Substantial resources are spent by manufacturers and distributors in choosing the right information technology (IT) equipment to invest in and how to secure those devices throughout their useful lives with passwords, encryption, firewalls, antivirus software and properly trained staff. But security concerns are often overlooked when those same assets are retired. Ongoing attention to security is a must, because IT equipment typically houses a company's most valuable intellectual property.

Security Breaches

Just because data appears to have been deleted from a device's hard drive does not mean it is gone. Some data may be recoverable — even if you smash a device with a sledgehammer — and recovered data can come back to haunt you if it winds up in the wrong hands.

Let us look at an example: Company A (a fictitious manufacturer) returned two copiers to its equipment leasing company. Neither party erased the devices' internal hard drives, which stored everything that Company A had copied or scanned over the term of its lease. When the leasing company subsequently sold the copiers to a competitor, the buyer also obtained Company A's financial data, customer lists and employee records.

It is important to look at the language of equipment leases to understand what will happen to the data stored within the hard drive on the machine after the equipment is returned. Many leases nowadays do include a hard drive destruction clause within the contract. Be sure to review leases for similar clauses, or lack thereof, before signing.

Security incidents also can arise when a company resells, recycles or donates its old IT equipment without properly erasing the hard drives. In other breaches, thieves steal assets from dumpsters or unlocked storage sites before management wipes the hard drives. The result? Large volumes of confidential and sensitive data are left unprotected and vulnerable to theft and fraud. It also opens the door for violations of software license agreements.

Bulletproof Disposal Protocols

Asset-intensive companies need formal companywide IT disposal policies to ensure reliable data destruction. Here is some guidance to consider when drafting an IT disposal policy:

Rewrite Multiple Times. Companies cannot just delete data once, because it can still be reconstructed from the device by an IT professional. Many Fortune 500 companies and the federal government follow the Department of Defense protocol, which requires data to be rewritten at least three times.

Consider Outsourcing. Companies often turn to outside disposal vendors to ensure safe disposal and factor disposal fees into the total cost of equipment ownership. Equipment retailers, manufacturers and leasing companies also may provide these services upon request. If you decide to outsource disposal, choose your vendors wisely. The cheapest vendor might skip steps, such as performing background checks on employees and their subcontractors, offering risk indemnification, tracking assets during the disposal process and ensuring that assets are disposed of in an environmentally responsible manner.

Act Quickly. Dispose of outdated equipment as soon as you upgrade. Doing so reduces the risk of theft and increases the price you will receive at resale.

As IT assets near the ends of their life spans, consider whether the devices can be repurposed. Sometimes equipment can be reused internally to temporarily save the cost (and hassle) of secure disposal.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.