Many people don’t understand the importance of performing due diligence on their IT asset disposition (ITAD) vendor. One word sums up why it matters: risk. Trusting that your ITAD vendor is doing the right thing is not enough. Data security and privacy are large-scale issues facing every business, and it is imperative that your vendor handles both the right way.
The potential costs and losses associated with improper disposal and data security lapses are significant. Many regulations and laws relate to data security and privacy, such as HIPAA, HITECH, PCI DSS, GLBA, FCRA, FERPA, GDPR and other state and national legislation, and fines under them can easily reach into the millions. The average cost of a breach in the US in 2018 was $7.91 million according to the Ponemon Institute. GDPR fines can reach up to 4% of annual global turnover or €20 million (roughly $22 million at the time), whichever is higher. There are also significant monetary risks for improperly handled scrap materials. According to findings published by the Ecological Society of America in 2009, the EPA had remediated and closed about 1,500 Superfund sites since CERCLA was passed, and according to the EPA the cumulative value of private party cleanup commitments and cost recovery settlements from those sites is $25 billion. For any business it is also important to consider other tangible risks such as loss of business, loss of trade secrets and brand damage.
There have been many news articles about electronics recyclers and IT asset disposition vendors that have declared bankruptcy, or have been indicted or convicted for illegal export or storage of equipment, fraud and tax evasion.
To avoid these risks while supporting financially sound auditing practices, you need to know what to look for. As a baseline, look for companies that are audited by an independent party on a regular schedule. Certifications such as R2, which audit the processes surrounding the handling and treatment of decommissioned IT assets, provide a good jumpstart on vendor due diligence. A detailed R2 certification checklist can be found here to add to the list below.
Following the list below will help you cover your bases. Complete the desktop audit before moving on to the site visit.
Desktop audit:
- Identify who, what and where in relation to your vendor
- Ask for copies of certifications, permits and business licenses that align with the above
- Verify the information you are given (e.g. validate R2 certification via SERI)
- Ask for a certificate of insurance listing your company as additional insured
- Ask for evidence of documented procedures and policies (e.g. data destruction)
- Ask for the flow of equipment up to the point of final disposition and the supporting bills of lading
- Ask for the vendor’s due diligence on any downstream processors
- Make sure a signed agreement is in place with the audited vendor
Site visit:
- Determine who within your organization is best suited to conduct the onsite audit. Typically, it is the EH&S Manager or ITAM personnel
- Ask for a facility walkthrough that encompasses the processes involved in handling your materials. Assess the items below during the walkthrough:
  - Check for physical security, both for the facility and for data handling
  - Verify good housekeeping and hygiene practices
  - Ask to see the OSHA recordable incident rate
  - Check for safe daily operations
  - Check for proper waste handling
  - Check for emergency response equipment
  - Validate that the procedures and policies reviewed in the desktop audit are being followed
  - Check that data-bearing material is segregated from other work areas
  - Perform a mass balance on charge items (material you pay the vendor to dispose of): the outbound weight on the bills of lading should reconcile with what you shipped and what the vendor received, so nothing is being diverted or stockpiled
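One practical check behind the bills-of-lading and mass-balance items above, as an added example that is not part of the original article: a small Python reconciliation of your own decommission manifest against the vendor’s bills of lading and certificates of destruction. The record layouts, party names and the 2% weight tolerance are assumptions for illustration, and every sample record is constructed.

```python
"""Chain-of-custody reconciliation for an ITAD audit.

Added example, not code from the original article or any vendor. It checks
three things an auditor wants from the desktop review: every serial you
shipped has destruction evidence, the vendor certifies nothing you never sent,
and the weights on the bills of lading agree with your manifest (the "mass
balance"). All records and the 2% tolerance are constructed assumptions.
"""
from dataclasses import dataclass, field


# Constructed sample data: your own decommission manifest (what left your dock).
MANIFEST = [
    {"serial": "SN-1001", "type": "server", "weight_kg": 22.0},
    {"serial": "SN-1002", "type": "server", "weight_kg": 21.5},
    {"serial": "SN-2001", "type": "laptop", "weight_kg": 2.1},
    {"serial": "SN-2002", "type": "laptop", "weight_kg": 2.0},
    {"serial": "SN-3001", "type": "hdd", "weight_kg": 0.6},
]

# Constructed sample data: bills of lading for each leg of the chain of custody.
BILLS_OF_LADING = [
    {"bol": "BOL-A1", "from": "customer", "to": "vendor", "weight_kg": 48.0},
    {"bol": "BOL-B7", "from": "vendor", "to": "downstream-smelter", "weight_kg": 43.0},
]

# Constructed sample data: certificates of destruction issued by the vendor.
CERTIFICATES = [
    {"serial": "SN-1001", "method": "shred"},
    {"serial": "SN-1002", "method": "shred"},
    {"serial": "SN-2001", "method": "wipe"},
    {"serial": "SN-9999", "method": "shred"},  # never on our manifest
]


@dataclass
class Reconciliation:
    missing_certificates: list  # shipped by us, no destruction evidence
    unknown_serials: list       # certified by vendor, never on our manifest
    weight_gap_kg: float        # manifest weight minus first-leg BOL weight
    weight_ok: bool             # gap within tolerance of the manifest weight
    hop_shortfalls: list = field(default_factory=list)  # (party, in, out, flagged)


def reconcile(manifest, bols, certs, tolerance=0.02):
    """Compare manifest, bills of lading and certificates; tolerance is a fraction."""
    shipped = {r["serial"] for r in manifest}
    certified = {c["serial"] for c in certs}

    manifest_kg = sum(r["weight_kg"] for r in manifest)
    first_leg_kg = sum(b["weight_kg"] for b in bols if b["from"] == "customer")
    gap = manifest_kg - first_leg_kg

    result = Reconciliation(
        missing_certificates=sorted(shipped - certified),
        unknown_serials=sorted(certified - shipped),
        weight_gap_kg=round(gap, 3),
        weight_ok=abs(gap) <= tolerance * manifest_kg,
    )

    # Mass balance per intermediate party: what it received versus what it
    # shipped onward. A shortfall beyond tolerance means material is being
    # stockpiled, lost or diverted and needs an explanation from the vendor.
    parties = {b["to"] for b in bols} & {b["from"] for b in bols}
    for party in sorted(parties):
        inbound = sum(b["weight_kg"] for b in bols if b["to"] == party)
        outbound = sum(b["weight_kg"] for b in bols if b["from"] == party)
        flagged = outbound < inbound * (1 - tolerance)
        result.hop_shortfalls.append((party, inbound, outbound, flagged))
    return result


def report(result):
    """Render the reconciliation as plain lines for the audit file."""
    lines = []
    for s in result.missing_certificates:
        lines.append(f"FINDING: {s} shipped but no certificate of destruction")
    for s in result.unknown_serials:
        lines.append(f"FINDING: {s} certified but never on our manifest")
    status = "OK" if result.weight_ok else "FINDING"
    lines.append(f"{status}: manifest vs first-leg BOL gap {result.weight_gap_kg} kg")
    for party, inbound, outbound, flagged in result.hop_shortfalls:
        status = "FINDING" if flagged else "OK"
        lines.append(f"{status}: {party} received {inbound} kg, shipped onward {outbound} kg")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(MANIFEST, BILLS_OF_LADING, CERTIFICATES)):
        print(line)
```

With the constructed data the script flags two shipped drives with no certificate, one certified serial you never sent, and a 5 kg shortfall between what the vendor received and what it shipped downstream; the manifest-to-first-leg gap of 0.2 kg is within tolerance. Each flagged line is an item to raise with the vendor, not proof of wrongdoing on its own.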
The vendor audit is all about risk management. Make certain that your questions and concerns are addressed to your satisfaction. Be wary of facilities and organizations that look too good to be true. Document any issues you find and decide whether the residual risk is acceptable to your organization. A vendor worth working with will pass your audit and minimize or eliminate the risks associated with decommissioning assets.