Year: 2024

Data security has become a paramount concern for individuals and organizations in today’s digital environment. As we accumulate vast amounts of sensitive information on our hard drives, it’s crucial to understand the various methods available for securely destroying this data when it’s no longer needed. Let’s dive into the hard drive data destruction world and explore the techniques that ensure your confidential information doesn’t fall into the wrong hands.

The Importance of Proper Data Destruction

Before we delve into the specific methods, it’s worth emphasizing why proper data destruction is critical. A data breach can result in astronomical financial losses and irreparable damage to a company’s reputation. Taking a cavalier approach to data disposal is simply not an option. Whether you’re a large corporation or an individual looking to sell your old computer, ensuring your sensitive data is completely and irretrievably destroyed before passing it on for re-use or recycling should be a top priority. Software-based wiping is one method for removing data from a hard drive, but it may not be adequate for all situations. When physical hard drive destruction is called for, the following are the best options:

Degaussing: Erasing with Magnetic Force

Degaussing is a fascinating process that uses powerful magnetic fields to scramble the data stored on magnetic media, such as hard drives and tape drives. When a degausser is applied to a hard drive, it changes the magnetic domains where the data is stored, effectively scrambling the information into random patterns. This renders the data on the drive wholly unreadable and unrecoverable.

Key Points About Degaussing:

• Degaussing is effective on both functional and non-functional drives
• Degaussing a hard drive destroys not only data but also drive formatting and control information
• Degaussing is a process that renders the drive permanently unusable
• Degaussing is compliant with many stringent data destruction standards

NSA-Approved Equipment

For the highest level of security, organizations like Securis use NSA-approved degaussers, such as the LM4 model. These machines are recertified annually to ensure they meet the most rigorous standards for data destruction.

Shredding: Crushing the Problem

Nothing beats the physical destruction of the hard drive when it comes to absolute certainty in data destruction. Hard drive shredding is precisely what it sounds like – the drive is fed into an industrial shredder that reduces it to small metal fragments.

Benefits of Hard Drive Shredding:

• Provides visual confirmation of data destruction
• Extremely effective against all forms of data recovery
• Can be performed on-site for added security

The Hard Drive Shredding Process

Typically, hard drive shredding involves the following steps:

• Collection and inventory of drives
• Secure transport (if shredding is not performed on-site)
• Shredding using industrial-grade equipment
• Proper disposal or recycling of the resulting materials

MicroShredding: Taking It a Step Further

Microshredding (also known as disintegration) takes the shredding process to the extreme for those requiring an even higher level of security. This method reduces hard drives to dust-like particles, ensuring that no readable data can possibly survive.

When to Consider MicroShredding:

• Handling classified or top-secret information
• Dealing with highly sensitive personal or financial data
• Compliance with the most stringent data destruction regulations

Combining Methods for Ultimate Security

While each method can be effective independently, many data destruction services combine techniques for added peace of mind. For instance, a common approach is to degauss hard drives before shredding them. This two-step process ensures that the data is first magnetically erased and then physically destroyed, leaving no possibility of recovery.

Choosing the Right Method for Your Needs

Selecting the appropriate data destruction method depends on several factors:

Security Requirements

Consider the sensitivity of your data and any regulatory compliance needs. Physical destruction methods like shredding or micro shredding may be necessary for sensitive or highly classified information.

Volume of Drives

If you’re dealing with a large number of drives, a method like degaussing might be more efficient than individual wiping.

Drive Condition

Remember that wiping requires a functional drive, while degaussing and shredding can be performed on non-operational devices.

The Role of Professional Data Destruction Services

While some data destruction methods can be performed in-house, many organizations opt to use professional services for several reasons:

Certified Equipment and Processes

Companies like Securis use NSA-approved equipment and follow strict protocols to ensure compliance with industry standards. They will also have essential certifications such as NAID AAA and R2v3, which can assure clients that the company meets rigorous standards for security and sustainability.

Chain of Custody

Professional services provide detailed documentation of the destruction process, which can be crucial for audit purposes.

On-Site Services

Many providers, including Securis, offer on-site destruction, eliminating the need to transport sensitive data off-premises and allowing secure data destruction to occur on-premises and under the client’s supervision.

Environmentally Responsible Disposal

Reputable data destruction companies ensure that materials are recycled or disposed of in an environmentally friendly manner. An R2v3 certification is an important way to know how serious the company is about sustainable recycling.

Beyond Hard Drives: Other Media to Consider

While we’ve focused primarily on hard drives, it’s important to remember that data can reside on various media types. Professional data destruction services often handle:

• Solid State Drives (SSDs)
• Tape drives
• USB flash drives
• Mobile devices
• Optical media (CDs, DVDs)

Each of these may require specific destruction techniques to ensure complete data erasure. Because many of these devices are physically small, disintegration may be the best option for physical shredding.

Conclusion: Taking Data Destruction Seriously

There are many vulnerabilities to a company’s data. These vulnerabilities are not over when the life of the data-bearing device is over. Protecting that data throughout its lifecycle—including its end-of-life—is crucial. Whether you choose wiping, degaussing, shredding, or a combination of methods, the key is approaching data destruction with the seriousness it deserves. Remember, proper data destruction costs are insignificant compared to the potential fallout from a data breach. By understanding and implementing appropriate data destruction methods, you’re not just protecting information – you’re safeguarding your organization’s future, reputation, and peace of mind. So, the next time you’re faced with old hard drives or other data-bearing devices, don’t just toss them in the trash or let them gather dust in a closet. Take the time to ensure your sensitive data is genuinely, irrevocably destroyed. After all, in data security, it’s always better to be safe than sorry.

Do You Need a NAID-AAA Certified Partner for IT asset disposition (ITAD)?

According to the IBM Cost of a Data Breach Report 2024, the global average data breach cost skyrocketed to $4.88 million this year! Avoid the risk of data breaches and costly fines by choosing a NAID AAA-certified vendor for your IT asset disposal. In an era where sensitive data is a prime target, not every data destruction service meets the highest standards. A NAID AAA certification ensures your IT assets are disposed of securely, fully compliant with industry regulations, and with the professionalism your business deserves. By working with a trusted, NAID AAA certified partner, you’re making a critical investment in protecting your company’s data and reputation.

What is NAID AAA Certification?

NAID (National Association for Information Destruction) AAA certification is a globally recognized standard for companies providing secure data destruction services. It demonstrates that a vendor adheres to strict protocols designed to protect sensitive data and meet the most rigorous data protection standards. When it comes time to find an IT Asset Disposition partner,  working with a NAID AAA-certified partner offers several key benefits for businesses looking to mitigate risk and ensure compliance.

1. Rigorous Data Security and Destruction Standards

NAID AAA-certified vendors follow the most stringent data destruction standards, which include robust measures to safeguard confidential information throughout the IT asset disposition process.

2. Compliance and Auditing for Peace of Mind

Data destruction compliance is more critical than ever, especially with the increasing number of industry data protection regulations. NAID AAA certification includes thorough auditing and compliance checks, ensuring vendors meet or exceed legal and regulatory requirements.

4. Quality Control and Documentation

Quality control is a cornerstone of NAID AAA certification. Certified vendors must implement strict quality control measures to ensure data is securely destroyed and adequately documented.

Conclusion: Trust the Experts in Secure Data Destruction

While our data-driven environments are not changing, organizations must take every possible step to ensure that their sensitive information is securely destroyed when it’s no longer needed. NAID AAA certification offers a reliable and comprehensive standard for secure data destruction, providing businesses with the confidence that their IT asset disposition (ITAD) partner is fully committed to maintaining the highest levels of data security, compliance, and professionalism. By choosing a NAID AAA-certified ITAD partner, you ensure that your data is destroyed securely, your organization remains compliant, and your reputation stays intact. 

Corporate IT departments play a critical role in managing the entire lifecycle of a company’s technology assets, including ensuring the secure disposal of outdated or end-of-life (EOL) equipment. While many IT teams and sustainability experts recognize that reusing or reselling unused IT assets is the most eco-friendly approach, the disposal process can have potential risks. For instance, some companies turn to electronics brokers or platforms like eBay to sell EOL equipment. While these methods may seem convenient, they can pose significant risks if sensitive data is mishandled or disposal practices fail to comply with regulations. Let’s delve into why businesses should exercise caution before listing their IT assets on sites like eBay or selling to brokers.

The Risks of Selling IT Assets on eBay

Several examples highlight businesses that have not exercised due care when disposing of end-of-life IT electronics.  The result can be fines, reputation loss, and significant loss of shareholder value.

A NAID AAA (now iSigma) study found that 40% of used devices sold on platforms like eBay contained personally identifiable information (PII). PII includes everything from customer records to internal communications to passwords. Any of this information becoming public could easily be costly and cause your company to be fined or endure reputational damage.   Read more about the study here.

Additionally, Rapid7, a leading cybersecurity company, conducted an experiment in which they purchased medical infusion pumps from online resellers and uncovered sensitive authentication data from several healthcare facilities. If exploited by malicious actors, this data could have severe consequences for hospitals and medical providers who previously owned the equipment. Read more about their findings here.

These examples highlight the significant risks companies face when they fail to properly sanitize data before reselling or disposing of their old IT assets. A company may assume its IT Assets will be properly sanitized, but if it does not work with a properly credentialed ITAD company, it can still face severe consequences for mishandling its data disposal processes.

Take Morgan Stanley, for instance. In 2023, the financial institution was fined $163 million after a moving company they hired to decommission their data center failed to properly wipe sensitive data from devices. Instead of adequately sanitizing the data before reselling, the moving company worked with an unnamed ITAD company that sold the equipment online, exposing the personal information of 15 million people. Read more about this case here.

These cases and many others are stark reminders of why selling used IT equipment outside of the channels of a NAID-certified ITAD vendor is fraught with risk and can result in devastating data breaches, regulatory fines, and reputational damage.

How to Mitigate Risks Associated IT Asset Disposal

While it’s clear that selling IT equipment online can be risky, there are significant benefits to working with a certified IT asset disposal (ITAD) provider. Partnering with an ITAD vendor like Securis offers several advantages:

1. Certified Secure Data Sanitization or Destruction

A reputable ITAD vendor will ensure all device data is fully sanitized and/or destroyed. Certified vendors use NIST 800-88 to guide sanitization methods.  Certifications like NAID AAA and R2v3 ensure that the vendor follows rigorous data security and environmental sustainability standards. These certifications are open to spot checks on certified facilities, so high standards must be constantly maintained. Securis also has a trained Secure Data Destruction Specialist on staff to ensure we use the best, most current, and most secure data sanitization methods. 

2. Environmental Responsibility

E-waste is a growing concern, and responsibly recycling or reselling IT equipment helps prevent harmful pollution. A broker’s goal is to sell used computers for top dollar. Electronics with no value may end up in a landfill, resulting in environmental fines for the company that asked them to sell the equipment.  Companies can be liable for knowingly hiring an unqualified or unreliable ITAD vendor and for any environmental damage caused by improper disposal. If the company fails to conduct due diligence on the ITAD vendor’s practices, it may share some responsibility. There have been several cases where the EPA or states fined companies after their ITAD vendor left the business.   The EPA, OCC, or other government agencies may investigate a company’s practices for selecting and monitoring ITAD vendors. If the company is found to have inadequate oversight, it could face enforcement actions, even if the primary responsibility lies with the bankrupt ITAD vendor.

Companies should have contractual agreements that require their vendors to follow NAID AAA (information security) and R2v3 (environmental) best practices. They should also review third-party audits of their vendors and ensure that their ITAD vendors maintain liability insurance. R2v3-certified ITAD vendors are equipped to handle the environmentally safe disposal and recycling of electronic waste, ensuring that devices are reused or recycled in a way that meets EPA guidelines. By partnering with a trusted ITAD provider, companies can confidently meet their sustainability goals while reducing their carbon footprint. 

3. Compliance with Regulations

Disposing of IT assets improperly can lead to severe legal and financial consequences. Regulatory bodies like the SEC, OCC, and EPA have stringent requirements for data privacy and environmental impact. Working with a certified ITAD vendor mitigates the risk of non-compliance with these regulations. Additionally, ITAD vendors provide complete documentation and audit trails demonstrating compliance with data destruction laws and environmental standards. Certificates of Destruction are issued by certified ITAD vendors, which prove your data was properly destroyed. 

4. Vendor Accountability

When you work with a certified ITAD vendor, you are establishing a partnership with a company that you must ensure is held to high standards. Reputable ITAD vendors with certifications such as NAID AAA and R2v3 are regularly audited to ensure they meet industry benchmarks and comply with relevant regulations. Furthermore, by conducting thorough reference checks, scrutinizing online reviews, or even visiting an ITAD vendor’s facility, you can ensure that you have exercised due care and oversight of your ITAD vendor.

Why eBay Shouldn’t Be Your First Choice for IT Asset Disposal

In conclusion, selling end-of-life IT equipment on eBay or to the highest bidder may seem tempting, but the risks far outweigh the potential benefits. The possibility of exposing sensitive data, facing compliance penalties, or harming your company’s reputation is not worth the seemingly easy fix of an online sale.

By partnering with a certified ITAD vendor like Securis, you can ensure your company meets its data security, environmental, and compliance obligations. Our team of experts will securely wipe your devices, recycle e-waste responsibly, and provide you with complete documentation to ensure compliance with industry regulations. When it comes to IT asset disposal, it’s better to be safe than sorry. Partner with a trusted ITAD provider to ensure your end-of-life IT equipment is disposed of securely, responsibly, and compliantly.

In IT Asset Disposition (ITAD), one thing is crystal clear: accuracy and efficiency are paramount. The slightest error can have significant repercussions when managing data-bearing devices, especially at the end of their lifecycle. That’s where Securis comes in, with an innovative solution to change the game: DriveSnap AI.  

At Securis, we’ve always been committed to setting the highest standards in data security and IT asset management. Inventory Management is a crucial part of this process. Our proprietary AI technology, DriveSnap AI, enhances every step, from inventory scanning to secure destruction, ensuring that your assets are tracked precisely and processed without delay. In IT Asset Management for Asset Disposition, accuracy and efficiency are critical for a solid chain of custody. Asset scanning is the first crucial step in this process.

The Challenge of Manual IT Asset Tracking

Traditionally, IT asset tracking relies heavily on manual processes. Technicians and clients often face the daunting task of scanning product labels, which can be highly confusing. A single asset label can include a variety of sequences—model numbers, part numbers, serial numbers, etc that need to be recorded correctly. Take, for example, an asset label with two different serial numbers. If a technician scans one serial number, and a client scans the other, how can you be sure which number is correct? 

Smaller devices like SD cards may not even have a bar code to scan. The serial number is often printed in such small text that it’s difficult to read, forcing technicians to enter it manually. This process is both time-consuming and prone to human error. Incorrect number entries or the wrong interpretation of complex labels can compromise the accuracy of asset tracking. This slows the process and can create discrepancies that complicate the chain of custody. The result is confusion, inefficiency, and potentially costly mistakes.

DriveSnap AI: Revolutionizing Asset Tracking

This is where Securis’ cutting-edge AI-powered technology makes all the difference. DriveSNap AI automates and streamlines the entire inventory scanning process. Once the scan is complete, the DriveSnap AI algorithm takes over. It intelligently processes the image, accurately identifying and separating the different asset identifiers and organizing the data clearly. There’s no more ambiguity, errors, or slowdowns caused by manual data entry. In fact, our reports are more than 99% accurate, which is well over the industry standard for ITAD, which is about 85%.  Also,  if questions arise later about an asset that was physically destroyed, the entire label has been captured, so all information on the label that no longer exists in physical form is forever preserved digitally. 

A standout feature of DriveSnap AI is its ability to capture high-resolution photos of HDD and SSD labels, oftentimes providing the sole photographic record of each asset before destruction. This capability offers clients unparalleled transparency and ensures accuracy throughout the ITAD process. These photos are archived alongside job documentation and integrated into a secure database, accessible in real-time through Securis’ client portal. Clients can instantly review these records, track assets as they are scanned, and resolve discrepancies such as data mismatches or incorrect barcode scans by cross-referencing archived photos. While the certificate of destruction serves as the official proof of secure data destruction, the photographic records offer an unmatched layer of accountability and precision, setting Securis apart as an industry leader.

Key Benefits of DriveSnap AI-Powered IT Asset Tracking

1. Increased Efficiency
   Our AI solution speeds up the entire asset-tracking process. Gone are the days of manually scanning, interpreting, and entering data. The technology does the heavy lifting, allowing technicians to focus on more critical tasks and improving overall workflow.
2. Reduced Human Error
   By eliminating manual data entry, the chances of misidentifying or mistyping serial numbers are drastically reduced. This leads to more accurate asset tracking, which is crucial for maintaining compliance and safeguarding data security.
3. Streamlined Workflows
   With our AI-powered system, every step of the asset tracking process—from scanning to data entry—is automated and optimized. This streamlined approach reduces bottlenecks and helps teams work more efficiently, reducing turnaround times.
4. Enhanced Compliance and Data Quality
   In ITAD, compliance isn’t just important; it’s non-negotiable. Our AI technology ensures that your data is always accurate, up-to-date, and consistent, making compliance with industry regulations simpler and less stressful.
5. A Reliable Chain of Custody
   Maintaining a secure, reliable chain of custody is critical to IT asset disposition. With AI-powered tracking, you can rest assured knowing that every asset is properly logged, tracked, and processed from start to finish. This provides you with greater transparency and peace of mind.

Why Choose Securis?

When your end-of-life IT Assets no longer exist because they have been destroyed or recycled, the only proof you have of what happened to them is the remaining inventory report. 

Our AI-powered asset-tracking technology is one of the many ways we’re redefining the industry, allowing you to experience a new level of efficiency, accuracy, and confidence in your IT inventory-tracking process.  Your Inventory report will be available within 3 business days and 24/7 after that on our client portal.  

Trust Securis for all your IT asset disposition needs and ensure your data is secure, your assets are accurately tracked, and your processes are more efficient than ever. Whether managing large volumes of devices or ensuring that every asset is handled securely, Securis has the expertise and tools to meet your needs.

The Sarbanes-Oxley Act of 2002 (SOX), primarily known for its stringent financial reporting and corporate governance regulations, also has significant implications for corporate data management practices. One of the often overlooked aspects of SOX is its relevance to data destruction, a crucial component in maintaining compliance with data integrity and security standards. Here, we highlight some best practices for SOX compliance, especially regarding end-of-life electronics, ensuring companies protect and dispose of sensitive information appropriately.

Understanding the Sarbanes-Oxley Act

SOX was enacted in response to major corporate scandals like Enron and WorldCom to increase transparency in financial reporting and hold companies accountable for their financial practices. Key provisions include:

• Enhanced financial disclosures
• Increased corporate responsibility
• Stricter penalties for fraudulent financial activity
• Enhanced internal controls and audit requirements

Data Destruction and SOX Compliance

While SOX does not explicitly mandate data destruction, its requirements for record retention and internal controls imply a structured approach to handling and disposing of data, especially financial records. Here’s how SOX influences data destruction:

1. Record Retention Requirements

SOX Section 802 sets stringent guidelines on the retention of financial records.

 Companies are required to maintain accurate and detailed records for a specified period. These guidelines require a clear policy for the retention and eventual destruction of records once they are no longer needed. The destruction of records must be managed carefully to ensure compliance with these retention schedules.

2. Internal Controls and Procedures

SOX Sections 302 and 404 require companies to establish robust internal controls to ensure the integrity of financial reporting. This includes controls over how data is archived and destroyed. Adequate internal controls should address the following:

• Identification of data that needs to be retained
• Secure storage methods
• Proper authorization for data destruction
• Documentation of the destruction process

Failure to properly manage data destruction could result in loss of critical records, leading to non-compliance and potential penalties.

3. Preventing Fraud and Data Tampering

The prevention of fraud and data tampering is a core objective of SOX. Inadequate data destruction practices can leave sensitive financial data vulnerable to unauthorized access or tampering. By implementing secure data destruction policies, companies can protect against data breaches and ensure that obsolete records are permanently destroyed, thereby upholding the integrity of their financial reporting.  Partnering with an experienced data destruction partner can increase this protection level and add another layer of protection to your process.  Securis recently completed an on-site shredding job for a financial services company.  They told us that all hard drives had been removed and that we could recycle the eight server cabinets.  We found 86 drives (72 SSDs and 14 Hard Drives) upon inspection.  We shredded the 86 drives, saving the company from what could have been an expensive breach.  The missed 86 drives represented 15% of the total destroyed drives.

Best Practices for Data Destruction Under SOX

To align data destruction practices with SOX requirements, companies should consider the following best practices:

1. Develop a Comprehensive Data Retention and Destruction Policy

Create a clear policy that outlines the following:

• Retention periods for different types of records
• Procedures for secure destruction of paper and electronic records
• Roles and responsibilities for managing the process

2. Implement Secure Destruction Methods

Ensure that data is destroyed using methods that make it unrecoverable. This includes:

• Shredding for physical documents
• Degaussing or overwriting for magnetic media
• Wiping, Shredding, or Disintegration of electronic data

3. Audit and Monitor Compliance

Regularly audit data destruction processes to ensure compliance with SOX and internal policies. Monitoring should include:

• Verification of destruction methods
• Documentation of destruction activities, including a certificate of destruction 
• Regular reviews of policies and procedures

4. Employee Training and Awareness

Educate employees on the importance of data destruction and their role in ensuring compliance. Training programs should cover:

• Legal Requirements for data storage and disposal
• Company policies and procedures for data storage and disposal 

Conclusion

The Sarbanes-Oxley Act’s impact on data destruction is a critical but often underappreciated aspect of compliance. Companies can comply with SOX requirements and enhance their overall data security posture by understanding and implementing effective data destruction practices. Ensuring that obsolete data is properly destroyed protects against potential fraud, data breaches, and non-compliance penalties, ultimately contributing to a company’s integrity and trustworthiness. Partnering with a secure and certified data destruction and IT recycling partner like Securis can ensure your compliance with SOX and many other compliance standards. 

If you’re ready to responsibly dispose of your company’s IT assets, contact Securis today. We’re here to help you protect your data, the environment, and your bottom line.

Smartphones are indispensable in our daily lives. We use them to stay connected, work remotely, navigate cities, track fitness goals, manage our finances, and capture cherished memories. According to Reviews.org, Americans check their phones 144 times daily and spend over four hours daily on them. But when it’s time to upgrade, most of us assume that a factory reset wipes everything clean. That assumption is not just wrong—it’s risky.

Why We Upgrade—and What Happens Next

As smartphone technology evolves rapidly, most people upgrade regularly. These old phones don’t just vanish—they’re often traded in, sold, or handed down to someone else. Before that happens, we typically perform a factory reset. But here’s the problem: a factory reset doesn’t entirely delete your data.

What Factory Reset Really Does (and Doesn’t Do)

Many users believe a factory reset protects their data. But that’s a misconception. A reset removes the pointers to your data—not the data itself. On the surface, the phone looks fresh and empty. In reality, your personal and corporate information still lives on the device.

In a 2015 study by Blancco Technology Group and Kroll Ontrack, researchers purchased over 120 used phones online. They found that 35% of those phones still contained recoverable data—including texts, emails, photos, and more.

“People think their data’s been destroyed, and really all you’re doing [with a factory reset] is removing the table of contents. The rest of the chapters of the book are sitting there waiting to be discovered.”   — Pat Clawson, CEO, Blancco Technology Group

Security Risks by Operating System

Apple iOS: Strongest Native Protection

Apple uses hardware-based encryption. After a factory reset, the encryption key is deleted, rendering the remaining data unreadable. While not infallible, this makes data recovery extremely difficult.

Android: Ongoing Vulnerabilities

Android devices—especially those powered by Qualcomm—are far more susceptible. That’s because they often store encryption keys in software rather than hardware. Once the key is exposed, data can be accessed. Recent attacks using brute-force tactics have compromised millions of Android phones.

Windows Phone: Easy Targets

A factory reset on a Windows Phone simply removes data pointers. The actual data remains intact and can be recovered with basic tools.

Mobile Data Erasure: The Secure Solution

Proper security comes from using software that meets NIST 800-88 standards for data sanitization. Mobile data erasure doesn’t just hide your data—it overwrites it, making it completely unrecoverable.

Benefits of Mobile Data Erasure:

• Overwrites all data multiple times
• Compliant with HIPAA, GDPR, CCPA, and other data regulations
• Generates proof of erasure through certification
• Can be performed on-site or remotely

Whether you’re an individual protecting personal data or an organization safeguarding proprietary or regulated information, certified mobile data erasure is the only reliable choice.

Securis offers professional mobile data erasure services at our NAID AAA-rated facilities. We’ve tested and vetted the top four software vendors, so you don’t have to guess what’s safe.

Physical Destruction: For When Erasure Isn’t Enough

When dealing with highly sensitive or classified data—like information created by federal agencies—a more aggressive method is required: NIST 800-88 Destroy.

What It Involves:

• Battery removal (to prevent fires)
• Physical shredding or disintegration

Shredding destroys the phone’s components and storage, making data recovery impossible. However, it also prevents the device from being reused or resold. That’s why it’s best reserved for high-risk cases. At Securis, Phones are not just shredded; they are disintegrated into pulp, ensuring nothing remains. Work with a certified R2v3 electronics recycler like Securis to reduce environmental impact.

Final Thoughts 

As smartphones become even more central to our lives, so do the risks of mishandling their data. A factory reset isn’t enough. If you’re serious about protecting sensitive personnel or professional information, don’t cut corners. Choose certified data erasure or physical destruction.

Need Help Disposing of Mobile Devices Securely?
Securis offers compliant, certified, and environmentally responsible smartphone data destruction. Contact us today to schedule a secure pickup or learn more.

Research for this article:

1) Privacy for Sale: A Study on Data Security in Used Mobile Devices & Hard Drives Blancco Technology Group and Kroll Ontrack, October 2015 

R2v3 is a comprehensive sustainability certification assuring the highest global electronics reuse and recycling standards.

In today’s fast-paced technological environment, businesses must effectively manage and dispose of outdated electronic assets, including computers, tablets, smartphones, and storage devices. This process, known as asset disposition, is essential for keeping equipment current while ensuring the safe and environmentally compliant handling of electronic waste (e-waste). Partnering with an R2v3-certified e-waste recycling company is the most secure and cost-effective approach to managing the inevitable IT refreshes that your company will need.

When evaluating potential providers for responsible e-waste disposal, verifying their claims regarding secure data destruction and environmentally friendly recycling practices is crucial. How can you know if they are being truthful? R2v3 certification is a reliable indicator that a vendor meets stringent requirements for electronics recycling and refurbishment. For some companies, R2v3 certification is a nice to-have feature, but Federal agencies are required to dispose of electronic assets in an environmentally responsible way as outlined in GSA Bulletin FMR B-34 Disposal of Federal Electronic Assets. FMR B-34 requires Federal Electronic Asset (FEA) recyclers to be R2 certified.

The R2v3 certification is not merely a management system but a comprehensive sustainability standard aimed at achieving positive outcomes in electronic waste management. As an R2v3 Certified Facility, we undergo independent audits to ensure compliance with the highest global electronics reuse and recycling standards. In addition, any services we perform nationwide via our mobile services adhere to the same strict standards, with all assets returned to our facility for responsible R2 certified recycling.

What is R2v3 Certification?

The Responsible Recycling (R2v3) certification is a globally acknowledged electronics recycling and refurbishment standard. Developed by Sustainable Electronics Recycling International (SERI), the R2v3 standard mandates that certified facilities adhere to strict environmental, health, safety, and data security protocols. It is the most widely adopted sustainability standard for electronics recycling and refurbishment, applicable to facilities of all sizes and locations.

What is the Difference between R2 and R2v3 Certification? 

R2 and R2v3 are both certifications for responsible electronics recycling, but R2v3 is the latest and more comprehensive version. R2 (Responsible Recycling) was initially developed in 2008 and has undergone several iterations. R2v3, released in 2020, is the most recent version of the standard. R2v3 expands on the original R2 standard with more stringent and detailed requirements in areas of data security, specialty processes, facility certification (R2v3 requires each individual facility to be certified independently, unlike previous versions that allowed multiple sites under one certification), strengthened environmental health and safety standards and heightened downstream tracking requirements. While R2 and R2v3 certifications aim to ensure responsible electronics recycling, R2v3 represents a significant upgrade with more comprehensive, flexible, and stringent requirements to address modern industry challenges and environmental concerns.

Benefits of Using an R2v3-Certified Recycler for IT Asset Disposition

Data Security and Compliance

One of the primary concerns in asset disposition is ensuring data security in ITAD. 

R2-certified e-waste recycling services must implement strict data security protocols to prevent breaches and unauthorized access to sensitive information. This includes documented processes for data sanitization tailored to various device types and sensitivity levels and access restriction to authorized personnel only. 

Certified facilities must maintain controls for data protection throughout the recycling process, including secure storage and handling of devices containing sensitive information. R2v3-certified recyclers must use robust media sanitization methods, such as data wiping, magnetic degaussing, and physical destruction, to thoroughly and irreversibly erase data from devices. In addition, they must adhere to specific time frames for performing this sanitization to minimize risks further.

R2v3 certification also ensures that recyclers have quality management systems (ISO 9001) and environmental management systems (ISO 14001) certifications. This helps companies avoid fines and legal issues associated with improper e-waste disposal.  It also provides peace of mind for the client, knowing that all regulatory requirements are met. SERI conducts spot inspections of R2 facilities, so ongoing compliance is assured.  

Assured Environmental Responsibility

Many companies have corporate social responsibility (CSR) considerations to fulfill. They must adhere to electronic waste disposal standards and e-waste legal regulations, ensuring that hazardous material disposal is properly managed. They must also implement best practices for recycling electronic waste that maximize material recovery and reuse, and minimize landfill use. Making headlines for illegally dumping electronic waste would have far-reaching reputational consequences for many companies. 

R2v3-certified companies must follow rigorous environmental practices to minimize the impact of e-waste and demonstrate responsible recycling practices and environmental responsibility in ITAD.  The R2 certification applies to environmental responsibility at the vendor facility. It extends environmental protections beyond the primary facility, requiring full tracking and documentation of e-waste as it moves through the recycling chain. This requires R2v3 certified vendors to ensure their downstream partners also adhere to strict e-waste recycling standards. Knowing that your vendor is R2v3 certified allows companies needing IT asset recycling and recovery to ensure they can increase ESG scores and fulfill CSR goals simply by working with a partner with this certification. 

Reputation and Trust

Partnering with an R2v3 certified recycler enhances a company’s reputation by demonstrating a commitment to responsible e-waste management. This builds trust with customers, stakeholders, and employees and aligns with corporate social responsibility (CSR) initiatives.  

R2v3 certification is not just earned once, annual audits are required as well as documentation of process improvements and updates to maintain certification, ensuring ongoing compliance and commitment to excellence in the field of  IT asset recycling and recovery.  These audits make sure that the R2v3 certified vendor is fulfilling all of the requirements of R2v3 certification on an ongoing basis, and that all workers are always properly trained on data security procedures. Internal data security audits are also required to assess conformance with customer requirements and R2v3 standards. In addition, certified vendors must stay updated on evolving data protection regulations and industry best practices. 

Partnering with R2v3-certified vendors demonstrates a commitment to sustainability and responsible business practices. This can lead to enhanced brand image and increased customer loyalty, as well the potential for attracting environmentally conscious investors to your company. 

R2v3 certification ensures safe and compliant ITAD processes

R2v3-certified companies follow standardized and transparent processes for e-waste management compliance. This includes thorough documentation and reporting, which is essential for auditing and tracking purposes. Strict chain of custody controls and downstream due diligence documentation is required, including the tracking of all electronic materials from receipt to final disposition, documentation of downstream recycling partners and their practices as well as verification of final material disposition. 

In addition, Organizations that achieve an R2v3 certification must establish a comprehensive management system that includes policies and procedures covering all aspects of operations, including the implementation of safety measures to protect workers from hazards and proper training on the safe handling of materials and equipment.

The following records and reports must also be maintained:

• Inventory tracking records
• Inbound and outbound shipment documentation
• Data sanitization and destruction records
• Testing and auditing device records
• Training records
• Internal audit reports
• Corrective action records
• Facility inspection reports
• Accident and incident reports
• Management review meeting minutes
• Customer complaints and feedback
• Supplier evaluation records
• Equipment calibration and maintenance logs

By maintaining thorough documentation and reporting systems across these areas, organizations demonstrate their adherence to R2v3 standards and maintain certification. The process requires meticulous record-keeping and a commitment to transparency throughout all operations related to electronic recycling and data destruction.

Economic Benefits

By partnering with an R2v3-certified recycler, companies can also realize economic benefits. R2v3 certified recyclers must efficiently recover valuable materials from e-waste, which can be refurbished and resold, thus reducing the overall cost of asset disposition. Having an R2v3 certification supports a circular economy, meaning that a vendor will ensure that all devices are used as long as possible, and then when devices can no longer be used, refurbish electronic devices and their components wherever possible. At the true end of life, a circular economy means recovering materials so they can become part of something new, whether that’s a new electronic device or something entirely different.  

R2v3-certified vendors adhere to stringent data security and environmental standards, which helps minimize legal and financial risks for their business partners. This can lead to lower insurance costs, reduced risk of data breaches and associated penalties, and minimized environmental liability for your company.  

R2v3 certified vendors often have more efficient processes for handling end-of-life electronics, resulting in lower disposal costs for old IT equipment, potential revenue or rebates from the resale of refurbished devices, and reduced expenses related to data destruction and environmental compliance. 

In addition, R2v3 certification ensures that vendors are up-to-date with the latest regulations. This helps businesses avoid costly fines and penalties, streamline compliance efforts, and reduce the resources needed for regulatory management. 

Conclusion – Enhance Your Brand Reputation With R2v3-certified E-waste Recycling

In an era where sustainability, data security, and e-waste regulatory compliance are paramount, choosing an R2v3-certified e-waste recycling company for asset disposition is a smart and responsible decision. Responsible ITAD vendor selection ensures the secure and environmentally responsible handling of electronic assets, reinforces a company’s commitment to ethical practices, and enhances its reputation. The R2v3 standard is regularly updated to address evolving industry needs and challenges. By partnering with an R2v3-certified recycler, your company can confidently manage its e-waste, knowing it complies with industry standards and contributes to a more sustainable future. 

R2v3 isn’t just a data security, OR environmental, OR worker health and safety standard. It is an electronics sustainability standard, which means it is a data security standard, AND an environmental standard, AND a standard that protects worker health and safety. That means when you choose an R2v3 Certified Facility like Securis, you check many boxes in your ITAD vendor selection process.

Key Factors in Choosing a Secure and Responsible IT Asset Disposition (ITAD) Partner

In today’s rapidly evolving technological landscape, responsible e-waste management has become a critical concern for businesses of all sizes. As organizations regularly refresh their IT assets, partnering with a reliable and certified IT Asset Disposition (ITAD) vendor to sanitize and recycle e-waste is essential to ensure security, accuracy, and sustainability throughout the electronics recycling and disposal process. This blog post will explore key factors when selecting a responsible e-waste recycling partner who can provide sustainable e-waste recycling solutions.

What is IT Asset Disposition (ITAD)?

IT Asset Disposition is the process of securely and responsibly disposing of end-of-life IT equipment such as computers, tablets, smartphones, and storage devices. Since these devices often contain sensitive information and hazardous materials, proper disposal is crucial for data security and environmental protection.  So, how do you choose a responsible e-waste recycler who can ensure the safe and eco-friendly disposal of old electronics? Read on. 

Critical Considerations for Choosing an IT Asset Disposition Partner

 

Security

Electronic devices often contain sensitive information. A responsible e-waste partner should have robust data destruction processes to ensure your data is securely erased or destroyed. Look for partners who:

• Can evaluate end-of-life equipment with a thorough understanding of data sensitivity and a plan for media sanitization and destruction when required
• Employs data erasure and destruction methods that meet or exceed state and national standards (e.g., NIST 800-88)
  • Your partner should offer data wiping to purge standards, allowing for the safe re-use of some assets
  • Your partner should offer degaussing equipment that meets NSA standards
  • Your partner should offer hard drive shredding equipment on the NSA-approved list that can disintegrate sensitive data to 2mm particles
• Hold up-to-date industry standard certifications such as:
  • ISO 14001: This standard specifies requirements for an effective environmental management system (EMS), indicating the recycler’s commitment to minimizing environmental impact
  • ISO 9001:2015:  An internationally recognized standard for quality management systems (QMS)
  • ISO 45001: An international standard that specifies requirements for an occupational health and safety (OH&S) management system
• Maintain NAID AAA certification for both mobile and plant-based operations
• Offer compliance with regulations based on your industry
  • HIPPA, HITECH, OSHA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, FACTA Disposal Rule, FERPA, etc.
• Offer GPS-monitored transportation 
• Allow witnesses for data destruction

Accuracy

Transparency is a crucial indicator of a responsible e-waste partner. Ideally, an ITAD partner should provide comprehensive and accurate reporting for the entire chain of custody. Ensure your chosen vendor:

• Offers a detailed audit trail for all processed assets from initial collection to final processing.
• Provides greater than 99% accurate reporting on each asset
• Issues certificates of destruction upon completion
• Makes documentation available online for easy access
• Offers weight and LEED reporting
• Implements two-step verification of captured data

Sustainability

E-waste contains hazardous materials such as lead, mercury, and cadmium, which can contaminate soil and water if not handled correctly. Additionally, e-waste often contains valuable materials like gold, silver, and copper that can be recovered and reused. Responsible and ethical e-waste management ensures these materials are properly processed, reducing environmental harm and conserving natural resources. Your ITAD partner should:

• Hold an R2v3 certification to prove their responsible recycling practices: The R2v3 standard focuses on environmental, health, safety, and data security practices, ensuring e-waste is processed responsibly. If a vendor has this certification, you can be sure that they have met a high standard for recycling, not just in the facility but also for any additional downstream processing. In addition, spot checks from SERI ensure that your vendor continues to comply with these rigorous certification standards
• Prioritize reuse and employ environmentally friendly practices for assets that must be recycled
• Verify the vendor can ensure that electronics are responsibly reused or recycled at every step in the downstream recycling process
• Maximize value recovery through resale or reuse of sanitized assets
• Offer a transparent revenue-sharing model
• Suports Donation Programs

• Bonus: Increase your ESG goals further by partnering with a company that has programs that support local communities, such as providing job opportunities for disabled workers or hosting community e-wase recycling events

Additional Considerations

Beyond security, accuracy, and sustainability, consider the following factors. 

• Does your vendor have a Certified Secure Destruction Specialist® (CSDS®) on staff? 
• Is the vendor capable of handling your specific asset types and volumes?
• Do they provide end-to-end logistics?
• Do they have choices for on/off-site data destruction?
• Do they offer flexibility in tailoring services to your needs?
• Are there convenient collection services such as secure onsite collection bins or storm cases that can be sent through the mail?
• Do options such as mobile service allow service at your site or facility, enabling you to witness the entire process?
• Do they have restrictive or hard-to-break service contracts? 
• Is there evidence that the vendor uses ethical practices to ensure safe working conditions and fair employee labor practices?
• Does online customer feedback provide insights into the reliability and reputation of the e-waste partner? Look for online reviews on platforms like Google Reviews, Yelp, or on industry-specific forums, check testimonials or references that the vendor might provide upon request 

• Experience: How long has the vendor been in business?  Do they have a strong record of experience in the industry?

Conclusion

Selecting a responsible e-waste partner is a critical decision that impacts your organization’s security, compliance, and environmental footprint. By carefully evaluating potential ITAD vendors based on the criteria outlined above, you can ensure a secure, accurate, and sustainable IT asset disposition process. Remember, the right partner will not only protect your sensitive data but also contribute to a more sustainable future for our planet

What is the Gramm-Leach-Bliley Act?

Financial Institutions must comply with information security and privacy regulations when they retire end-of-life computers, networking devices, servers, phones, and tablets. This article explains one of those compliance standards, the Gramm-Leach-Bliley Act (GLBA). By working with the right IT Asset Disposition Partner, your company can reduce the risk of a breach like the one that occurred at Morgan Stanley and comply with GLBA and other compliance standards. The GLBA, enacted in 1999, primarily focuses on protecting consumer financial information held by financial institutions. It includes provisions to safeguard sensitive data and mandates specific requirements for data destruction as part of its broader privacy and security framework.

The GLBA, also known as the Financial Services Modernization Act, has three main components:

1. The Financial Privacy Rule: Governs the collection and disclosure of consumers’ personal financial information by financial institutions.
2. The Safeguards Rule: Requires financial institutions to implement security measures to protect customer information.
3. The Pretexting Provisions: Protect consumers from individuals who obtain personal information under false pretenses.

Data Destruction under the GLBA

While the GLBA does not have explicit data destruction requirements, its mandates imply the need for proper disposal of consumer information to prevent unauthorized access and ensure data security. The critical consideration here is the Safeguards Rule, which focuses on maintaining customer information’s confidentiality, integrity, and security.

The Safeguards Rule

The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. “According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).”1  The rule compels financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. Data destruction is an integral part of this security program. Here’s how the Safeguards Rule translates into data destruction requirements:

Key Points of the Safeguards Rule

1. Comprehensive Security Program:
   • Financial institutions must develop, implement, and maintain a written comprehensive information security program that includes administrative, technical, and physical safeguards.
2. Risk Assessment:
   • Institutions must conduct risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their customer information.
   • This includes risks in the storage, processing, and disposal of information.
3. Design and Implementation of Safeguards:
   • Based on the risk assessment, institutions must design and implement safeguards to control the identified risks.
   • This includes developing policies and procedures to ensure secure data handling and disposal practices. Choosing the right data destruction partner can critically influence these safeguards. 
4. Regular Testing and Monitoring:
   • Institutions must regularly test and monitor the effectiveness of their safeguards.
   • This includes periodic review and adjustment of data destruction practices to ensure they mitigate identified risks effectively.

Third-Party Management:

Ensure third-party service providers handling data destruction can safeguard customer information by following GLBA requirements. This includes due diligence in selecting vendors, 3rd party risk assessments, and agreements specifying data destruction standards.

Documentation and Audit Trails:

Maintain documentation of data destruction activities, including the types of data destroyed or overwritten, methods used, and verification of destruction.  This information should be readily available for audit in your IT Asset Management system or the portal of your ITAD vendor.   This audit trail can be reviewed to ensure compliance with the Safeguards Rule. In addition to an audit, ensure you receive a Certificate of Destruction from a certified IT asset disposition vendor. 

Incident Response:

Develop an incident response plan for addressing and mitigating any breaches related to data destruction.  If an IT asset goes missing, it should be investigated.   IT Asset Management best practices allow organizations to understand where assets are at all times.  Ensuring all assets are logged and inventoried and that records are kept current will allow you to examine where an asset was lost if it cannot be accounted for later.  

Incident response should include procedures for investigating and remediating instances where your IT Department or ITAD vendor did not follow best practices for data sanitization or destruction.

Conclusion

The Gramm-Leach-Bliley Act’s emphasis on protecting consumer financial information inherently requires robust data destruction practices. Through the Safeguards Rule, the GLBA mandates financial institutions to establish or procure comprehensive security programs that include secure data disposal. Working with an experienced and certified ITAD partner like Securis, financial institutions can safeguard sensitive information, maintain consumer trust, protect shareholders, and ensure regulatory compliance. 

 

1  https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Finding Balance Between Information Security and Sustainability

Electronic waste disposal (e-waste) has become a pressing issue in today’s technology-driven world. E-waste, which includes discarded electronic devices like computers, smartphones, and other data-bearing equipment, presents significant sustainability, budgetary, and data security challenges.  According to the EPA, only 12.5 percent of U.S. E-waste is properly recycled. E-waste represents just 2 percent of America’s waste in landfills but makes up 70 percent of overall toxic waste.

Companies and government entities must balance the need to comply with data security regulations and dispose of e-waste in the least ecologically damaging way possible while managing their budgets by avoiding exorbitant disposal costs. Organizations that focus too much on information security will likely blow out their budgets and won’t meet their sustainability goals.   Organizations that focus too much on sustainability or cost could create a situation where they have a significant data breach.

An Information Technology Asset Disposition (ITAD) company that employs Certified Secure Data Destruction Specialists (CSDS) can ask you questions about your requirements and help you determine the most effective method of computer recycling.

Data Security

Data security is a paramount concern when disposing of e-waste. Electronic devices often contain sensitive personal and corporate information that, if improperly handled, can lead to data breaches and identity theft.   Technology is constantly changing, and our teams regularly find data on company devices that their IT teams miss.  Working with an expert service provider meets the best practice of separation of duty and provides a double check to your IT teams.

Ensuring that data is irretrievably destroyed before reuse or recycling is crucial. For example, Morgan Stanley was fined 100 Million dollars after hiring a company with no experience or expertise in data destruction to decommission thousands of hard drives and servers.   In addition a Healthcare Provider in Maine exposed the medical record of 100,000 citizens because of improper data sanitization practices. ITAD vendors that employ CSDS and are NAID AAA Certified can help your organization comply with security best practices.

Disposal Costs

The cost of e-waste disposal can be a significant barrier for many organizations. Balancing the financial aspect of e-waste management with the need for data security and environmental protection is a top priority for many organizations.   Organizations who evaluate price alone could risk fines, their reputation, and future stock valuation.

Cost-Effective Disposal Solutions:

1. Bulk Disposal Discounts: Organizations can negotiate bulk disposal agreements and long-term contracts with certified recyclers to reduce per-unit costs.

2. Resale: Thoroughly sanitized servers and drives can be resold, reducing the volume of e-waste and offsetting disposal costs through a value recovery program

Conclusion:

In summary, balancing data security, environmental concerns, and disposal costs requires partnering with an industry leader that ensures secure and environmentally sound computer recycling processes while offering cost-effective solutions. Vendors with industry certifications in data destruction and environmentally friendly recycling and a robust value recovery program, are best positioned to help advise your organization on asset management best practices and effectively dispose of IT Assets.