With so many certified ITAD companies to choose from, don’t settle for the ‘poor man’s wipe’ and end up entangled in a class-action lawsuit.
Trying to turn the decommissioning of retired IT assets into a “profit center” can have dire consequences. Just ask Morgan Stanley.
Lawyers for the plaintiffs in a class-action lawsuit allege the financial services giant ignored industry standards when it cut loose its long-standing ITAD partner to save money. Instead, the firm chose the “poor man’s wipe” to sanitize its equipment.
That decision has come at a high price. Morgan Stanley is facing a $60 million civil money penalty from the Office of the Comptroller of the Currency (OCC), the U.S. Treasury Department bureau that supervises national banks. The charge: failing to exercise proper oversight of the 2016 decommissioning of two Wealth Management business data centers.
And that’s not the end of it. In a separate 2019 incident, the company, once again, allegedly did not properly sanitize servers and failed to follow chain of custody procedures.
3 lessons from the Morgan Stanley data breach that can help you assess ITAD companies
These costly and highly publicized data breach cases show why organizations must perform due diligence and evaluate ITAD companies against concrete criteria. The string of mistakes that landed Morgan Stanley in trouble is also far from unusual. It offers valuable lessons that every company should keep in mind when the time comes to retire its electronic devices.
Let’s take a closer look at the sequence of events, what went wrong, and how you can avoid repeating the same mistakes.
Lesson 1: If a quote seems too good to be true, it probably is
According to the September court filing, Morgan Stanley changed ITAD vendors to save money. The lawyers representing the consumers in the class action complaint allege that cost-cutting “at every corner” drove Morgan Stanley’s decision to part ways with IBM in favor of a local moving company with no ITAD experience. The change saved approximately $100,000, but there was a problem: the new vendor botched the job. When the devices turned up on e-commerce platforms, unencrypted customer data was still on them.
No one wants to pay more than they need for any job. And a company can hardly be faulted for being enticed by a competitive quote. But when you compare ITAD companies, a strikingly low offer may be a sign that something is amiss.
Recycling costs tend to track the rigor of the disposition process, and of data sanitization in particular. Doing it properly requires specific sanitization methods, procedures, equipment, and expertise to comply with NIST SP 800-88, the current U.S. reference for media sanitization. (Vendors still quote the DoD 5220.22-M three-pass overwrite, but that is an obsolete practice rather than a current standard, and overwriting of any kind is unreliable on SSDs, where NIST SP 800-88 points to cryptographic erase or physical destruction instead.) A simple format or quick file deletion, on the other hand, may be cheap, but it leaves your data exposed to thieves and your company exposed to regulatory violations.
Lesson 2: Saying the job will get done is not the same as getting it done right
Morgan Stanley hired Triple Crown, a local moving company, to remove and wipe more than 4,900 devices from two decommissioned data centers. Triple Crown, in turn, reached out to AnythingIT, a New Jersey-based electronics recycling and ITAD firm. Morgan Stanley says AnythingIT provided Triple Crown with certificates of indemnification that Triple Crown falsely presented as certificates of destruction.
In a statement to E-Scrap News, AnythingIT denies that it was hired to perform any destruction services but simply purchased and resold retired devices from Triple Crown.
Regardless of who is ultimately at fault, the breach can’t be denied: a consumer who bought used equipment on an e-commerce platform in 2016 discovered it retained Morgan Stanley data. To make matters worse, not all decommissioned devices could be accounted for due to lapses in Morgan Stanley’s internal asset tracking.
Three years later, in 2019, history repeated itself when some servers from a hardware refresh program were not properly sanitized and chain of custody errors resulted in more missing devices. In July 2020, Morgan Stanley finally acknowledged the data breaches and notified customers that their personal data may have been exposed.
It’s surprising that a large organization like Morgan Stanley chose to handle the disposition of retired IT assets so carelessly. Then again, pouring resources into new investments and safeguarding networks against cybercriminals tend to garner more interest than the last phase of the asset lifecycle.
But the Morgan Stanley data security scare underscores the importance of working with certified ITAD companies. No promise or handshake can replace standards and certifications when it comes to guaranteeing the integrity of the entire process. Certification frameworks require a documented chain of custody, verification that data sanitization actually took place, and a systematic approach to an increasingly complex regulatory environment. Certifications also bring real ROI: the requirements make for a more efficient operation whose benefits you reap.
NIST SP 800-88, mentioned earlier, is a sanitization guideline rather than a certification. R2 certification, by contrast, ensures that ITAD companies meet the highest environmental and safety standards for the recycling of used electronics, and NAID AAA Certification is the counterpart specific to data destruction. (A quick search of R2-certified facilities did not turn up AnythingIT.) The job is not finished until you receive a certificate of destruction with a serialized inventory of data-bearing assets and have reconciled that inventory against your own decommissioning records, so that every device is accounted for.
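One concrete form of that final check, added here as an example that is not part of the original post: reconcile the vendor’s serialized certificate of destruction against your own decommissioning register, so that every data-bearing device either has a sanitization record adequate for its media type or is flagged. The CSV column names, the asset records and the policy table are constructed for the example; the method names borrow the terminology of NIST SP 800-88 Rev. 1, but the table itself is an assumption to be replaced with your own written policy.

```python
"""Reconcile a decommissioning asset register against a vendor's
certificate of destruction (CoD).  Added example with constructed data."""
import csv
import io
from collections import defaultdict

# Hypothetical policy table modelled on NIST SP 800-88 Rev. 1: for each media
# type, the methods accepted as reaching the Purge or Destroy level.
# "overwrite" is deliberately absent (a single pass is only Clear, and
# overwriting is unreliable on flash because of wear levelling), and
# "degauss" is absent for SSDs because a degausser does nothing to flash cells.
PURGE_OR_DESTROY = {
    "hdd": {"degauss", "crypto_erase", "secure_erase", "shred"},
    "ssd": {"crypto_erase", "block_erase", "shred"},
}

# Constructed sample: what the internal asset register exported on the day
# the racks were pulled ...
REGISTER = """asset_tag,serial,media
DC1-0001,WD-AAA111,hdd
DC1-0002,WD-BBB222,hdd
DC1-0003,SM-CCC333,ssd
DC1-0004,SM-DDD444,ssd
DC1-0005,WD-EEE555,hdd
"""

# ... and what the vendor's serialized certificate of destruction lists.
COD = """serial,method,date
WD-AAA111,degauss,2016-03-04
WD-BBB222,overwrite,2016-03-04
SM-CCC333,crypto_erase,2016-03-04
SM-DDD444,degauss,2016-03-04
XX-ZZZ999,shred,2016-03-04
"""


def parse_csv(text):
    """Return the rows of a CSV string as dicts with stripped keys/values."""
    return [{k.strip(): v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def reconcile(register_text, cod_text):
    """Compare the asset register with the CoD.

    Returns {issue_name: sorted list of serials}; an empty dict means every
    registered device has an adequate, unique sanitization record and the
    vendor reported nothing we never tracked.
    """
    register = {r["serial"]: r for r in parse_csv(register_text)}
    issues = defaultdict(set)
    cod = {}
    for row in parse_csv(cod_text):
        if row["serial"] in cod:                       # same serial certified twice
            issues["duplicate_cod_entry"].add(row["serial"])
        cod[row["serial"]] = row

    for serial, asset in register.items():
        if serial not in cod:                          # the Morgan Stanley failure mode
            issues["no_sanitization_record"].add(serial)
            continue
        accepted = PURGE_OR_DESTROY.get(asset["media"], set())
        if cod[serial]["method"] not in accepted:      # e.g. overwrite on HDD, degauss on SSD
            issues["inadequate_method"].add(serial)

    for serial in cod:
        if serial not in register:                     # chain-of-custody gap on our side
            issues["not_in_register"].add(serial)

    return {name: sorted(serials) for name, serials in sorted(issues.items())}


def run_sample():
    """Reconcile the constructed register and CoD above."""
    return reconcile(REGISTER, COD)


if __name__ == "__main__":
    findings = run_sample()
    if not findings:
        print("All devices accounted for with adequate sanitization.")
    for issue, serials in findings.items():
        print(f"{issue}: {', '.join(serials)}")
```

Run against the sample data, the script reports WD-BBB222 and SM-DDD444 as inadequately sanitized, WD-EEE555 as having no sanitization record at all, and XX-ZZZ999 as a device the vendor certified that the register never tracked. The last two buckets are exactly what the tracking lapses described above produce, and either one should block sign-off on the project.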
Lesson 3: The best ITAD companies may not always be around the corner
When it came time to select a new vendor to wipe its decommissioned equipment, Morgan Stanley appears to have gone local. Triple Crown was, just like Morgan Stanley, based in New York City.
Considering that the chosen vendor lacked every qualification for the job, Triple Crown’s proximity may, alongside the financial incentive, have played a role in its selection.
In a previous blog post we cautioned against letting location trump other, more important criteria. Location is far less of a limiting factor than it used to be. The cost of palletized shipping is typically not a budget-buster, and it is worth paying when the receiver is the trusted partner you have been searching for. Your partner may even offer logistics services that make pickup and transportation easy.
The case of Morgan Stanley shows that even large organizations make costly mistakes when it comes to ITAD. You can learn from it and make better, informed decisions. It really doesn’t take much to get it just right.
Keep it up:
- For optimal IT asset recovery, consider alternatives to degaussing
- 6 easy ways to increase IT asset recovery value
- Pursuing DIY IT asset disposition? Consider the risks