How IT Chain of Custody Defends Your Data & Devices

By now, it’s easy to take for granted that everything is tracked: every purchase, every click, every message sent and received. You can track your food delivery driver from the restaurant to your door, and track a package along its entire shipping route, practically in real time.

If you’ve ever lost a package you were expecting or had food show up to the wrong house, then you know exactly why chain of custody is a must-have.

What is a Chain of Custody?

Chain of custody describes the process for tracking ownership of, access to, and liability for assets. It basically asks and answers the question, “Whose responsibility is this?” when property, physical or digital, changes hands.

The most literal example is the classic movie cliche of the person who handcuffs a briefcase to their wrist in a high-stakes situation. Blockchain, mostly associated with cryptocurrency but gaining interest in other applications, is another form of chain of custody.

Chain of custody is not limited to which entity legally owns the property; it also covers the risks that entity assumes while the property is in its possession and, to an extent, after it travels downstream to other stakeholders.

Establishing who is legally responsible for something valuable is important in the event that something happens to that asset somewhere along the way, such as damage, loss, or theft. Evidence of chain of custody can be critical during an audit or investigation.

When you dispose of your old IT equipment, the security of the chain of custody should not be overlooked. It could save your organization from liability and your brand from bad press if your equipment somehow ends up in the wrong hands.

Chain of Custody is an End to End Process

Chain of Custody might bring to mind a typical bureaucratic paper trail. In reality, it’s a process. It starts before your devices ever leave your facility, with practices within your own walls.

Asset tagging is among the most common methods organizations use to track the devices they issue to users. Typically, this just involves labeling each unit with a unique number, and sometimes a bar code, that connects it to asset management records.

Chain of custody policies like asset tagging help organizations oversee the status of their IT hardware inventory in near-real time. Who has each device? How long have they had it? What condition is it in? When is it due to be decommissioned or upgraded, and when was it last patched? This data is invaluable to IT asset managers, especially those with a large and diverse network that might include desktops, laptops, phones, and tablets.

It’s not just individual user-assigned devices that need to be tracked and maintained, either: shared equipment like printers and copiers, projectors, cameras and microphones should all be accounted for. Chain of custody should encompass the equipment’s owner and anyone who might have access to it.

Asset tagging can also reduce and discourage theft or other shady behaviors. Devices bearing their owners’ labels are less attractive for resale, and linking asset tags to serial numbers can deter anyone who might think they’d like to hang onto the company laptop and hope no one notices. You can’t miss what you’re not looking for, and without proper visibility into your chain of custody, you may never even be aware that something is unaccounted for.

Tracking Chain of Custody for Retired IT Hardware

When your devices are ready to be decommissioned, this is where a thorough and well-documented chain of custody practice can really shine. A certified IT asset disposition (ITAD) provider can use your records to streamline processing the equipment for resale or recycling. At Cobalt, assets are tagged regardless of whether they came to us with tags or serial numbers, so that every unit is represented within our system and associated with the right documentation. A full assay and valuation of your equipment is made available once the process is through, as well as a Certificate of Destruction, if required or requested.

What To Look For

The nature of the electronics resale and recycling process means that units and materials can change hands more than once before they reemerge on the other side of a new lifecycle. Unless you’ve arranged for on-site data destruction at your facility, your equipment will first have to leave your property and travel to your ITAD provider.

Depending on whether you use your own transportation, hire a third-party contractor, or have the ITAD vendor provide vehicles and drivers, this first handoff can add another link or two in your chain of custody – so make sure you’re connecting to someone you can trust. Certifications are a good place to start, as many of them require stringent chain of custody and liability protections.


Transportation is one way risk can enter the equation; people are another. Again, outside vendors or contractors that handle your equipment along the way introduce potential weak links in the chain. It’s a good idea to use a full-service ITAD provider like Cobalt that supplies their own transportation and their own employees to collect your IT hardware.

It’s not always practical to get an in-person look at the facility where your assets are going, but it never hurts to ask. You should at least have some assurance from your provider as to the physical security of the site and how the provider controls access to the equipment in their custody. Who has access to it? Just employees, or outside parties? These are questions worth asking.

Within the devices, of course, is the data you’re seeking to protect, and that too deserves a mention within the chain of custody. Certificates of Destruction are used as evidence that the data on a device has been destroyed according to industry and regulatory standards. It is a document you’ll definitely want to have on hand should you be getting audited or undergoing an investigation. (Hopefully, you won’t have to face the latter.)
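The records check these questions imply, as an added example (not code from Cobalt or the original article): it reconciles an asset inventory against the documented handoffs and the serial numbers listed on a Certificate of Destruction. The company names, asset tags, serial numbers and record layout are all constructed assumptions.

```python
"""Reconcile retired assets against custody handoffs and a Certificate of Destruction."""

# Every name and value below is constructed sample data, not a real record.
ORIGIN = "Acme IT"            # hypothetical organization retiring the assets
PROVIDER = "ITAD facility"    # hypothetical ITAD provider

INVENTORY = {"AT-0001": "SN-A1", "AT-0002": "SN-B2",
             "AT-0003": "SN-C3", "AT-0004": "SN-D4"}   # asset tag -> serial number

# (asset tag, released by, received by), in chronological order
HANDOFFS = [
    ("AT-0001", "Acme IT", "Carrier"), ("AT-0001", "Carrier", "ITAD facility"),
    ("AT-0002", "Acme IT", "Carrier"), ("AT-0002", "Subcontractor", "ITAD facility"),
    ("AT-0003", "Acme IT", "Carrier"),
    ("AT-0004", "Acme IT", "ITAD facility"),
]

CERTIFIED_SERIALS = {"SN-A1", "SN-B2", "SN-Z9"}   # serials listed on the certificate


def audit_custody(inventory, handoffs, certified, origin=ORIGIN, provider=PROVIDER):
    """Return findings per category; empty lists mean the records reconcile."""
    findings = {"broken_chain": [], "never_arrived": [],
                "no_certificate": [], "unknown_serial": []}
    holder = {tag: origin for tag in inventory}   # last documented custodian
    for tag, released_by, received_by in handoffs:
        # A link is broken when the releaser was never recorded as the receiver
        # of the previous handoff (this also catches tags missing from inventory).
        if holder.get(tag) != released_by:
            findings["broken_chain"].append(tag)
        holder[tag] = received_by
    for tag, serial in inventory.items():
        if holder[tag] != provider:
            findings["never_arrived"].append(tag)    # still with an intermediary
        elif serial not in certified:
            findings["no_certificate"].append(tag)   # arrived, destruction unproven
    # Serials on the certificate that match nothing you sent.
    findings["unknown_serial"] = sorted(certified - set(inventory.values()))
    return findings


if __name__ == "__main__":
    for category, items in audit_custody(INVENTORY, HANDOFFS, CERTIFIED_SERIALS).items():
        print(f"{category}: {items or 'none'}")
```
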


Why Chain of Custody Became So Important to E-Waste

It wasn’t so long ago that electronic waste, or e-waste, was treated much like other recyclable materials: as material, and nothing more. Dealing in bulk with an eye out for profit rather than responsibility, some early players in the global e-waste trade cut corners or committed outright fraud in how they processed equipment.

E-waste “graveyards” cropped up in poorer areas of the world that accepted this material without asking too many questions. With them came the attendant problems of pollution and effects on human health. Men, women and even children, making pitiful wages, would tear apart and burn devices to access the tiny amounts of gold, silver, and copper within, sending the toxic byproducts into the surrounding air, water, and community. The chemicals that electronics emit in an uncontrolled landfill setting have been shown to cause birth defects and brain damage when inhaled or consumed in drinking water.

That’s the last place where you want an investigative reporter to find hard drives with serial numbers associated with your organization, or hardware bearing your branded asset tags on the side. And yet, in 2008, CBS’s 60 Minutes reported that the Government Accountability Office uncovered 42 companies engaging in illegal e-waste trade in a sting operation – at least one of which CBS caught on camera, sending cathode ray tubes to Hong Kong.

The way the world has processed e-waste has grown up significantly since then – you could argue that these were the events that gave rise to the IT asset disposition industry, and certifications like R2 and e-Stewards. Still, they illustrate just why chain of custody is not something you can afford to take for granted. The risks to organizations and brands are real.

Chain of Custody and Corporate Responsibility

Brands and organizations are increasingly being encouraged, by clients, customers, and their own employees, to “walk the walk” of corporate responsibility. Enough ugly stories of companies looking the other way or hoping not to be noticed have surfaced in the last decade, and social media has made it easier for everyday people to challenge brands on their values.

Among the many things that came to light during the 2020 COVID-19 pandemic were certain weaknesses in the U.S. supply chain, which prompted more intense scrutiny over where our things come from and where they go. The very same year, the newest Global E-Waste Monitor report showed that the volume of electronic waste created in 2019 reached a high of 53.6 million metric tonnes – a 21% increase in just five years.

By responsibly reselling or recycling your used IT assets and entrusting them into the custody of a certified ITAD provider like Cobalt, your organization demonstrates its values and the gravity with which it views its responsibilities to its customers and their sensitive data.