A Big Lesson From a $60M Fine for Poorly Performed Data Disposition

Posted by Frank Milia

Oct 13, 2020 9:59:39 AM

Last week the Department of the Treasury's Office of the Comptroller of the Currency (OCC) levied a $60 million fine on Morgan Stanley for data breaches that resulted from poorly managed IT asset disposition projects associated with data center decommissioning activities in 2016 and additional disposal events in 2019.

In a recent consent order the OCC states that the bank “…failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.”

The responsibility to prevent unauthorized access to protected data falls disproportionately on the data controller, in this case Morgan Stanley. Detailing all of the security controls required to lower that risk is not possible in a short article. In reality there is no single tool, vendor, process, method, policy, or procedure that one could point to that would have guaranteed the bank one hundred percent security.

Secure management of data disposition, especially for large enterprises, requires a robust program that includes policies, procedures, assigned accountability, employee training, contracting and vendor due diligence requirements, and a process for strict oversight of activities, all working together to minimize the risk of exposure and regulatory non-compliance.

Reading the OCC’s description above, it would be easy to characterize Morgan Stanley’s management of these data disposition activities as a failure by every measure. However, it is the following accusation by the OCC that most likely explains why the fine is so high: “The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance”.


Typically, regulatory fines are reduced when the organization under investigation is able to prove that it took reasonable steps to protect private data. In other words, mistakes will happen, but if an organization can show that it has formal, documented data disposition procedures that include vendor due diligence, the penalties for an incident will likely be reduced.

At this time Morgan Stanley has yet to disclose the vendors used to perform these services. Considering the OCC’s claim that the bank failed to perform due diligence and oversight of the vendor’s practices, it is likely that Morgan Stanley is unable to effectively shift the liability and financial responsibility to the contractor.

Although there is no legal mechanism for Morgan Stanley to be indemnified against its regulatory obligations, it theoretically would be able to recoup some of the financial impact of the fine if there were well-written contracts, documented performance testing, and due diligence records.

Performing documented due diligence in vendor selection and ongoing auditing of a vendor’s practices will significantly reduce the financial impact of a breach or other regulatory non-compliance, both by reducing fines and by establishing an effective basis for suing vendors that break contractual obligations. Vendor due diligence should include documented investigation of a vendor’s policies, procedures, methods, breach notification systems, training programs, third party certifications, and key management system protocols at selection and, at minimum, on an annual basis.

In the simplest terms, it appears that Morgan Stanley did little to deter these breaches from occurring, and the impact of the breaches was multiplied by the inability to establish that any care was taken in its approach to data disposition and vendor management.

Every organization is at risk of a data breach or regulatory fine associated with poor data disposition. The only way to both minimize the likelihood of an exposure and reduce the financial impact if one were to occur is to invest in your data disposition program and ensure that internal and external stakeholders are regularly tested, results are documented, and corrective actions are implemented when applicable.

 


Topics: IT Asset Disposal, data breach, education & tips, IT Asset Disposition, Risk Management

Bidding a Project to Computer Liquidators

Posted by Frank Milia

Sep 18, 2017 9:14:26 AM

If your IT department generates valuable surplus computer equipment, whether through a regular refresh project, office relocation, staff reduction, or merger, it will be helpful to understand how to bid out an IT asset disposal project to computer liquidators.


We suggest contracting a prime source for ongoing IT asset disposal services, but from time to time it may be necessary to get a fixed bid on excess IT assets. In this post we provide a few tips on how to solicit offers in a way that fairly evaluates capable vendors.



1. Qualify a list of bidders before distributing a Request for Proposal. Do not waste time taking offers from vendors that do not meet your company’s security, environmental compliance, or risk assessment requirements. When researching vendors and compiling a list of potential bidders, weed out any that do not meet your internal requirements. We suggest only bidding projects to vendors with third party certifications such as ISO 14001, Responsible Recycling (R2), and e-Stewards.

2. Create a spec sheet for the equipment that you will be bidding out, including an accurate estimate of the quantity of machines by location. For a desktop, for example, note the make, model, processor model, RAM configuration, hard drive type and size, and form factor. Sometimes providing a service tag or part number will be enough, but to avoid issues from discrepancies it is best to have all bidders on the same page from day one of bidding. For a vendor to include all shipping and packaging costs in an offer, it will need to know how many units there are and where they are located.

3. Create a fixed timeline to receive accurate pricing. Provide bidders with a deadline for bids and the day the equipment will be released and ready for pickup. Most vendors will have an expiration date for competitive offers. A long timeline for a sale puts the vendor and your organization at risk of a bid expiring and of market depreciation affecting value returns for all parties. Reduce your company’s exposure by providing accurate timelines and rebidding if the timelines are not met.

4. Make sure all service level requirements are specified at the time of bid. Clearly outline any packaging services, de-racking, wiring, on-site data destruction, or other services that will come at a cost to your company or the vendor. To fairly evaluate vendors, you need to avoid selecting a vendor and then finding out that there are additional costs and reductions in the value returned because the requirements of the equipment sale were not clearly specified at bidding.

Following these guidelines will help you seamlessly sell surplus IT equipment.


Topics: IT Asset Disposal, IT Asset Disposition, eWaste Disposal, Risk Management, IT Liquidation

Three Quick IT Liquidation Tips

Posted by Frank Milia

Aug 1, 2017 10:25:22 AM

Evaluating an IT liquidation provider to purchase your corporate IT equipment can be a difficult task. There are many variables that can lead an IT manager down a path where he or she is unable to accurately evaluate competitive quotes, incurs unnecessarily high service costs, or sets incorrect expectations of value returns that will not be achieved at the end of a project.



Here are some quick tips to make you aware of potential pitfalls and help you eliminate these variables.


1. Know what you’re selling. A good understanding and detailed inventory of the models, specs, functional conditions, and cosmetic conditions of your equipment is the most empowering tool you will have available in the process. The more details and assurances you’re able to provide to a vendor, the more comfortable and competitive the solution the ITAD provider will be able to offer. It’s understandable that most IT departments will not have the resources to test equipment and note cosmetic issues on every machine, but if you’re aware of equipment defects and issues, provide this information to your IT liquidation vendor and get an understanding of what the cost reductions will be ahead of executing the project.


2. Understand your service level requirements. Make sure to provide all IT liquidators bidding on your project with detailed information on what data destruction service level, packaging requirements, building access requirements, shipping requirements, or any other data and asset management requirements you may have. This can be particularly important when the service level will affect the value of the equipment. For example, if you require a vendor to shred the hard drives from a laptop liquidation, there will be additional costs for the destruction services and the machines’ overall value will be decreased by removing the hard drives.


3. Set a rigid time frame for the project. The secondary markets fluctuate rather quickly, and most IT disposal vendors will not be willing to hold aggressive return rates in effect for longer than 10 business days. If you’re planning a project 30-90 days out, set these expectations upfront so the vendors are able to give realistic pricing that can be met. In these situations we suggest getting the IT asset recovery estimate from vendors early in the planning stage and qualifying capable providers. You can then re-price the project and make final decisions closer to the release of the equipment.

Having a good understanding of your disposal inventory, the condition of the equipment, the service levels required, and the time frame of the project will allow you to control the process and meet the expectations set with your IT asset disposal vendor.


Topics: IT Asset Disposal, IT Asset Disposition, eWaste Disposal, Risk Management, IT Liquidation

IT Asset Management Group Becomes EPEAT Champion

Posted by Frank Milia

Mar 24, 2014 1:57:00 PM

IT Asset Management Group (ITAMG), a leading provider of IT asset disposal, data destruction and electronics recycling services, has joined the EPEAT Champion program. EPEAT is the definitive global rating system for greener electronics. Becoming an EPEAT Champion complements ITAMG’s goal to reduce the hazardous effect of surplus and end-of-life technology through refurbishing, reuse and electronic waste recycling.


As an EPEAT Champion, ITAMG will promote the use of the EPEAT system among its major enterprise, institutional and public-sector clients. Using EPEAT, purchasers and procurement officers can easily identify and compare thousands of environmentally preferable devices based on more than 50 environmental criteria, including energy use and recyclability.

“It is in the best interest of our environment, and ITAMG’s core business, when large organizations make purchasing decisions that value the length of an asset’s life, the amount of recyclable material that makes up the product, and are designed to easily dismantle for more efficient reuse and recycling,” said Richard Sommers, President of ITAMG.

Frank Milia, Vice President of Account Management at ITAMG, added: “We are excited to promote the importance of green purchasing decisions as an EPEAT Champion.  We know our work with EPEAT will support our current client base by providing resources that simplify purchasing decisions and improve the end of life cycle management of retired and surplus IT equipment.”

IT Asset Management Group works with large organizations and provides IT liquidation, computer equipment recycling, and secure data erasure and on-site hard drive shredding services.  Since 1999 ITAMG has been delivering a full suite of IT asset disposition services to a national client base of government agencies, private firms, and fortune 1000 companies.


Topics: IT Asset Disposition, Electronic Waste Management, EPEAT, Green Technology Procurement

Electronic Waste Problem to Increase a Dramatic 1/3 by 2017

Posted by Frank Milia

Jan 16, 2014 10:03:11 AM

 

E-waste is on the rise, and the impending result will impact us all.


According to a USA Today article referencing a UN study, “The mountain of refrigerators, cellphones, TV sets and other electrical waste disposed of annually worldwide is forecast to grow by a third by 2017.” In 2012 there were 53.9 million tons, and this forecast would bring that number to 72.09 million tons in 2017. The findings were based on estimates of product life along with actual data on discarded products in several countries.

 

The United States was the number one contributor to e-waste, followed by China. These are frightening numbers, and the e-waste problem must be addressed through initiatives and legislation. Fortunately, steps are being taken in a number of areas to address this growing problem.

 

The Environmental Protection Agency is collaborating with “Solving the E-Waste Problem” (StEP) to focus on this issue. StEP has published a worldwide map that drills down into country-by-country data on equipment on the market that will yield e-waste. This information is eye-opening. StEP has set up an initiative with five task forces to address growing e-waste concerns. By addressing policy, redesign, reuse, recycling, and capacity building, analysis is done and recommendations and action can be taken to ultimately provide solutions to this mounting problem.

 

In addition, while laws vary by country, legislation was introduced in the U.S. to address concerns about the export of e-waste. The Responsible Electronics Recycling Act of 2013 (RERA) would make it illegal to send e-waste from the U.S. to developing nations.

 

As our society continues to focus on upgrading consumer technology, more waste will be generated. All of our efforts to recycle properly must be stepped up. We need a continued focus by organizations such as the Environmental Protection Agency, StEP, IT asset disposal providers, electronic waste recycling companies, and government agencies to set in motion recommendations, programs, and legislation so that, as a global community, we can reduce the harms of the drastic increase in waste generation forecast to take place by 2017.

 


Topics: IT Asset Disposition, eWaste Disposal, Electronic Waste Management

   
