Learning Center

Posted by

The Importance of Chain of Custody for Electronics Disposition

Today more than ever before, companies are making sure that they can establish a well documented chain of custody to help manage the risks associated with retiring their old electronics. Establishing a chain of custody will show that an asset was sold or disposed of properly and is the basis of a defense if something goes wrong. The risk of something going wrong comes from two primary areas: confidential information disclosure and environmental violations.

The consequences of a confidential information disclosure are widely recognized. In recent years federal legislation has been enacted to protect customer and patient confidential information. Legislation like Sarbanes Oxley and Gramm Leach Bliley are used to regulate the manner in which confidential information is protected within the financial services industry. Confidential patient information is regulated in the healthcare industry under the Health Insurance Portability and Accountability Act (HIPAA). Consumer information collected in the retail industry is protected under the Fair and Accurate Credit Transaction Act (FACT-A). Regardless of the industry, the common theme for all legislation pertaining to data security and client confidentiality is that they mandate a reasonable attempt to safeguard data.

In response to the increased legislation most companies have focused primarily on up front activities to protect sensitive information. If you mention data security to most people they’ll talk about network security, firewalls, and internal protocols to keep people from gaining access to information within the building. However, the biggest risk arguably comes from material that is leaving the building. Companies that decide to destroy data themselves internally usually have competing internal interests that lead to making their data destruction processes less efficient than they would like. Companies that outsource the data destruction responsibility expose themselves to the efficiency and security of their downstream processors and logistics providers. In either case, something can easily go wrong.

Pollution violations caused by the improper disposal of electronics are less publicized yet no less important from a risk management perspective. In fact, due to the low barriers of entry in the recycling business and the appeal of “free recycling,” pollution violations are inevitably more prevalent. Assets that are sold or donated and assets that are sent out for strict recycling become a liability because of the nature of the material they contain. A typical desktop PC can contain elements like lead or mercury that are classified as hazardous wastes.  Contained within a computer system, they are not classified as a hazardous waste but may be classified as Universal Waste. A Universal Waste that is improperly disposed of can be subject to prosecution under federal pollution laws that not only fine the company but may also fine individuals in the company for the violation. The bottom line is that if old electronics end up in a place where they are not supposed to be it can spell big trouble for the original owner of the equipment. Because of this any company that engages in an asset recovery program for their old IT assets will want to consider how it will ultimately be disposed of and determine if the reward justifies the risk.

The Importance of Chain of Custody for Electronics Disposition

The fines and public relations damage from information theft or from a pollution violation can be enormous, so it follows that a component of any responsible program for assuring the integrity of an asset disposition process is a well documented chain of custody.  To understand the important components of a good chain of custody, it helps to understand how a violation is traced back to the company that originally owned the equipment. When a violation occurs, the asset is tracked back to the original owner of the equipment based on the original equipment manufacturer serial number. At this point the original owner of the asset will have to prove that they were not guilty of the violation. This is where well documented chain of custody comes into play.

Based on the fact that violations are traced by using the original equipment manufacturer’s serial number, it’s easy to see that the foundation for establishing chain of custody is recording that serial number. This number is most likely to survive any recycling or resale process and is linked to the company that originally purchased the equipment. The next bit of information that must be recorded is the internal asset tag. Each internal asset tag must correlate to a manufacturer’s serial number because internal asset tags are usually removed somewhere in the recycling or resale process. The most important part of the process is that the two identifiers are recorded by both the owner of the equipment and the entity to whom they send it, and the identifiers must be reconciled after the hand-off. If that has occurred, you have established a chain of custody for one level of processing.

We also recommend that the downstream trail of the asset be documented at least one level beyond the initial asset disposition point to ensure that the product is not being used or disposed of in a way that is not acceptable to the original owner. Some classes of assets require additional tracking measures, but that information can be easily captured and recorded. Just remember to tie them back to the original manufacturer’s serial number.

By now you probably realize that establishing a chain of custody is a process as much as a means of documentation. It is a simple process to implement and provides huge returns in the event that something goes wrong.

© Copyright 2015 CRUSA Computer Recycling USA. All rights reserved.   |   Corporate Office: 425 Fortune Blvd. Milford , MA 01757   |   [email protected]