Reconciling the conventional approach to ITAD reconciliation

May 22, 2014

By Bob Johnson, NAID CEO

In the upcoming edition of ITAK, the professional journal of the International Association of IT Asset Managers (IAITAM), I wrote an article with Kyle Marks (Retire-IT) about a series of recent events that have demonstrated the hazards of traditional IT asset disposal (ITAD) reconciliations, which have exposed great opportunities for both IT asset management (ITAM) professionals and ITAD service providers.

The incident that started this discussion happened last January when Coca Cola notified regulators and affected employees that the individual responsible for recycling their IT assets – a company employee – had been routinely pilfering laptops. An investigation prompted by the discovery determined that one or more of the stolen laptops had the personal information of approximately 74,000 employees, constituting a data security breach notification.

The dirty little secret that prompted Kyle and I to put pen to paper, was that ITAD reconciliations often unearth missing IT assets that go uninvestigated and unreported, potentially creating hundreds or even thousands of data breach notification violation time bombs. With no statute of limitations on the failure to report a data breach, should any of those devices ever turn up in the future containing personal information, it would most likely be classified as a failure to comply with breach notification requirements. One thing we know for sure is failure to notify has much higher penalties than those that result from the breach itself.

If Coke started us thinking, it was the recent multimillion dollar settlements announced in April that forced our hand. For the first time in history, courts allowed class action data breach lawsuits to go to trial in the absence of demonstrated damages. Within days of the rulings, the respondents in the cases settled rather than let it go to a jury. That was smart. I think juries would have been much harder on them. The point is, with courts for the first time willing to allow these suits to proceed, not only can they no longer turn a blind eye to missing IT assets, they have to do whatever they can to prevent them from going missing in the first place.

Tune into NAIDnotes next week where I will explain why I think the class action law suit against Target for the data breach over the holidays will (and should) go to the Supreme Court.