When educational institutions purchase new IT equipment, they often overlook the importance of data residing on the old equipment. Federal laws have been enacted to protect student data, and proper disposal and erasure of retired IT assets is vital.
The Family Education Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA) are federal laws that protect the confidentiality of personally identifiable information of students attending any educational institution receiving funds from a program of the Department of Education. In part, these laws generally prohibit disclosure of information without the consent of the subject or their parent guardian and mandate prevention of unauthorized releases of information. These requirements still apply when information is no longer necessary to retain and assets containing such information are retired.
To comply, educational institutions need to use vendors that have appropriate controls in place to prevent unauthorized disclosures, they should get proof that data bearing assets have been sanitized as planned and, above all, use vendors who they can trust. It is important to understand what NAID AAA Certification is and to use a vendor who adheres to the standard. There are many non-certified recyclers in the educational space who are not following proper data security protocols.
Educational institutions in violation of these laws can lose government funding, and while the institutions themselves are not always held liable for disclosure by a third party, the failure to perform proper due diligence, use a trusted vendor, and maintain records of sanitization can be viewed as a failure to prevent unauthorized disclosures.
Maximizing ROI on decommissioned IT assets is often the biggest priority for educational institutions. However, the financial impact of an offsite data breach would far outweigh the monies gained from resale. By using a certified professional vendor, you can help make sure our educational institutions maintain funding and our future generations’ personal information is handled correctly.
ARCOA is a provider of IT services that encompass Cybersecurity, IT Asset Recovery and Disposition, and end-of-life recycling of electronics. We partner closely with clients to develop solid solutions around five architectural areas: cybersecurity and data destruction, specialized logistics and secure chain of custody, value recovery, asset tracking and control, and responsible recycling of end-of-life technology.