… understand and communicate the risks that unauthorized or gray market products may pose and design procurement processes to mitigate those risks.
A Question of Security
There are massive data protection and security implications when it comes to both the gray and secondary markets. Data may be left on machines, and viruses, malware or spyware could devastate entire networks.
Christina Walker, global director of channel sales and programs at Blancco Technology Group, which supplies secure erasure and diagnostics, talks about the gray market from the perspective of enterprise accountability, particularly in light of recent EU regulations and U.S. laws that hold companies responsible for how they manage, store and dispose of sensitive data.
“An enterprise could potentially have any number of assets floating around the gray market,” said Walker. “If they don’t take the proper precautions to erase the data that inherently resides on said assets before they leave the building or protected data centers, it opens the company up to risk. Not just concerning the regulatory requirements that industries are mandated to follow, such as Europe’s GDPR law and HIPAA, but also potential brand damage.”
Even if sensitive data is not found on a recycled asset that has not been properly erased, it is still possible to see what company previously owned that asset. At a time when security is an increasing concern throughout the data life cycle, this can be a PR and brand equity nightmare.
A survey recently conducted by Blancco found that in a large majority of data centers — 79 percent of U.S. and 76 percent of Canadian respondents — at least a quarter of drives on-site are overdue for sanitization and return/replacement. Over half of the respondents, 57 percent, incorrectly say that a quick or full reformat of a drive would permanently erase all data.
Walker recommends that partners either lean on IT asset disposition experts or develop a practice within their own engineering team to support customers in erasing data.
And don’t forget the chain of custody.
“According to GDPR, the data processor, or in this instance, the partner, is responsible for upholding what the customer, the ‘data controller,’ is asking for with regard to data security,” said Walker. “For example, if the protocol is to ensure that data is not recoverable from end-of-life assets, and the asset leaves a building without being erased and disappears while in transit, the partner could be at risk.”
Hardware suppliers — notably Cisco, which has been vocal about and active in combatting back-channel sales in a variety of ingenious ways — insist that it’s not just about profits. They worry about brand damage, unhappy customers and service problems, and say partners ought to be just as concerned.
According to PacketPushers’ Ferro, vendors have taken steps to stem the gray tide, including:
- Improving monitoring of factories with dedicated employees on location.
- Clamping down on resellers with regular inspections and controls.
- Attempting to prevent the resale of hardware with tougher software licensing that hinders or prevents use by anyone but the original purchaser.
- Deploying software to collect asset information and phone home to the vendor as part of a support contract.
AGMA insists that partners who have relationships with a manufacturer and authorization to sell or service products should understand not only their contractual obligations, but also how unauthorized practices, such as gray marketing, can undermine the integrity of the channel ecosystem overall.
If you’re looking to help customers, or your own IT team, pick up some bargain gear, experts have some advice:
- Find a reputable pre-owned equipment dealer that stands behind its offerings and that has relationships with hardware OEMs.
- Consider second-hand hardware for noncritical and disaster recovery use cases.
- Be mindful of OEM support for firmware updates and security patches.
When disposing of gear, check out advice from the International Data Sanitization Consortium. It provides information about data sanitization best practices across a variety of IT assets, legal language for use in service provider contracts, updates on global regulations and advice on data erasure procedures and responsibilities.