Pick a scenario -- any scenario:
- Your company has just been fined for allowing old PCs to be dumped in a landfill in Romania. You didn't know that was going to happen, but you've been ordered to pay a penalty and clean up the mess anyway. Romanians, it seems, are less than keen to have hazardous mercury and lead so close to their ground water.
- A customer's medical information or credit card number gets into the wrong hands because one of your retired PCs still had the information on its hard drive. How would you like your subpoena?
- The cost of getting rid of those old PCs from Y2K ends up being double the cost of selling them. You have to find some money in the budget and quick.
Congratulations, you've just experienced "TCO's Last Surprise," the unforeseen costs of PC disposal.
What an unpleasant surprise
Gartner analyst Frances O'Brien coined the term for PC disposal last year in a report of the same name. She said that companies generally are lost when it comes to budgeting for their PCs' afterlife and have not planned the process. She figured on average, companies that sell their machines after three years get back 3% to 5% of the original price. The pain sets in with the disposal costs. Taking the PC off the network, getting backup for the data and cleaning the hard drive aren't free. If you're going to sell off the PCs, you may have to reload the OS. If you're sending them for an eternal dirt nap, you likely will have to pay a recycling fee.
If you don't do any of these things, you're opening up the company to a laundry list of lawsuits, from privacy breaches to environmental wrongdoing, such as violation of the federal Resource Conservation and Recovery Act (RCRA), which forbids anything with a circuit board to be thrown out. Cost of disposing of PCs so you don't have to worry about them? Anywhere from $85 to $136 per machine, according to O'Brien.
She recommended that companies come up with an official process for getting rid of old hardware, come up with an accurate TCO figure, and budget for the machines' end-of-life.
Some companies are doing this; some are not. Robert Houghton, founder and president of Redemtech Inc., a technology recycling company based in Hilliard, Ohio, said that many IT execs don't have that TCO figure because the disposal details are buried in the budget and don't have their own place on the planning sheet. "Most likely, those costs aren't being properly planned and specified as an end-of-life expense," he said. "Some companies know the issues, but others have trouble rationalizing the process."
Still others are new to this ballgame. David Ellard, CIO of storage giant EMC Corp., said that his company had been leasing its PCs until recently. "The leasing company took them back, and I didn't have to deal with it," he said. But over the past year, EMC has purchased PCs, so there's a lot more to deal with. "I will have to start implementing a plan," he said.
Understand it, budget for it, outsource it
Houghton recommends a centralized plan across the enterprise that avoids departmental division. He also said there are two broad areas CIOs should focus on when it comes to properly pitching out their PCs. First, "you must understand the end-of-life costs and budget for them – that puts you in a position to control cost as you control risk," he said.
Houghton said that virtually all companies are subject to risks from environmental compliance. That's why it's important for CIOs to focus on the second area: being certain that the company disposing of their PCs is reliable enough and solvent enough to do the job properly, because the CIO's liability doesn't necessarily end when the PCs are hauled off. "Transferring title to a broker doesn't sever your responsibility," Houghton said. "The liability for environmental compliance is non-severable, so you need to know where your product is headed downstream."
While environmental risks affect everyone, data privacy and security issues are especially important for financial firms and health care organizations. HIPAA and GLB compliance both necessitate thorough data scrubbing of old PCs so that sensitive information doesn't get left behind (and possibly fall into the wrong hands). But according to Houghton, it's impossible to get 100% data security from an enterprise environment. That's why he recommends that CIOs outsource the process, which indemnifies their companies and gives them a "throat to choke."
"[This way] CIOs are not focusing on hard drive erasure so much as verification and proof of erasure," he said. "We recommend creating a repository with a record of everything that's been erased."
While Houghton recommends outsourcing the process to companies like his (others in the market include Columbus, Ohio-based RetroBox, Inc.), other organizations handle PC disposal and redeployment internally. Vanderbilt University Medical Center, Nashville, Tenn., has a centralized process by which individual schools and departments must abide. Jeff Kimble, director of network computing services, said that simply deleting files from or reformatting electronic media may not be enough to prevent recovery of stored information – information that can include sensitive patient or student data as well as Vanderbilt licensed software. Kimble said that departments and schools must either:
- Destroy the information on the hard drive or media by first reformatting it and then running additional utilities.
- Remove the hard drive or other media and secure it indefinitely.
- Remove the hard drive or other media and physically destroy it.
Kimble also said that schools and departments must certify that at least one of those procedures has been followed by filling out and attaching a tracking document to every computer or electronic storage device that is surplused or transferred between departments. "The department should also maintain a copy of the tracking document as a permanent record," he said. Receiving schools or departments at Vanderbilt should then verify the information on the tracking document before they take the equipment.
PCs and equipment that aren't reused, sold or donated are sent via the university's computer recycling program to the Oak Ridge National Recycling Center in Oak Ridge, Tenn. The center removes and segregates all the hazardous heavy metals from the computer components for re-use.
While the stakes may be higher for Vanderbilt because of its repository of health records, Redemtech's Houghton said that state laws nationwide are being passed that extend the same kinds of legal liabilities to any business. Bottom line: "The only way to establish good compliance is for a central policy to exist on how to handle end-of-life material," Houghton said. "A CIO should be trying to avoid a fragmented process among divisions and try to establish a policy across the enterprise for security and environmental management."