Although data breaches often place ITAD clients in a poor light, firms have a duty to protect their own reputations as well as those of their clients, panelists said. | Big Wave Productions/Resource Recycling
High-profile data breaches have highlighted the perils of ITAD, and until multiple companies are "put in the penalty box," it will keep happening, industry experts said during a panel at the 2024 E-Scrap Conference.
However, ITAD firms can take steps to help avoid risk and educate clients, the panelists said during the conference, which was held by Resource Recycling in Orlando from Sept. 30 to Oct. 2.
In one notorious example, years of ITAD errors cost banking giant Morgan Stanley more than $163 million in penalties and fees. The legal issues stemmed from IT asset decommissioning and refresh projects the company undertook between 2016 and 2019.
Morgan Stanley hired a moving company with no data destruction experience to decommission two U.S. data centers in 2016, and devices holding unencrypted customer data were eventually sold online. In 2019, Morgan Stanley simply lost track of dozens of devices containing customer data during an IT refresh project.
"I don't think we've actually studied it as an industry and learned the lessons yet," said Kyle Marks, founder and CEO of Retire-IT, adding that millions of dollars in fines and penalties is small change to a corporate behemoth. "Morgan Stanley eats that for breakfast."
In the latter incident, the vendor was Arrow Electronics, "one of the most credentialed, secure powerhouses in the industry at the time," Marks said. The incident "ran down the list of everything you could do wrong."
However, those failings were on the part of the client, not on the part of the ITAD, he said. "Very often ITADs or any vendor is more compliant than their client is. From any perspective, this becomes a poster child for why a client should pick you as a service provider," he said. Morgan Stanley had chosen a vendor based on reduced costs, "and it's coming back to bite them. That's obviously a good message for you if you're an ITAD."
Panelist Bob Johnson, principal advocate at Privata Vox, agreed: "Cheaper is not always better, in fact cheaper is probably not better. You need to be careful in the selection process."
The incidents were a great example of why ITAD isn't just disposing of garbage and must be taken more seriously, Johnson said. "The client always pays for the consequences of the vendor's mistake," he said.
In announcing its findings, the SEC called the Morgan Stanley breaches "astonishing." Marks said, "The only thing astonishing is that the FCC found it astonishing. Anybody who has been in this industry for any period of time understands that most clients are wildly noncompliant."
"When the company buys the assets and deploys them, they're already losing track of 2-3% of assets upon deployment," he said. "And life cycle management is a series of check-ins and check-outs, and ITAD is what I call the final checkout. Companies are lucky if they know where 85% of their assets are, but magically at the end of life, 100% of assets are accounted for."