Bob Johnson, RecyclingToday.com, November 2023
Emerging regulatory trends soon will alter the internal reporting structure by which enterprises dispose of their information technology (IT) assets. Although this change is limited to enterprise IT asset disposition (ITAD), it is sure to affect the way those enterprises interact with ITAD service providers.
By and large, enterprise ITAD falls under the responsibilities of IT asset managers who also oversee hardware issues, such as device procurement, onboarding and tracking, while also managing their organizations’ portfolios of software licenses.
As many ITAD service providers know, most enterprises lose track of a significant percentage of their IT assets before they are discarded. This has nothing to do with the ITAD service provider, but it usually becomes apparent when a discrepancy arises between the internal device inventory generated by IT asset monitoring software and the devices accumulated for final disposal.
Because it is highly probable that unresolved or missing IT assets contain regulated personal information, regulatory and legal obligations necessitate investigating and resolving their absence. Regulators require such incident investigation because it is the only way to establish whether a missing device constitutes a reportable data security breach.
But, instead of investigating and resolving the possible incident, the overwhelmed IT asset manager could be unaware of the compliance imperative or unwilling to trigger an investigation that could reflect poorly on them. The result remains the same: the IT asset disposal process ends up being used to avert the required investigation by allowing it to be assumed that any unresolved devices were among those that were securely retired.
Why & how enterprise IT will change
According to the Securities and Exchange Commission (SEC), as of December, all publicly traded corporations and investment firms must disclose any material cybersecurity breaches within four days of discovery. These same corporations also must disclose an aggregated summary of material cybersecurity incidents every year, define their overall cybersecurity postures and their boards’ roles and, finally, attest to their capabilities for assuring appropriate cybersecurity reporting and preparedness.