Server disposal isn't a topic topmost on people's minds. For most companies, the mantra appears to be "out of sight, out of mind." In practice, this often means finding a handy room or annex and filling it up with junk.
"I've never visited a company without a storeroom full of IT equipment," says Joe Pucciarelli, a pricing and leasing evaluation analyst at IDC. "In some cases, it is like something out of the warehouse in Indiana Jones, complete with spiders crawling all over the boxes."
According to a recent survey conducted by consulting firm TNS Prognostics of Palo Alto, Calif., 70 percent of respondents underestimate the cost of disposing of PCs and servers, and 66 percent of executives with purchasing authority are unaware of the financial implications of ignoring environmental regulations when disposing of IT equipment.
Negative publicity and litigation can result when discarded equipment containing toxic waste turns up in landfills within the United States or as far away as China. If a customer data breach occurs, the price tag is staggering. The Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, conducted a study to analyze large companies where data was exposed. It cost, on average, $14 million per company to notify customers of the breach. Around 19 percent of customers will terminate as a direct result, and 40 percent more will consider terminating that vendor.
"With 12 percent of all consumers in the U.S.A. having received such a notification, it makes it very clear that server disposal needs to be taken seriously," says Jim O'Grady, director of technology value solution at HP Financial Services' Technology Renewal Center (TRC) in Andover, Mass. "The data on the server is far more important than the hardware cost."
The sheer volume of regulations influencing this area is frightening. Under the Resource Conservation and Recovery Act, for example, the Environmental Protection Agency (EPA) can hold the equipment owner liable if it has been improperly discarded even if the disposal itself was outsourced. The Health Insurance Portability and Accountability Act authorizes criminal penalties of up to $250,000 or 10 years imprisonment per violation of security standards for patient health information. Similarly, the Gramm-Leach-Bliley Act establishes financial institution standards for safeguarding customer information and imposes penalties of up to $100,000 per violation.
Some U.S laws even create personal liabilities. If an individual within a bankrupt company did something illegal related to hazardous materials inside a server, for example, the government can come after him.
"You don't want to be involved in the dumping hazardous waste," says Pucciarelli. "That's a major criminal offense with a lengthy jail term."
Within the 550 U.S. laws affecting IT equipment disposal, California is the most aggressive. Such regulations show up when you buy a cell phone, for example. Often, the box includes a prepaid envelope to send it back to the manufacturer when it reaches end of life.
70 percent of respondents underestimate the cost of disposing of PCs and servers, and 66 percent of executives with purchasing authority are unaware of the financial implications of ignoring environmental regulations when disposing of IT equipment. TNS Prognostics, Palo Alto, Calif.
The European Union is a little more organized. Instead of a patchwork of regulations, it has enacted the RoHs Directive, restrictions of hazardous substances in electrical and electronic equipment. This directive prohibits enterprises in the European Union from purchasing new electrical and electronic equipment containing higher than agreed levels of lead, cadmium, mercury, hexavalent chromium, polybrominated biphenyl (PBB) and polybrominated diphenyl ether (PBDE) flame retardants. It requires OEM certification that all server components and other IT equipment have been manufactured environmentally soundly. Any manufacturer failing to meet these requirements must provide expensive disposal options.
"Any IT managers with a footprint in European Union would be wise to look carefully at disposal when they acquire equipment," says Pucciarelli.
Where Do I Put It?
The good news is that servers are not viewed as being as difficult to dispose of as other IT equipment, such as CRT monitors. Further, servers are considered to be among the most valuable equipment at salvage. So chances are strong that companies can at least cover their costs, if not make a profit by tending to disposal responsibilities in a correct manner.
Pucciarelli lists a number of possible alternatives. Small service companies, he says, are so numerous it's like counting the bubbles in the ocean.
"A single location manufacturing company might do fine with a small local service provider," says Pucciarelli. "As there are some outfits that cut corners, exercise due diligence by checking into industry bets practices, making onsite visits and carefully reviewing the financial as well as business references."
Another possibility is a large independent like Redemtec of Columbus, Ohio., a vendor that covers much of the country with a wide range of options and service plans. Yet another option is via the OEM. Dell, EMC, CDW, IBM, HP and Hitachi all offer established disposal programs.
"Organizations increasingly are coming to companies like CDW and other service providers to recycle servers and server components," says Brian Costello, a technology services sales manager with CDW Corporation. "Service providers attempt to recycle the entire server unit by reselling it once data is completely wiped clean if this option is not possible, the components are recycled. Funds from recycling may be returned to the customer or used to fund the disposal process."
When it comes to disposal, CDW functions as it does in its products' business. It partners with service providers to deliver services. Disposal of equipment is run through CDW but delivered to the customer via best-in-class service providers. Its own equipment is handled somewhat differently.
"After ensuring that all corporate and personal information is eliminated, the bulk of CDW's end-of-life IT equipment is donated to charity or retrofitted for tasks that do not require extensive computing power," says K.C. Tomsheck, senior director of IT operations for CDW. "The company just donated 100 PCs through Operation Homelink, for instance, to families of enlisted service members at Fort Drum, N.Y., to enable them to keep connected via e-mail while their loved ones are in Iraq."
Costello recommends the data on any server be cleansed in accordance with Department of Defense (DoD) standards. In essence, this means changing all the zeros and ones to ones, then changing them all back to zeros, and finally creating a random combination of zeros and ones before disposing of servers.
That may not be enough, however. Pucciarelli points out that some experts say even machines wiped per DoD specs can still be read. Thus, even more robust services are available, such as shredding the hard drive completely.
Old Servers Wanted
HP, too, is big on server disposal. But rather than outsource it, HP has embraced disposal as a value add. It has formed a network of TRCs throughout the world where old servers and other IT equipment go for a makeover or to retire. In addition to its 165,000 square foot hub at Andover, it has other TRCs in Holland and Australia, as well as distributed partner sites to service Canada, Latin America and some regions of the United States.
All together, this network handles more than 1.5 million computer devices per year.
HP's strategy is to run disposal under the umbrella of its leasing division. By managing lease returns well, it can bring product back to market and recover as much value as possible. Alternatively, HP server owners can bring gear to the attention of the TRC and earn cash or discounts on their next purchase
"Send us the gear and we'll eradicate the data, audit it, sell it and give you a percentage of it," says O'Grady. "Although we work primarily for HP accounts, we are also happy to use the service to reduce or eliminate the footprint of a competitor."
This also plays a role in maintaining HP's large user populations on end-of-lifed gear such as VAX, AlphaServer and MIPS/PA-RISC.
Just Do It
The biggest issue in server disposal, apparently, is getting around to it. In the rush to deploy newer technologies, many companies send aging boxes somewhere to be handled "later." Yet there they sit, sometimes for as long as half a decade. What companies fail to realize, however, is that valuable customer data sitting on those neglected machines is prey to anyone. It has no security shell in force to protect it.
"It takes time to do disposal properly, and that is why most don't do it well," says Pucciarelli. "Instead of leaving it at the bottom of the priority list, get rid of it now."