[ISN] Old computers: An IT department liability that's costing more

InfoSec News isn at c4i.org
Thu Aug 26 05:44:51 EDT 2004


By Lucas Mearian 
AUGUST 25, 2004 

Resellers of old computer equipment say they will no longer accept
used equipment without charging for erasing hard drives to ensure they
aren't held liable for exposing sensitive data.

Marc Sherman, chairman and CEO of WindsorTech Inc. in Highstown, N.J.,
a used IT equipment reseller, charges companies a flat $8.75 fee for
performing a basic audit of used computer equipment and $10 to $30 for
erasing disk arrays, depending on the disk's size.

"As the business developed over the years, we've gone into a world
where data security is critical," he said. "The whole thing now is
we're in a situation where we're reluctant to buy equipment unless
we're fully indemnified. Otherwise, it puts us in a very dangerous

"It's been an educational process for IT users. The information on a
computer doesn't belong to the company. It belongs to the customer,"  
he said.

Sherman said he believes his company is more trustworthy when it comes
to ensuring data has been erased from drives before resale because his
is the only publicly traded firm that resells used equipment and must
answer to the U.S. Securities and Exchange Commission and the National
Association of Securities Dealers.

Jill Vaske, vice president and co-founder of Redemtech Inc., a
Columbus, Ohio-based recycler of PCs and other IT products, said that
with the economy picking up, companies are just beginning to change
out PCs and servers after holding on to them for longer than the
normal three-year refresh cycle.

Redemtech manages end-of-life technology turnover for almost 100
Fortune 500 and Global 1,000 companies, making sure data isn't exposed
when computers are reconditioned for continued use or given to

"Our experience is [that] most resellers aren't minding the liability
side of end-of-life equipment. They don't assume liability for
reselling it," Vaske said.

Liability for any data exposed through the resale of technology
equipment rests squarely on the company that created the data,
according to Alan Burger, an attorney at the law firm of Burger,
Trailor & Farmer in West Palm Beach, Fla. "You can't shift the risk by
contract to a reseller," he said.

Burger sees a growing problem around data security and information
privacy because of a number of laws that took effect over the past
three years, including the Health Insurance Portability and
Accountability Act, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley
Act, also known as the Financial Institution Privacy Protection Act of

"You're just getting into that computer changeover due to technology
obsolescence now," he said. "You will have billboards on both sides of
the highway saying, 'Was your health information exposed? Call ABC
attorneys.' "

Examples of the necessity of data protection abound. For instance, in
January 2003 a disk drive with 176,000 insurance policies was stolen
from Guelph, Ontario-based Co-operators Life Insurance Co.

In response to such events, California adopted a new law, SB 1386,
which went into effect this month. It requires any company that stores
information about California residents to publicly divulge any breach
of security affecting that data within 48 hours.

Said Sherman: "These regulations ... are really validating our
business model."

More information about the ISN mailing list