Secure chain of custody. IT asset disposition. Used IT equipment. Data breaches.
As technology evolves, ensuring the security and proper handling of your IT assets is more critical than ever. This is especially true in instances when equipment contains sensitive data. With the global average cost of a data breach in 2023 exceeding $4.45 million, partnering with an IT asset disposition (ITAD) provider that prioritizes security is your best defense (research conducted by Ponemon Institute and analyzed by IBM Security). Central to their security offerings should be a robust and secure chain of custody. In this article, we explore what this concept entails and how comprehensive security measures can protect your assets throughout the entire handling process.
What is the Definition of “Secure Chain of Custody?”
Creating a secure chain of custody involves meticulously tracking the movement of IT assets and materials from your organization’s locations to the ITAD provider’s facilities. ITAD partners maintain a high level of accountability and can track the assets at all times, including which employees handled the assets and where the assets are. If you need to verify the location or status of a retired asset, and the disposal partner cannot provide an answer, a breakdown in responsibility has occurred.
As mentioned earlier, for organizations that handle sensitive data, a break in the custody chain such as mishandling or losing a retired asset can have detrimental effects. Not to mention, it’s probably safe to assume that an IT asset manager at nearly every organization wants a quick, easy, and confident answer to the question, “Did you dispose of that asset?” versus a tedious investigation after the fact. For these reasons, it’s essential to work with an ITAD provider that takes security responsibilities seriously.
What Makes the Chain of Custody “Secure”?
A respected ITAD provider will use a multi-layer approach within their processes. The following are key features to look for when seeking out a disposal firm that offers a secure service for transporting and processing your IT equipment:
1. Employees Handle Your Equipment, Not Contractors
The first layer of protection within a secure chain of custody is partnering with an ITAD provider that prioritizes sending their own professionally trained staff to handle your equipment rather than third-party contractors. There are several reasons for this. Qualified ITAD providers, especially ones certified by the National Association for Information Destruction (NAID), focus on employee training and security processes to maintain their credentials. Another reason to use an ITAD provider rather than a third-party contractor is that you reduce the number of hands involved, thus creating a more streamlined and secure process.
Another point to keep in mind is that if your goal is to recoup some of your IT investment by reselling the used assets, you’ll want a provider that is knowledgeable about protecting the equipment’s value. Some third-party services prioritize getting the job done quickly rather than carefully.
Note: There may be times when an ITAD provider suggests that you outsource pick-up services to save on logistics costs. To help mitigate some of the security risks, a quality ITAD provider will partner with carriers that agree to meet the required procedures. The ITAD provider may even use a tamper-evident truck seal, which involves taking a picture at the time of shipment and again at the time of receipt to identify differences. Another option is to inventory all items at the time of shipment and receipt to provide evidence the load was delivered intact.
2. Employees Undergo Comprehensive Background Checks
In addition to using trained staff, a reputable ITAD provider will perform employee background checks to ensure a trustworthy workforce. These regular screenings and checks for criminal records help maintain a safe and secure environment. To provide a comparison, Cascade uses a third-party security firm and strictly prohibits the employment of individuals with financial, honesty, or computer-related convictions. Some employees even undergo annual FBI background checks, attaining a “High” security status with the U.S. government. In addition, Cascade ensures a drug-free workforce through required testing.
3. Staff and Vehicles Are Clearly Identified
The third level within a multi-layer secure chain of custody approach involves easily identifiable staff and vehicles. Imagine a scenario in which a couple of people wearing dirty t-shirts and jeans arrive on your site in an unmarked moving truck. Should your team trust them to take your company’s retired equipment containing sensitive data? An ITAD provider with a professional appearance, complete with company-branded apparel, photo IDs, and marked vehicles, instills confidence that the equipment will be handled securely and responsibly.
4. Security Measures in Place for Vehicles and Facilities
Having robust security measures in place for vehicles and facilities is the next qualification related to a secure chain of custody. Equipment should always be secured. When ITAD staff are loading your equipment, they should lock the doors every time the truck is left unattended. If equipment from multiple customers is being transported on the same truck route, each individual load should be packaged separately to maintain the highest level of security. Upon arrival at the ITAD’s secure facilities, the equipment must be unloaded and processed in a controlled environment. Features to look for in a secure facility include access controls, video surveillance, and alarm monitoring to safeguard the inventory.
5. Insurance Coverage for Both the Equipment and Data
Insurance coverage is another critical aspect of a secure chain of custody. It is vital to know who is responsible for the equipment if it is lost, stolen, or damaged during transit. To further minimize risk, the ITAD provider should also have a policy in place to cover potential data loss. To compare, Cascade carries a $5 million insurance policy that covers any damage or loss to the equipment. In addition, Cascade’s $10 million insurance policy for Errors & Omissions provides breach notification and remediation coverage in case of a data breach. To summarize, lower your risk by working with an ITAD provider that is covered by insurance and has a claim-free record.
6. Assets Are Inventoried On-Site
Lastly, for higher-value equipment or highly sensitive data, performing onsite inventory adds an extra layer of security. This additional step involves asset tracking at every stage of the disposition process. The ITAD provider takes inventory of all items prior to removal, and both parties sign off on the transfer before loading it. When the equipment arrives at the ITAD provider’s facility, they perform an inventory quality control process to confirm the receipt of every asset. Each item is then tracked to its final status whether that be refurbishment and reuse or demanufactured for recycling.
In conclusion, safeguarding your IT assets in today’s digital age requires a comprehensive approach to security, with a secure chain of custody at its core. By partnering with an ITAD provider that prioritizes security and implements multi-layered measures, you can ensure that your valuable IT assets are handled responsibly and securely throughout the entire disposition process.
Chain of Custody Checklist
To assist you in selecting an ITAD provider that uses a multi-layer approach to safeguarding both data and IT devices, download our Secure Chain of Custody Checklist.