"The Data Diva" Talks Privacy Podcast

The Data Diva E85 - Mark Dobson and Debbie Reynolds

June 21, 2022 Season 2 Episode 85

Debbie Reynolds “The Data Diva” talks to Mark Dobson, IT Asset Disposition (ITAD) Program Manager, NextUse. We discuss his 25 years of IT roles, the considerable risk and problem of Data Privacy and data loss, his history of proper disposal of data and hardware assets, what is involved in improper data sanitization, AAA data disposal organizations, the end of digital transformation is digital degradation, a cautionary tale of Data Privacy and cybersecurity breach case against Morgan Stanley resulting in over 120 million dollars in fines and lawsuits, the lack of executive education on proper disposal of hardware and data, which creates a data risk for organizations, the importance of chain of custody, his thoughts about Data Privacy regulations which place the onus on organizations to avoid data risk, the need to budget for the end of life data disposal, and hope for Data Privacy in the future.


44:52

SUMMARY KEYWORDS

data, companies, drives, assets, people, clients, morgan stanley, vendors, asset, called, facilities, cases, linkedin, certification, sanitizing, properly, custody, security, talk, dispose

SPEAKERS

Debbie Reynolds, Mark Dobson


Debbie Reynolds  00:00

Personal views and opinions expressed by our podcast guests are their own and are not legal advice or official statements by their organizations. Hello, my name is Debbie Reynolds; they call me "The Data Diva". This is “The Data Diva” Talks Privacy podcast where we discuss Data Privacy issues with industry leaders around the world with information that businesses need to know right now. I have a special guest on the show, Mark Dobson. He is the IT Asset Disposition Program Manager at NextUse. Hi, Mark.


Mark Dobson  00:42

Hi, Debbie.


Debbie Reynolds  00:44

So this is going to be fun; this is going to be a little bit different, too, for the audience. So I've been following you on LinkedIn for many years now; I really love your content; you go at it from a lot of different angles. But one of the things that you talk about a lot, and the thing that interests me, and the reason why I think it’s important for you to be able to show, is that you have a lot of deep Real World War Story experiences, about the end of digital transformation. So a lot of companies, they do rah-rah things around digital transformation, but at some point after the big reveal, and people install these systems that aged out, right, so they, the software ages out, the hardware ages out, and then companies have to deal with how do they dispose of that data or that equipment. And so I call it the flip side of digital transformation; I call it digital degradation. But people don't talk about it a lot. And a lot of companies don't do it well, and there are Data Privacy implications for that. So they're a breach of security, typical cyber data breach; there as we see, regulators are really putting the hammer down on companies and how they transfer data to a third party. So I thought it'd be great to have you on the show and talk about your work and NextUse and your journey into this field.


Mark Dobson  02:24

Well, first of all, thank you very much for having me, I was super excited that you approached me for this opportunity, because as you can tell from my work on LinkedIn, I basically spent a lot of time trying to educate C level VP level, IT director level up contacts at companies about this industry. And just a little bit about how I got to where I am doing this. So I've been doing IT-related sales and marketing roles and support roles for various IT startups for about 25 years now. Getting a little snow on the roof here, as you can see. And I came into doing ITAD, specifically IT Asset Disposition, interestingly enough, not from the data security perspective, but because there's a huge e-waste problem, it's going to become a major part of the ecological crisis that we're facing. But then when I got into the industry, I realized that Data Privacy and data loss was actually as big if not a bigger risk to our society than the e-waste. So really, one of the reasons I decided to go to work with NextUse was simply because those are their two top priorities. NextUse is really a specialized data security house, that's what they do, they have a data lab 360 ports of simultaneous overwriting, and they're really structured towards not adding drives into the waste stream to properly sanitizing the drives of all sorts, that's their number one priority. Their number two priority is the ecological impact aspect. And somewhere in there, they actually managed to make money, which is the core of any business, but it's certainly not their priority as it is for many vendors in this industry. So, we aligned. We aligned ethically, I think, which is really kind of important. And the staff there, they're all as I joke around as some of my content. It's a calling, not a job, a lot of the people there they are there because this is the sort of stuff they prioritize, and in turn, it shows in their work ethic and what they're doing in their prioritizing of clients.


Debbie Reynolds  04:55

That's amazing. That's amazing. You know, this is awesome. Probably isn't the most sexy topic, right? So I think I'll talk about it from an executive perspective. So if you're an organization, or you're working with the organization, and they have the servers that are aged out, these need to be gotten rid of, a lot of times those things end up locked in back rooms and are given away, I've seen people do that. But the problem comes with the data a lot of times that is on those devices. So you can't just throw it in the garbage, okay? You can't use it and give it to your neighbor or your friend or whatever, you definitely shouldn't do that. And then there is a cost involved with sanitizing, taking the data off those drives. And then one thing that I used to do, not server related, but the detachable hard drives, I would never reuse those. So that's another thing that people get wrong with data stuff. So they may not overwrite the drive properly to put anything new on it. And so what I used to do is that I will only use the drive once. I wouldn't use it again for anything else. And I definitely wouldn't let it out of my possession. If I wasn't 100% sure that it could be wiped, DOD style, if needed. But that's a very time consuming process, as you say. But tell me what typically happens. And tell me what should happen when people have this situation where they have hardware, that has data on it, and how they should handle that process?


Mark Dobson  06:50

Sure. So you pretty much hit the nail right on the head. And then the two and a half years, I've been working with NextUse and doing program management for them for ITAD. We've seen it all. And a lot of it is really shocking. I would go so far to say in some cases horrifying. Some of the use cases that I've seen align very much with what you're talking about. So you will be called on-site or will be contacted about coming on site. And it will literally be anywhere from a year to 10 years worth of assets piled up. Now, a lot of times these are not in secure facilities. They're in a building but the room they're in might lock, it might not lock, it might be in IT storage space that the door is frequently left open, while people are coming or going or they think it's the junk room, there's no reason to secure it. And, you know, unfortunately, Debbie, we're not talking about lumber companies or ice cream vendors here. We're talking about right up to financial services firms, hospitals and other health care providers. There's really just a real blind spot is a term I like to use a lot for data security and for the value of maintaining chain of custody on those assets. So a big part of my network on LinkedIn happens to be from people in IT Asset Management, or ITAM. And they're actually that in data security, like cybersecurity folks, like CISOs tend to be some of our biggest allies, because they get it right. They understand that those assets go from a cycle, all the way from purchasing to in production to end of life to a term we hear a lot of times is reverse logistics, where the stuff then goes back to either into a second life, which is what we always prioritize because of the environmental impact, or at least getting properly recycled. So we are always running into this clash.
Well, very frequently, we run into this clash where there's a roomful of junk, people, that's how they perceive it, they want to get rid of it, they want to do it as cheaply as possible, or they want to make money from it. And meanwhile, we come in saying great, and just so you know, there are tons of unqualified vendors that will do that for you with varying levels of risk. And again, some of the use cases we could talk about today, we're talking like 10s, or hundreds of millions of dollars worth of risk. Or we can start off the process right for you by taking the assets, auditing them, data sanitizing them and reporting on them in basically nauseating detail. So for example, we get clients all the time that say, good news, you don't need to pay for data sanitizing, why not? Nothing we're going to give you has any data on it. And we, you know, we try not to be smart, but we're like okay, sure that sounds good. And so we don't write that into the statement of work or anything. We don't put it on the quote, but we do make sure they understand that what we're going to do when you get that stuff is look, first and foremost for data and sanitize it. And then that's how NextUse lands most of its long term clients, by the way. We don't do a lot of advertising. Don't do a lot of outbound sales efforts. But we get a client and we report back to them to say, we pulled 30 or 50, or 100, drives, hard drives, solid-state drives, non volatile memory devices that they didn't even realize had any data storage capability at all. And we give them data destruction certificates with itemized list of those assets. And the drives are all serialized. So we provide the serial number of all the drives. And usually, that's enough for them to understand that what a well qualified vendor is offering is in their best interest and that really makes a lot of them very loyal repeat clients very quickly.


Debbie Reynolds  10:51

Yeah. Let's talk a little bit about data sanitization for people who don't know what this entails. Okay, so it isn't, people think, okay, I go on my computer, I see some files. I'll delete those files, and then I'm good. And we know that that does not work. So tell me a little bit about that data sanitisation. I think you'll all be to DOD Department of Defense level sanitisation, where and how many writes? Or how many write overs do you do in your sanitization process?


Mark Dobson  11:25

Sure. Well, this is a pretty complex topic. But I do prefer not to speak very technically. So I'm going to keep this as accessible as possible. But essentially, a lot of people, like you said, think that if they reformat the hard drive, for example, that they've wiped out the data. But in reality, all that does is it removes the table that tells the drive where the data is stored, but it doesn't remove the data itself. And so, with even modestly publicly accessible data accessing software, that data cannot be retrieved. So just that basic understanding that is overwriting the drive is done with specialized hardware and software. It's very energy-intensive, bigger drives can take hours and hours, and every single sector is being overwritten. It's so energy-intensive; it's labor-intensive; they all have to be loaded into and pulled out of drive bays on the specialized hardware. That's not even counting having the personnel trained and having the company certified. There's a huge amount of investment that goes into meeting these certification standards. I'm sure anybody who's done an ISO certification can tell you it's not cheap or easy. The certifications that NextUse issues are called NAID, the National Association for Information Destruction. And their AAA standard is incredibly detailed, incredibly intensive, and comes with quite a cost as well. So there's a big disconnect, I think, in a lot of people's minds about, like you said, that it's just easy, we can just push a button, we can run a program. In reality, it's big time and effort. And there's an expense associated with it as well to doing it properly.


Debbie Reynolds  13:16

And let's talk a little bit about this, this particular certification. So there are only 13 companies in the world that have this triple-A certification from this organization. And they're only five in the US. And you're one of those five? Is that correct?


Mark Dobson  13:33

Actually, I updated that. That data gets updated all the time. So there's currently six organizations in the US that have the set of NAID AAA certifications that NextUse holds. And that's the ability to either go on to a client site or bring these assets back to the facility. So either one to either physically destroy DOS or overwrite the data on hard drives, solid-state drives or non volatile memory. And in addition that the ability to either physically destroy or overwrite the data on non digital media, so that would be things like magnetic tapes, disk-like floppy disk, USB drives, that comprehensive set to be able to do everything in that realm related to data. Only six companies in the US, including NextUse have that set of certifications. And right now, interestingly enough to me, there's a renaissance going on. So in Australia, the Australian government basically codified this right into their laws, that if you are going to be doing anything with their government, or like a subcontractor, you have to use a vendor that's NAID AAA certified and nothing drives getting gold standard certification, like the government telling you you have to do it. So these companies in Australia. Now we're up to 20 companies worldwide, who have NAID AAA certification to that level, where they can basically cover everything from soup to nuts. There are probably, if I had to just guess, there's probably closer to 100 vendors that have pieces of that. So they might be able to do physical drive destruction, but they might be able to do, they might be able to do physical drive degaussing. Or they might be able to do solid-state drive overwriting. So there's a lot of vendors that have bits and pieces of this, which it's still better than going with a lower qualifying standard of which there are two. And I can go into detail about that with you if you'd like as well.


Debbie Reynolds  15:45

All right, right. Excellent. Excellent. So I like to tell companies, if you have data that has a low business value, it has a high cyber or privacy risk, because a lot of times, companies, if it isn't a high value data at the time, they aren't securing it in the same way maybe like you said, maybe it’s in a room, not a special room, maybe not even a locked door, stuck in storage in a box somewhere, connected to the Internet, sometimes not updated and stuff like that. So I see the type of risks that companies take, and they don't really think about it. A lot of times it comes, sometimes it comes into light when companies are hit with litigation, and they have to get data so the data that they had at that moment, even if it's old, and then back room, it may be subject to that litigation and source. So part of it is companies need to do a better job of getting rid of data, figuring out what has the high business value. If it doesn't have a high business value, get rid of it, because it creates cyber privacy risks. What are your thoughts?


Mark Dobson  17:02

Yeah, I mean, that's a big part of ITAD is companies realizing that the real value, the real cost, has nothing to do with the hardware. It has everything to do with the data. And so the chain of custody on these assets, it's physical, because they’re physical assets, but it's really chain of custody on the data from the time that it's in their possession to the time when it's basically irretrievably erased from existence by having all the sectors on the media overwritten, or in worst-case scenario. And just to clarify something, NextUse will destroy drives when clients ask us to. We advocate against it strongly. But there are cases that even when the client understands our reasoning and decides they're going to do best-case scenario, both for their own liability and protection and for the environment. There are times when we still have to destroy drives, nonfunctioning drives can't be overwritten, they have to be physically destroyed as a matter of fact, is a good example. But clients making that realization that it's really the data that carries a risk to the tune of tens or even hundreds of millions of dollars. That's it's sort of a sea change that we are starting to see more, thankfully.


Debbie Reynolds  18:21

Yeah, excellent, excellent. And actually there was a Morgan Stanley case, set of cases around a data center decommission, and you serialized this in several posts on LinkedIn over time, and it was great. I was riveted, actually, because a lot of times, when things go wrong in this area, you don't really have a lot of visibility to it. But this became like a regulatory issue, became like a litigation issue with individuals who are impacted. So there's a lot of public information out there about this particular case. And it’s not necessarily to beat up on Morgan Stanley, because I feel like almost in most organizations have these troubles, right. But this just bursts out onto the scene in a public way. So why don't you start by telling the story about what happened with Morgan Stanley. So what were they trying to do? And then what did they do and what happened as a result of that?


Mark Dobson  19:30

Yeah, and just a little bit of a precursor, as you indicated, this was the best use case we could possibly have asked for. I'm hoping, and one of the reasons I serialized it on LinkedIn is I'm hoping that this is going to be a learning experience for every other company to avoid becoming Morgan Stanley. Essentially as you stated, I'm sure this is far from an isolated incident. This is the one that happened to get caught essentially and go public and really blow up, but a lot of other companies can avoid shooting themselves in the foot from this example. So, Morgan Stanley, there were two separate incidents in 2016 and 2019. But I'm going to focus mostly on the 2016 incident because that's what we know the most about. They were going to decommission some data centers, a very common thing to do, one of the things we get called in on a lot, and they had a partner. Now, interestingly enough to me, this partner, which I will name because it's in the public record, was IBM. They're not particularly qualified to do ITAD. This is often the case, by the way. Big companies that do at least make an effort to do ITAD correctly often attach themselves to vendors that are IT manufacturers, resellers, or distributors. But they're a household name. And they think, well, surely they must be able to do ITAD at the end of the cycle because they do everything leading up to it. And in this case, their vendor of choice, which they moved away from to save money, wasn't necessarily even the best choice to begin with. But at some point, they decided that $100,000 to dispose of 4900 assets was too much money. And mind you, if you do the math on that, and I did because this is what I do. It comes out to about $12 an asset. Essentially was what it would break down to, which is a bargain, by the way, because sometimes we do jobs depending on what the people are asking us to do. It can run anywhere from $15 to $25 an asset. 
And again, that's not at all unreasonable when you're actually asking for actual proper disposal with data sanitization. But they decided to move away. And then, for some bizarre reason, despite the fact that most companies have a huge constellation of stakeholders in this process. Legal, Finance, IT Asset Management, cybersecurity, this company, Morgan Stanley, there seem to be some kind of shortcut because they handed this job off to a company called Triple Crown. It ends up we find out from the court reporting that they are a New York area moving company, no particular qualifications whatsoever to do anything with IT or IT Asset Disposition that I could find, but presumably a competent moving company in the New York-based area, no idea how much they ended up paying. But what did end up happening is Triple Crown then sold the assets in turn to a company called Anything IT. Now Triple Crown claims that they subcontracted the data sanitization to Anything IT because Anything IT presumably had some understanding and capability of how to wipe drives or overwrite drives more accurately. Anything IT, however, in the court recordings indicates that they were never contracted to do data sanitization. They were just sold the drives. And so as is, they took the drives, and they, in turn, sold them to a company called Kruse. And that company, in turn, ended up selling them through various reseller channels, including online. One of the people that bought those assets found encrypted data from Morgan Stanley on one of the drives, and very, very nicely. Instead of contacting REvil, or some other major cybercrime organization, instead contacted Morgan Stanley to make them aware of what they'd found. And then, from there, it basically snowballed into two things so far. One is Morgan Stanley, paid a $60 million fine to the Federal government for that data breach.
And they've also just recently settled a class-action lawsuit from customers whose data they lost control of, and that's another $60 million. So far, not counting brand damage, revenue, or any of that. We're up to $120 million to save $100,000.


Debbie Reynolds  24:15

Oh, my God. Stunning, stunning. Oh, my goodness. Yeah. This is unbelievable. So again, I think, I feel like the majority of companies don't know how to properly dispose of things. And like you said, you have to know the types of drives that you have, the types of media that you have. Not every company can handle all that. So that all needs to be very detail-oriented; you definitely want to make sure you get the certification. They've done that, especially if people are going to reuse and repurpose those drives. So there's a lot of laws now around third-party data transfer. And so this creates a huge risk if companies aren't making sure that sanitization is happening properly before they decide to repurpose or sell or transfer on these drives.


Mark Dobson  25:15

Yeah, that's very accurate. And it's funny because now, thanks to Morgan Stanley, and I wish I could claim credit for them providing us an awesome use case, but I can't. But thanks to that, we're now seeing companies take this a lot more seriously. And some of the clients that we're working with now in the financial services and healthcare industry, especially, not only are they listening to us when it comes to understanding how vendors need to be certified and NAID, by the way, it gets incredibly detailed. I don't think I made this clear when I first talked about it. The NAID standard is applied per media type. So you don't just get like a blanket; you can handle anything. It's literally per media type; you have to prove to them that you know and have repeatable, efficient processes for hard disk drives. And again, for solid-state drives. And again, for non-drive media, you have to prove you can do it on-site; you have to prove you can do it back at your facilities. And there's tons and tons of oversight and supervision and requirements on the physical facilities, the security of it, the video surveillance of it, that they can pull records the fact that they can walk on-site and do want to announce it anytime they want to make sure. But yeah, it's really an area where companies are now starting to take it seriously. We even have clients coming to visit us, which even during the pandemic, they are coming on-site to tour the facility; they want to see the data lab. And if they ever set foot in a recycler, for example, another popular standard is what's called R2, Responsible Recycling. That's literally what the R2 stands for. If they've been in a recycling facility before and then come to see NextUse, it's like all the difference in the world.
And so, in addition to understanding the certifications, and having long, involved vetting processes, as well as with all sorts of paperwork being exchanged, we're seeing more and more clients come right on-site, talk to us, tour the facility, see the data destruction lab, it's extremely eye-opening to see a facility that specializes in data destruction as opposed to a facility that's a recycler, who just happens to do data destruction to the R2 standard.


Debbie Reynolds  27:36

Right, right. Let's talk a little bit about the chain of custody; you touched on that. So the chain of custody, a lot of times people I know talk about the chain of custody like an evidence type of thing. But I think all your assets, in addition to tracking them in your typical Asset Management program. If you're decommissioning things, you still need to have documentation about all the different things that happen to those drives and all the different people who touch the stuff. I tell people I don't like to touch drives because then I have to do more paperwork. But tell me a little bit about the importance of this chain of custody.


Mark Dobson  28:18

Yeah, you actually use a great analogy that I use all the time. And that is, you wouldn't want evidence from a crime scene, passing to people's hands that you had no idea what was happening with them but what their qualifications were to handle them. And really, these assets, they may look old, and they may look beat up, and they may be covered in grime, depending on how long they were sitting in where they were. But they really are every bit as important as evidence from a crime scene, especially with the potential ramifications if they lose control of it. So understanding that it's in secure facilities with the client, that it's only being handled by people that are on a restricted asset access list, right. So they are the only ones that are allowed to view the assets, touch the assets, transport the assets, and then handling those assets off like an actual physical handoff, what we call an on-site takeout, where the chain of custody transfer is from the original owner of the assets to a qualified vendor like NextUse, that is huge. Part of the NAID certification is making sure that once those assets are in a qualified vendor’s hands that they see in a lot of cases, honestly, Debbie probably has a better chain of custody supervision than they did when they were in the original owner's hands. Everything from locked and sealed trucks that are not unlocked until they arrive at the processing facility to, as I mentioned earlier, facilities with multiple layers of physical and digital security, with surveillance cameras recording everything that's done to those assets at every step that is held for upwards of 90 days or longer, they can be viewed at any time by the client and or by the certifying agency, in this case NAID. So the chain of custody plays a huge role in making sure that data on those assets went from one responsible set of hands to another before it was physically, you know, eliminated from existence, essentially.
And then that all culminates in what's called a Certificate of Destruction or CoD and being able to understand that CoD is not just a piece of paper with serial numbers on it, but it's actually the combination of a monitored and controlled chain of custody steps that lead to it, that makes a huge difference.


Debbie Reynolds  30:43

Yeah, I agree. I mean, I remember times I've met people from around the country at the airport, and they give me a drive, we got to do paperwork in the airport. Yeah, it's really important to be able to have that. So let's talk a little bit about Data Privacy. So I think the thing that's happening with Data Privacy, and I want your thoughts about this, so the thing that Data Privacy regulation is doing, which I think is a good thing, is putting the onus on organizations to really take a look at in the life cycle of data, right? So I feel like, before that, a lot of companies felt like, well, I can just keep data forever. Right. So now we’re seeing regulations saying that once your purpose has expired, you should get rid of data. And so what we're seeing now, instead of people just stockpiling things in back rooms, now they're seeing, okay, this is a risk now, a new risk that I didn't have before. So before, let's say there were some regulations, depending on certain types of data you have, you have to keep something for like seven years, or five years or three years. So Data Privacy regulation makes it a little bit more tricky, where they're not saying, you know, there's not like a statutory limit to when you take up, get rid of data. But they're saying you need to make sure that the purpose for which you use the data, and once it expires, that you should be able to dispose of that information in some way. So give me your thoughts about that change.


Mark Dobson  32:31

Sure. That's actually been another thing, I think that's been driving companies to take this step or stage more seriously, is the fact that you have GDPR in Europe, and you have CCPA in California, you have a number of other states that are working on or passing Data Privacy laws, and so suddenly, there are standards, and there's probably more important than anything, that'd be in my opinion, and it's my opinion only, when you have actual repercussions, like reasonably significant repercussions. So I think we've probably all read about cases where a company does the totally wrong thing, and they get a total slap on the wrist financially for it. But GDPR, from my understanding, and CCPA both have percentage of revenue or percentage of gross profit penalties. So instead of a company seeing a number that might bankrupt a smaller company, but it's meaningless to a larger company, these penalties, financial penalties are targeted at the income level and the revenue level of the offending company. So it's meant to be meaningful and painful, and nothing drives behavior changes like meaningful, painful financial penalties. So that's another thing where I wish I could claim credit. And we have had talks with congressmen and stuff before. We've been in consultative phases with Max use before. But you know, I can't claim any credit, but it's definitely been a boon to companies and individuals’ privacy, and to companies’ bottom lines, that these regulations are getting put in place, and they're well written towards making sure that they're not just going to be shrugged off by the bigger companies.


Debbie Reynolds  34:24

Yeah, yeah. I agree with that. I agree with that. And a lot of times when I look in the news about data breaches and stuff, I always look to see, I follow those stories to see exactly what happened, and a lot of times is from this old data is that this end of lifecycle data somehow wasn't secure some way or like this Morgan Stanley thing, maybe the asset had data on it was transferred, so it's an epidemic of people really not taking stock of what happens to data at end of life. What are your thoughts?


Mark Dobson  35:03

Yeah, I mean, that's accurate. When I started with NextUse, two and a half years ago, I would encounter clients that said, and these are real world examples that would say, every year this, so I'll give you an example of a local municipality, midsize. Every year DPW would show up and dump trucks and so all the stuff and take it to the landfill. And I'm like, yeah, what did you do for data sanitation? Oh, DPW took it to the landfill. And so cases like that, where it's really you're starting to see a change in the mindset of what they think of when they think of end of life. And it's both environmental. And from a data security and privacy standpoint, they're just transitioning from; it's garbage, let's get rid of it, to let's make some money off it to let's properly dispose of this like we would hazardous waste. And interestingly enough, by the way, what got me into this in the first place is that a lot of these assets are indeed hazardous waste. It's just now, thanks to Data Privacy regulation, companies realize they’re hazardous waste to them in more ways than one.


Debbie Reynolds  36:18

That's a great analogy. I've heard people try to do stuff like take a hammer to a server or drive, someone threw a laptop in the ocean once, and someone retrieved it, and they were able to get the data off. So I mean, this is not a do-it-yourself type of thing. You definitely need a professional here, and it definitely will save companies a lot of money. Let's talk about budget. So I feel like when companies are doing these digital transformation projects, they really need to build this cost into their budget. So a lot of times what happens is people, they do these new projects or whatever in the store, a lot of money is spent upfront for kind of the rah-rah part of this rollout, right. But then the money is spent before the end of life, and no one really wants to pony up that money at the end, right? So I was thinking about data, the whole lifecycle, not just the start, and not just the kind of behind-value data. But once the end of life has reached the purpose of the data or the end of life to the asset, you know that I think companies need to really think about building that into their budget. What are your thoughts?


Mark Dobson  37:35

Yeah, that's, that's a really great way to put it. One of the things that I created content about one time on LinkedIn recently was that someone had written an excellent article about the 19 steps in deconditioning a data center. Now, here's the thing that this was a typical post or article on LinkedIn will have 1300 or more characters. So you're talking paragraphs and paragraphs; there was literally one sentence in there. And one of the steps right at the end, by the way, is about budgeting for and properly disposing of the assets. So the posts I made basically said a couple of things.

One is that that's like saying, get men on the moon, right, and skipping all the steps it took to get the men on the moon, right. And the other thing, as I said, is this stuff actually comes in, it should actually be the first step, not the last step. Because, as you indicated, if you're not planning for ITAD, it becomes an afterthought. And afterthoughts, as Morgan Stanley can attest, become costly disasters. So companies need to understand that they need to plan and budget, and that requires time to find a properly certified and vetted vendor, establish exactly what you want to do with that vendor regarding the assets, get quotes on that vendor, finesse the program structure so it's doing everything you want, and it's coming in at a price you are finding reasonable, and then build all that in that really needs to be done right upfront. It's not a hey, we're really almost done. I can see the finish line. Can we just toss this stuff aside and run across the finish line? No, we cannot. And thanks to a case like Morgan Stanley, I think more companies realize this. And but again, that's why I write a lot of the content I write. It's really about just trying to help educate companies about the fact that it does have to be an integral part. And again, I'm sure IT asset managers, the ITAM teams in these companies, and the cybersecurity folks from the CISO down. I'm sure they're also advocates for having to plan this stuff in. We need to budget for it right upfront.


Debbie Reynolds  39:52

Yeah, so I guess the advice would be, don't store these things in back rooms. Don't just keep them plugged up to the end. You know, get a certified vendor that knows how to handle all the types of assets that you have, and don't make it an afterthought, because that could just be a disaster in the making.


Mark Dobson  40:13

Yeah, and more and more now, we're seeing companies that are getting on. So one of the things I've tried really hard to do is structure programs to meet requirements within a client's budget. And one of the best practices that we're doing with a lot of our clients now is simply developing a repetitive program. So they say, instead of piling stuff up for five years, or 10 years, and then it's an absolute nightmare, what happened to those assets in the five or 10 years? Who knows? Right, so now we're working with clients to do like three months, six months annual, depending on their size, the amount of times they do IT Asset refreshes, the amount of times they close facilities, because they're consolidating, or they're moving to the cloud, or they are in a merger acquisition, those odd things are going to occasionally pop up. But when there's any predictability to the amount of IT assets that they retire and a schedule for that, we can work with them to do programs where we get those assets from them on a regular basis. And then the program becomes predictable, repeatable, and, more importantly, Debbie, to your last point, sort of the costs, right, if you know that it's going to cost you X amount every quarter to move out X number of assets and properly sanitize the data and dispose of the asset. So you're not getting hit with fines from data loss or from stuff ending up in landfills, you know, literally hazardous waste; it becomes a lot easier to structure and sell to IT and business decision-makers.


Debbie Reynolds  41:45

Excellent. I totally agree. So I ask everyone this question, if it were the world according to Mark, what would be your wish for privacy or even cyber data stuff in the future if it were your wish?


Mark Dobson  42:00

I'm a huge advocate of GDPR. And the thing is, from my content on LinkedIn, I’m a, I don't like to say the term of a Renaissance man. But I'm not a one-trick pony, right? I pay attention to a lot of things and how they interact. So even though I'm playing my part here working with NextUse on the ITAD piece, I think GDPR has really hit the nail on the head. Data, private data belonging to people, is their property. And the way businesses in the US and elsewhere have treated it as a commodity to deal with as they see fit to buy and sell to have total disregard for the owner of that data and what impact that has on them. I think that all needs to change; I think we definitely need to be looking more to the European model and treating people's private data as their property to that they get to make all the decisions about that only things get done with it when they consent to it, and understanding what they're consenting to as well.


Debbie Reynolds  43:02

I agree, you know, it should be common sense. But we all know common sense is not common, right. And there are a lot of loopholes there. But I hope that we will get to that place where if people do have more control and more agency and more say over their data, so it’s definitely having an impact. You know, I see even companies that aren't impacted in the US, for example, by GDPR, they're looking very closely at what's happening with these cases in Europe because those things will have impacts, especially if they're doing any type of work with companies or customers and other regions of the world. Very true. Very true. Excellent. So thank you so much for being on the show. This was amazing. Thank you so much; anyone you all need to follow Mark Dobson on LinkedIn and definitely take a look at his write-ups on the Morgan Stanley case. There's a lot of detail there that people really enjoy. So thank you so much, again, for being on the show. This is awesome.


Mark Dobson  44:03

No, thanks for having me. You know, it's a passion project. For me, it makes a paycheck, but honestly, it's something I'm very passionate about. So I was super excited with the fact that you're going to let me give voice to some of these concepts and reach a broader audience because, at the end of the day, we all benefit from it.


Debbie Reynolds  44:18

I agree with that wholeheartedly. Well, thank you so much. I really appreciate it. Thanks.