In general, the development of faster computers just barely keeps pace with the need for faster computers. Back in 2000, for instance, a PC equipped with a Pentium III chip processing instructions at 500 megahertz could easily handle most computing tasks performed by a typical business user. Today, that same computer would churn through a graphics-laden, enterprisewide business-intelligence program with all the speed of a teenager asked to do a chore.
To help keep up with new — and more-robust — releases of business software, companies typically replace workers’ computers every three to four years. While this schedule seems about right, there is one slight downside to the regimen: getting rid of old computers is growing increasingly difficult. These days, computers hold a massive amount of structured and unstructured data, as well as application logic and personalized settings. Architecting and migrating this information from one storage device to another can be a pain. Moreover, laws require companies in the United States to dispose of PCs in an environmentally friendly fashion (computer hardware contains toxins such as lead and mercury). Failure to do so can result in stiff fines from the Environmental Protection Agency.
Given the hurdles, it’s hardly surprising that executives tend to focus on “putting new IT systems in place rather than getting rid of old ones,” says Michael Warrilow, a senior analyst with the security and risk strategies team at Meta Group. But the crucial task of replacing old machines is about to get even harder: federal regulations slated to go into effect next month — including those from the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act — hold companies responsible for properly disposing of any personal information stored on donated or dumped computers. In addition, provisions of Sarbanes-Oxley require publicly traded companies to maintain procedures for the safe disposal of computers. Says Jenny Schuchert, vice president, program development, at the International Association of IT Asset Managers: “[The companies affected by Sarbox] typically have 25,000 desktops in use, so a significant percentage have to be retired each week. They know something has to be done with them — they just can’t end up in a landfill.”
The new laws should worry a whole host of corporate officers, starting with CFOs and corporate risk managers. Companies that take shortcuts in wiping hard drives run the risk of violating these privacy laws — and alienating customers in the process. “If you do something outrageous to your consumers, like expose their data,” cautions Lisa J. Sotto, a partner in the New York office and head of the Privacy Regulatory Practice Group at law firm Hunton & Williams, “you’ve incurred a reputational risk that could have an enormous impact on future revenues.”
Still Lurking About
While erasing data from a hard drive is so easy a child can do it (and often that’s just how it happens), permanently erasing data from a disk drive requires effort. Merely scrambling or reformatting the directories on a drive leaves the underlying data intact. Even if a new operating system is installed and the files are overwritten, the previous data may still be lurking about. Warns Steve Koch, managing partner at IT and business consultancy Client Care Associates, “Unless you overwrite the whole hard drive, it will still hold data from the previous client.”
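The difference between reformatting and overwriting the whole drive, shown as an added example that is not part of the original article. It is a Python sketch over a constructed 32 KiB image file; the toy directory layout, file name, and sample record are assumptions made for illustration.

```python
import os
import tempfile

BLOCK = 512          # bytes per block in this constructed image
DIR_BLOCKS = 4       # blocks reserved for the toy directory table
TOTAL_BLOCKS = 64    # image size: 32 KiB
RECORD = b"CUSTOMER: Jane Example, ACCT 0000-CONSTRUCTED"  # constructed sample data

def build_image(path):
    """Write a constructed image: a directory entry plus one file's contents."""
    image = bytearray(BLOCK * TOTAL_BLOCKS)
    entry = b"records.txt@block10"
    image[:len(entry)] = entry
    image[10 * BLOCK:10 * BLOCK + len(RECORD)] = RECORD
    with open(path, "wb") as f:
        f.write(image)

def quick_format(path):
    """Reset only the directory blocks, which is all a reformat touches here."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * BLOCK * DIR_BLOCKS)

def full_overwrite(path):
    """Overwrite every byte of the image and force the write to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())

def residual_blocks(path):
    """Return the indexes of blocks that still hold any non-zero byte."""
    with open(path, "rb") as f:
        blocks = iter(lambda: f.read(BLOCK), b"")
        return [i for i, b in enumerate(blocks) if b.strip(b"\x00")]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "disk.img")
        build_image(path)
        quick_format(path)
        after_format = residual_blocks(path)   # data block survives the reformat
        with open(path, "rb") as f:
            leaked = RECORD in f.read()        # record is still readable in the raw image
        full_overwrite(path)
        return after_format, leaked, residual_blocks(path)

if __name__ == "__main__":
    print(demo())
```

The same `residual_blocks` check can serve as a post-wipe verification step in a disposal procedure: a wiped image should report no residual blocks.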