initial asset disposition point to ensure that the product is not being used or disposed of in a way that is not acceptable to the original owner. Some classes of assets require additional tracking measures, but that information can be easily captured and recorded. Just remember to tie the data back to the original manufacturer’s serial number.

By now you probably realize that establishing a chain of custody is a process as much as a means of documentation. However, it is a simple process to implement and has a huge return if something goes wrong.

Rocco D’Amico is president of Computer Recycling USA, which develops customized nationwide asset disposition programs for companies that want to increase the security and cost effectiveness of their asset retirement processes. He can be contacted at (877) PCWASTE or through info@ComputerRecyclingUSA.com.

November 2007