December 15, 2011

Data security breaches have the potential to cripple a financial institution. The average U.S. breach cost companies $214 per compromised record, resulting in an average total cost of $7.2 million per incident, according to the Ponemon Institute, a privacy think tank. Compounding these numbers are notification and legal defense expenses, lost revenue from customer defections and the incalculable cost of restoring a battered reputation.

That's why companies rightly allocate substantial resources to fortify their IT perimeters against hacker attacks, malware intrusions and phishing schemes. They cannot afford to place at risk the vast amounts of personal identifying information, proprietary research and other sensitive corporate and customer data that is collected, stored and transferred via their technology.

Yet many financial institutions are unaware of a gap in data security even as they invest heavily in preventing and detecting malicious attacks. Without realizing it, these same companies can compromise that sensitive data during routine IT equipment refresh cycles. They assume, incorrectly, that once old electronics are laid to rest, the data on them are, too. Yet the data live on -- not just on computer and server hard drives, but across a wide range of devices, including printers, copiers, scanners and fax machines.

Copier and printer hard drives, for example, contain readily obtainable data. Printable copies of bank checks and scans of Social Security cards and drivers' licenses still can be found on end-of-life copiers and printers. Old cell phones, PDAs and other smart mobile communication devices also retain confidential information. Even basic network equipment, like switches and routers, can hold network-specific information, such as static IP addresses, that can potentially expose a company's network to attack.

Most companies don't realize the damage that can ensue or the corporate disasters that can arise from a lack of due diligence in properly disposing of end-of-life electronics. The gray market -- where information and goods are sold outside of authorized channels -- is evolving and becoming more sophisticated. Discarded machines that were once prized by thieves for the commodities they contained -- aluminum, copper, gold -- are now tempting targets for those same thieves because of the confidential data unwittingly left behind by institutions conducting routine equipment upgrades. Symantec Corporation's year-long study of the online underground economy revealed that the potential value of total advertised goods was in excess of $276 million. Credit card and bank account data were among the most popular goods routinely bought and sold by cybercriminals.

Theft of such data can prove especially worrisome for financial institutions that are subject to the data protection provisions of the Fair and Accurate Credit Transactions Act (FACTA) and the Gramm-Leach-Bliley Act (GLBA) and for whom trust is at the core of the relationships with their customers. Last September, the Federal Deposit Insurance Corporation issued guidance that advised financial institutions under its supervision to adopt written policies and procedures that ensure sensitive and confidential customer information stored on the hard drives or flash memory of photocopiers, fax machines and printers is erased, encrypted or destroyed before disposal. And in its 2010 privacy trust study of retail banking, which measures consumer perceptions of trustworthiness, the Ponemon Institute discovered that notification of a data breach was the second-most cited factor contributing to a negative perception of a bank.

These serious compliance issues explain why 74 percent of the businesses participating in an International Association of IT Asset Managers 2010 survey ranked data security and privacy as extremely important to their IT asset disposal (ITAD) programs. The survey also found that 69 percent of these organizations outsource their IT asset disposal programs. Among those who do so, 76 percent indicated that data security is either extremely or very important when choosing an electronics reuse and recycling vendor.

Yet, like every other industry, all reuse and recycling companies are not created equal. Therefore, it is vital that financial institutions ask the right questions when considering and selecting a reliable and reputable vendor to remarket or recycle end-of-life electronics. Their fiscal health and reputations depend on making an informed choice.

Reputable Recycling

Here are important questions to ask when navigating the selection process: