Is Your Smartphone Data Safe after a Factory Reset?

Smartphones have become indispensable in our daily lives, revolutionizing how we communicate, work, and navigate the world. They allow us to stay connected with loved ones through calls, messages, and social media; access information instantly, from news to directions; manage our schedules and boost productivity; capture and share life’s moments through photos and videos; entertain ourselves with games, movies, and music; and even monitor our health and fitness goals. According to a survey from Reviews.org, Americans check their phones an average of 144 times a day and spend four hours and 25 minutes daily on their phones. It’s safe to say these devices are firmly entrenched in our lives. Yet we don’t think much about what happens to the data on these phones when we upgrade. Does a factory reset erase all of our data, as we assume it will? Read on to find out.

The Upgrade Cycle

Because mobile devices have become such an essential part of most people’s lives, most people will likely upgrade frequently as technology advances and new features are added. What happens to the millions of phones that are no longer wanted? Sometimes, they are traded for credit towards a new device, and then those devices are sold on the secondary market. Sometimes, they get passed on to friends or relatives. We do this after performing a factory reset that we believe wipes all data from the phone, but that belief is mistaken, and a factory reset can still leave us vulnerable. When it comes to organizations, failing to eliminate data from company mobile devices properly can result in severe financial and reputational consequences.

The Limitations of Factory Reset

Many users believe performing a factory reset is sufficient to protect their data when disposing of an old smartphone. However, this common misconception can lead to significant privacy and security risks. Most people don’t know that a factory reset only removes the pointers to data, not the data itself. The device may appear on the surface to be new and clean. However, skilled individuals can still recover “deleted” information remaining in the device’s internal storage and on external secure digital (SD) cards using specialized software. In a 2015 study, Blancco Technology Group and Kroll Ontrack purchased over 120 second-hand drives and mobile devices from Amazon, eBay, and Gazelle to determine if residual data could be recovered after they were resold. Of the mobile devices studied, 35% had residual data. So, the sensitive and personal data you think you responsibly removed may remain accessible to future device owners. This vulnerability highlights the need for more robust data protection measures when upgrading or disposing of your smartphone, especially when these devices contain private company information.

“People think their data’s been destroyed, and really all you’re doing [with a factory reset] is removing the table of contents. The rest of the chapters of the book are sitting there waiting to be discovered.”   — Pat Clawson, CEO, Blancco Technology Group

Security Limitations by OS

Apple iOS: The safest option. Apple uses sophisticated encryption to render any data left on the device after a factory reset unreadable.

Android:  Android continues to experience significant security limitations. Most recently, media reports indicate hackers have used brute force attacks to break into tens of millions of Android devices thanks to a series of security issues linked to Android kernel flaws and Qualcomm processors. Unlike iOS, Qualcomm-powered devices store the encryption key in software, which leaves them vulnerable. Once a hacker has the key, all data can be unlocked.

Windows Phone: When performing a factory reset on a Windows Phone, the pointers to the data are removed, but the data itself remains intact, making it easy for someone with easy-to-use data recovery software to recover the data.

Blackberry: The BlackBerry factory reset only eliminates the pointers to the phone’s data; it does not overwrite it. The company currently does not turn on encryption by default.

Mobile Data Erasure: A Secure Alternative

Mobile data erasure presents a superior solution for those seeking a more secure option to protect sensitive information. With Mobile Phone Data Erasure, all data – both personal and corporate – is overwritten, erased, overwritten again, and certified as unrecoverable to anyone else.
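The difference between removing pointers and overwriting data, shown as an added example that is not part of the original article. It is a toy Python model: ToyStorage, factory_reset, overwrite_erase and erasure_record are hypothetical names, and the contact record and device ID are constructed.

```python
import hashlib
import os

BLOCK_SIZE = 16                  # bytes per block in this toy model (constructed value)
ZERO_BLOCK = bytes(BLOCK_SIZE)   # what a verified-erased block must contain
SAMPLE_RECORD = b"Alice Example;+1-555-0100;alice@example.com"  # constructed sample data


class ToyStorage:
    """Logical block device plus a file table of 'pointers' (name -> block numbers).

    Limitation of the model: it covers logical blocks only. Real flash devices
    may hold data in areas a logical overwrite does not reach.
    """

    def __init__(self, num_blocks):
        self.blocks = [ZERO_BLOCK] * num_blocks
        self.file_table = {}

    def write_file(self, name, data):
        in_use = {i for idxs in self.file_table.values() for i in idxs}
        free = [i for i in range(len(self.blocks)) if i not in in_use]
        chunks = [data[o:o + BLOCK_SIZE] for o in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(free):
            raise ValueError("not enough free blocks")
        for idx, chunk in zip(free, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.file_table[name] = free[:len(chunks)]


def factory_reset(storage):
    """Remove only the pointers: the file table is emptied, the blocks are untouched."""
    storage.file_table.clear()


def overwrite_erase(storage):
    """Overwrite every block twice: a random pass, then a zero pass that can be verified."""
    for i in range(len(storage.blocks)):
        storage.blocks[i] = os.urandom(BLOCK_SIZE)
    for i in range(len(storage.blocks)):
        storage.blocks[i] = ZERO_BLOCK


def residual_blocks(storage):
    """Return the numbers of all blocks that still hold non-zero content."""
    return [i for i, block in enumerate(storage.blocks) if block != ZERO_BLOCK]


def erasure_record(storage, device_id, method):
    """Verify the whole device and build the record an erasure certificate would rest on."""
    residual = residual_blocks(storage)
    return {
        "device_id": device_id,
        "method": method,
        "blocks_checked": len(storage.blocks),
        "residual_blocks": residual,
        "verified": not residual,
        "image_sha256": hashlib.sha256(b"".join(storage.blocks)).hexdigest(),
    }


def demo():
    storage = ToyStorage(num_blocks=8)
    storage.write_file("contacts.db", SAMPLE_RECORD)

    # Pointer removal: the device lists no files, yet verification fails.
    factory_reset(storage)
    after_reset = erasure_record(storage, "DEVICE-PLACEHOLDER", "factory_reset")
    leftover = b"".join(storage.blocks[i] for i in after_reset["residual_blocks"])

    # Overwrite erasure: every block is rewritten and verification passes.
    overwrite_erase(storage)
    after_erase = erasure_record(storage, "DEVICE-PLACEHOLDER", "overwrite")
    return after_reset, leftover, after_erase


if __name__ == "__main__":
    reset_rec, leftover, erase_rec = demo()
    print("after factory reset:", reset_rec["verified"], reset_rec["residual_blocks"])
    print("content still in blocks:", leftover.rstrip(b"\x00"))
    print("after overwrite erase:", erase_rec["verified"], erase_rec["residual_blocks"])
```
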

Benefits of Mobile Data Erasure:

  • Overwrites all data on the device, making recovery virtually impossible
  • Complies with various data protection regulations
  • Provides certification of erasure for peace of mind
  • It can be performed remotely or on-site 

Organizations can use mobile data erasure techniques to ensure that their employees’ personal information, financial data, and other sensitive content on their mobile phones are irrecoverable. Securis offers mobile data erasure services that can be performed onsite at your offices or our NAID AAA-rated facilities. 

In conclusion, as smartphones continue to play an increasingly vital role in our lives, it’s essential to consider the security implications of upgrading or disposing of these devices. While factory resets may seem sufficient, they leave users vulnerable to potential data breaches. By opting for more secure methods like mobile data erasure, we can enjoy the benefits of smartphone technology while protecting our privacy and security in the digital age.

Research for this article:
1) Privacy for Sale: A Study on Data Security in Used Mobile Devices & Hard Drives, Blancco Technology Group and Kroll Ontrack, October 2015

Why choose an R2v3-certified e-waste Recycling Company for ITAD?

R2v3 is a comprehensive sustainability certification assuring the highest global electronics reuse and recycling standards.

In today’s fast-paced technological environment, businesses must effectively manage and dispose of outdated electronic assets, including computers, tablets, smartphones, and storage devices. This process, known as asset disposition, is essential for keeping equipment current while ensuring the safe and environmentally compliant handling of electronic waste (e-waste). Partnering with an R2v3-certified e-waste recycling company is the most secure and cost-effective approach to managing the inevitable IT refreshes that your company will need. 

When evaluating potential providers for responsible e-waste disposal, verifying their claims regarding secure data destruction and environmentally friendly recycling practices is crucial. How can you know if they are being truthful? R2v3 certification is a reliable indicator that a vendor meets stringent requirements for electronics recycling and refurbishment. This certification is not merely a management system but a comprehensive sustainability standard aimed at achieving positive outcomes in electronic waste management. As an R2v3 Certified Facility, we undergo independent audits to ensure compliance with the highest global electronics reuse and recycling standards.

What is R2v3 Certification?

The Responsible Recycling (R2v3) certification is a globally acknowledged electronics recycling and refurbishment standard. Developed by Sustainable Electronics Recycling International (SERI), the R2v3 standard mandates that certified facilities adhere to strict environmental, health, safety, and data security protocols. It is the most widely adopted sustainability standard for electronics recycling and refurbishment, applicable to facilities of all sizes and locations.

What is the Difference between R2 and R2v3 Certification? 

R2 and R2v3 are both certifications for responsible electronics recycling, but R2v3 is the latest and more comprehensive version. R2 (Responsible Recycling) was initially developed in 2008 and has undergone several iterations. R2v3, released in 2020, is the most recent version of the standard. R2v3 expands on the original R2 standard with more stringent and detailed requirements in areas of data security, specialty processes, facility certification (R2v3 requires each individual facility to be certified independently, unlike previous versions that allowed multiple sites under one certification), strengthened environmental health and safety standards and heightened downstream tracking requirements. While R2 and R2v3 certifications aim to ensure responsible electronics recycling, R2v3 represents a significant upgrade with more comprehensive, flexible, and stringent requirements to address modern industry challenges and environmental concerns.

“R2 Certification is what separates self-made claims by companies from those that have been audited and verified to actually be doing the right things. That’s a big difference, and it is what the world has come to value in R2-certified facilities.” – Corey Dehmey, CEO of SERI

Benefits of Using an R2v3-Certified Recycler for IT Asset Disposition

Data Security and Compliance

One of the primary concerns in asset disposition is ensuring data security in ITAD.

R2-certified e-waste recycling services must implement strict data security protocols to prevent breaches and unauthorized access to sensitive information. This includes documented processes for data sanitization tailored to various device types and sensitivity levels and access restriction to authorized personnel only. 

Certified facilities must maintain controls for data protection throughout the recycling process, including secure storage and handling of devices containing sensitive information. R2v3-certified recyclers must use robust media sanitization methods, such as data wiping, magnetic degaussing, and physical destruction, to thoroughly and irreversibly erase data from devices. In addition, they must adhere to specific time frames for performing this sanitization to minimize risks further.

R2v3 certification also ensures that recyclers have quality management systems (ISO 9001) and environmental management systems (ISO 14001) certifications. This helps companies avoid fines and legal issues associated with improper e-waste disposal.  It also provides peace of mind for the client, knowing that all regulatory requirements are met. SERI conducts spot inspections of R2 facilities, so ongoing compliance is assured.  

Assured Environmental Responsibility

Many companies have corporate social responsibility (CSR) considerations to fulfill. They must adhere to electronic waste disposal standards and e-waste legal regulations, ensuring that hazardous material disposal is properly managed. They must also implement best practices for recycling electronic waste that maximize material recovery and reuse, and minimize landfill use.

R2v3-certified companies must follow rigorous environmental practices to minimize the impact of e-waste and demonstrate responsible recycling practices and environmental responsibility in ITAD.  The R2 certification applies to environmental responsibility at the vendor facility. It extends environmental protections beyond the primary facility, requiring full tracking and documentation of e-waste as it moves through the recycling chain. This requires R2v3 certified vendors to ensure their downstream partners also adhere to strict e-waste recycling standards. Knowing that your vendor is R2v3 certified allows companies needing IT asset recycling and recovery to ensure they can increase ESG scores and fulfill CSR goals simply by working with a partner with this certification. 

Reputation and Trust

Partnering with an R2v3 certified recycler enhances a company’s reputation by demonstrating a commitment to responsible e-waste management. This builds trust with customers, stakeholders, and employees and aligns with corporate social responsibility (CSR) initiatives.

R2v3 certification is not just earned once. Annual audits are required, as well as documentation of process improvements and updates, to maintain certification, ensuring ongoing compliance and commitment to excellence in the field of IT asset recycling and recovery. These audits make sure that the R2v3 certified vendor is fulfilling all of the requirements of R2v3 certification on an ongoing basis, and that all workers are always properly trained on data security procedures. Internal data security audits are also required to assess conformance with customer requirements and R2v3 standards. In addition, certified vendors must stay updated on evolving data protection regulations and industry best practices.

Partnering with R2v3-certified vendors demonstrates a commitment to sustainability and responsible business practices. This can lead to enhanced brand image and increased customer loyalty, as well as the potential for attracting environmentally conscious investors to your company.

“R2 sets a high bar for facilities who process used electronics for reuse and recycling. It’s comprehensive, including best practices for protecting the environment, data, the health and safety of workers, and communities all around the world. That’s why customers can feel confident working with R2 Certified partners will help support critical internal ESG, data security, and sustainability goals.”  – Mike Easterbrook, Chief of Global Standards

R2v3 certification ensures safe and compliant ITAD processes

R2v3-certified companies follow standardized and transparent processes for e-waste management compliance. This includes thorough documentation and reporting, which is essential for auditing and tracking purposes. Strict chain of custody controls and downstream due diligence documentation are required, including the tracking of all electronic materials from receipt to final disposition, documentation of downstream recycling partners and their practices, as well as verification of final material disposition.

In addition, organizations that achieve an R2v3 certification must establish a comprehensive management system that includes policies and procedures covering all aspects of operations, including the implementation of safety measures to protect workers from hazards and proper training on the safe handling of materials and equipment.

The following records and reports must also be maintained:

  • Inventory tracking records
  • Inbound and outbound shipment documentation
  • Data sanitization and destruction records
  • Testing and auditing device records
  • Training records
  • Internal audit reports
  • Corrective action records
  • Facility inspection reports
  • Accident and incident reports
  • Management review meeting minutes
  • Customer complaints and feedback
  • Supplier evaluation records
  • Equipment calibration and maintenance logs

By maintaining thorough documentation and reporting systems across these areas, organizations demonstrate their adherence to R2v3 standards and maintain certification. The process requires meticulous record-keeping and a commitment to transparency throughout all operations related to electronic recycling and data destruction.

Economic Benefits

By partnering with an R2v3-certified recycler, companies can also realize economic benefits. R2v3 certified recyclers must efficiently recover valuable materials from e-waste, which can be refurbished and resold, thus reducing the overall cost of asset disposition. Having an R2v3 certification supports a circular economy, meaning that a vendor will ensure that all devices are used as long as possible, and then when devices can no longer be used, refurbish electronic devices and their components wherever possible. At the true end of life, a circular economy means recovering materials so they can become part of something new, whether that’s a new electronic device or something entirely different.

R2v3-certified vendors adhere to stringent data security and environmental standards, which helps minimize legal and financial risks for their business partners. This can lead to lower insurance costs, reduced risk of data breaches and associated penalties, and minimized environmental liability for your company.  

R2v3 certified vendors often have more efficient processes for handling end-of-life electronics, resulting in lower disposal costs for old IT equipment, potential revenue or rebates from the resale of refurbished devices, and reduced expenses related to data destruction and environmental compliance. 

In addition, R2v3 certification ensures that vendors are up-to-date with the latest regulations. This helps businesses avoid costly fines and penalties, streamline compliance efforts, and reduce the resources needed for regulatory management. 

Conclusion – Enhance Your Brand Reputation With R2v3-certified E-waste Recycling

In an era where sustainability, data security, and e-waste regulatory compliance are paramount, choosing an R2v3-certified e-waste recycling company for asset disposition is a smart and responsible decision. Responsible ITAD vendor selection ensures the secure and environmentally responsible handling of electronic assets, reinforces a company’s commitment to ethical practices, and enhances its reputation. The R2v3 standard is regularly updated to address evolving industry needs and challenges. By partnering with an R2v3-certified recycler, your company can confidently manage its e-waste, knowing it complies with industry standards and contributes to a more sustainable future. 

R2v3 isn’t just a data security, OR environmental, OR worker health and safety standard. It is an electronics sustainability standard, which means it is a data security standard, AND an environmental standard, AND a standard that protects worker health and safety. That means when you choose an R2v3 Certified Facility like Securis, you check many boxes in your ITAD vendor selection process.

Top IT Asset Disposition (ITAD) Companies

Finding the top IT Asset Disposition (ITAD) companies can be challenging. This regularly updated list has been designed to help you identify the best options for your company based on some key factors. First, we discuss the factors to consider when choosing your ITAD partner, and we have a longer blog on that subject here. Then, we will provide a list of ITAD providers that you can choose from to find the best partner to meet your organization’s specific IT asset disposition needs. When making your final decision, consider scheduling consultations with multiple providers to assess their specific offerings and how well they align with your organization’s priorities regarding data security, environmental impact, and cost. 

What is ITAD?

ITAD is short for IT asset disposition. ITAD is the process every company must go through when refreshing IT assets such as computers, tablets, smartphones, and storage devices. Because these devices often contain sensitive information and environmentally hazardous materials, disposal of end-of-life electronics is not as simple as throwing them in the trash. ITAD vendors should bring Security, Accuracy, and Sustainability to your IT asset disposition process. Here are some questions to ask as you are assessing your various options:

Security

When selecting an ITAD vendor, security should be a top priority. A reputable vendor should provide comprehensive security measures addressing every aspect of the asset disposition process. This begins with a thorough evaluation of end-of-life equipment to inform decision-making about which data erasure and/or destruction methods should be employed and should extend to considerations such as transportation and logistics.

Certifications such as ISO 9001:2015, ISO 14001:2015, ISO 45001:2018, and NAID AAA certification for mobile and plant-based facilities can also inform an ITAD vendor’s commitment to data security. Compliance with industry-specific regulations is also important. You should be aware of data destruction-related regulations specific to your industry, such as HIPAA, HITECH, Gramm-Leach Bliley, CMMC, etc., and be sure that your ITAD vendor complies with them.

The vendor should also be open to arranging site visits, talking with their references, and allowing you to assess their logistic and security requirements firsthand. Employee screening is another critical aspect of security. A trustworthy vendor will conduct thorough background checks on their employees, including fingerprinting and drug testing, and provide ongoing, intensive security training. These measures help ensure that reliable, well-trained professionals handle your sensitive data and assets throughout the disposition process.

Accuracy

A reputable ITAD vendor should provide comprehensive and accurate reporting on all processed assets. This includes maintaining a detailed audit trail that tracks each asset from when it enters its custody until its final disposition. While the industry average accuracy in ITAD reporting is 85%, you should look for a vendor who can exceed this number and provide highly accurate reporting, ideally with greater than 99% precision. To ensure the utmost accuracy in data capture, the vendor should implement a two-step verification process for all captured data, minimizing the risk of errors or discrepancies. After the asset disposition process, the vendor should furnish a certificate of destruction. This document is official proof that the assets have been properly disposed of and that any data contained within has been securely destroyed. 

In addition to basic asset tracking, a top-tier IT asset disposition vendor will go above and beyond by providing weight and LEED (Leadership in Energy and Environmental Design) reporting. This information is valuable for organizations looking to quantify their environmental impact and potentially earn credits for sustainable practices. 

Finally, the vendor should offer a client portal to empower clients with full visibility into their asset disposition process. This portal should provide unlimited access to inventory reporting, allowing clients to review asset status, track progress, and generate reports as needed. Such a feature demonstrates the vendor’s commitment to transparency and client empowerment while streamlining their customers’ asset management process.

Sustainability 

When selecting an ITAD vendor, it’s crucial to prioritize sustainability and environmental responsibility. The ideal ITAD partner should prioritize sustainability through a two-pronged approach. First, they should focus on extending the life of IT assets through refurbishment and reuse whenever possible. This approach not only benefits the environment by extending the lifecycle of IT equipment and contributing to a circular economy but also provides financial advantages to your company. Second, for assets that cannot be reused, the vendor should employ environmentally friendly disposal methods that minimize the impact on ecosystems. 

A reputable vendor should hold certifications such as R2v3, which ensure adherence to responsible recycling practices and environmental standards. These certifications have rigorous requirements, demonstrate the vendor’s commitment to sustainable ITAD processes, and assure that they follow industry best practices. R2v3 certification ensures comprehensive environmental compliance, including agreements with all downstream vendors to dispose of sensitive materials properly and prevent environmental harm in vulnerable regions due to unethical e-waste recycling practices.

Additional considerations

In addition to security, accuracy, and sustainability, other considerations exist when choosing your ITAD vendor. A quality vendor should be able to handle your specific asset types and volumes and have the logistics and transportation capabilities to support your needs. This includes scaling services up or down based on your requirements and tailoring their offerings to your unique situation.

End-to-end services are also important, so you only have to vet one vendor who can then handle everything from logistics and data destruction to remarketing and recycling. The vendor should offer on-site and off-site data destruction options, ideally with NAID AAA-certified mobile trucks and facilities. Convenient collection services are also important, whether through scheduled pick-ups, accessible drop-off locations, or mail-in options.

Flexibility is key when it comes to contracts and equipment. Be wary of vendors that lock you into long-term contracts. An established reputation for excellent service and reliability is also critical. Look for solid testimonials from clients in similar industries to gauge the vendor’s track record. Finally, responsive customer support can significantly improve your ITAD experience. A dedicated project manager can ensure that any issues or questions are addressed promptly, helping to streamline the entire ITAD process and provide peace of mind.

Securis

Securis provides secure, accurate, sustainable, certified, and compliant on-site and off-site data sanitization and IT asset disposal and recycling for PCs, laptops, hard drives, solid-state drives, smartphones, servers, and other e-waste using NSA-approved degaussing and drive shredding technology and NIST 800-88 compliant drive wiping.   Many Securis customers are in highly regulated industries such as government, healthcare, and financial services.  In response, Securis has spent more than 20 years developing best practices for destroying classified and highly sensitive data.  Securis holds certifications for ISO 9001, ISO 14001, and ISO 45001, as well as a NAID AAA (i-sigma) certification. In addition, Securis is certified by the DLA (Defense Logistics Information Service) to store and transport military critical technical data and by the Department of Transportation to transport e-waste materials.  Securis also complies with relevant regulations, such as HIPAA, HITECH, OSHA, Gramm-Leach Bliley, FERPA, and many more. Securis is also R2V3 certified to responsibly remarket or recycle every component in your retired electronic devices, ensuring e-waste stays out of landfills and your ESG rating is increased. Securis also has a Certified Secure Destruction Specialist® (CSDS®) on staff, so you can be sure regulatory compliance, information security, and risk management protocols are always top-tier.

Securis provides a thorough chain of custody and a transparent and well-documented process for your IT asset disposition projects, culminating in a certificate of destruction, all readily accessible to you 24/7 from their Client Portal.  Inventory reports have been demonstrated to be greater than 99% accurate.   Securis’ value recovery program assures the best possible return for any residual value in your end-of-life IT assets.  Securis has more than 50 five-star reviews on Google and positive reviews on Gartner.  Securis provides services throughout the continental U.S.

At a Glance:

  • Company Type: Private
  • Year Founded: 2000
  • Website: https://securis.com/ 
  • Headquarters Location: Virginia, USA
  • No. of Employees: 51-200
  • Reviews: As of 3 Oct. 2024, Securis has an Overall Rating of 5 out of 5 in the IT Asset Disposition market, based on 4 reviews on Gartner Peer Insights™. Trustpilot: no reviews. Google: 4.8 out of 5 based on 76 reviews.

Bottom Line: Securis is the best overall choice for companies looking for secure, accurate, and sustainable ITAD services. Securis offers military-grade certifications, ESG reporting, and flexible nationwide IT asset disposition services.

Iron Mountain

Iron Mountain is best known for its records management capabilities, which historically have been paper and tape storage, backup, and recovery services.  They are one of the largest companies in the United States and have a recognizable brand name globally.  Iron Mountain entered the ITAD business in 2021 by acquiring IT Renew, based in Newark, California. In November 2023, Iron Mountain completed the acquisition of Regency Technologies, expanding its presence in the IT asset disposition market.  In September 2024, Iron Mountain also acquired Wisetek, adding to its portfolio of ITAD acquisitions. 

Iron Mountain now provides IT Asset Disposition services as part of its broader IT Asset Lifecycle Management (ALM) offerings, which include data destruction, asset remarketing, e-waste recycling, and comprehensive reporting.

At a Glance:

  • Company Type: Public
  • Year Founded: 1936
  • Website:  http://www.ironmountain.com 
  • Headquarters Location: Boston, USA
  • No. of Employees: 10001+
  • Reviews: As of 3 Oct. 2024, Iron Mountain has an Overall Rating of 3.7 out of 5 in the IT Asset Disposition market, based on 2 reviews on Gartner Peer Insights™, Trustpilot – 1.4 based on 67 reviews.  Google: none found

Bottom Line: Iron Mountain offers a comprehensive set of services but may not be best of breed for all of them. Companies are likely to choose them for ITAD services when an existing procurement relationship is a key factor.

HOBI International Inc

HOBI International, Inc. provides IT asset disposition and managed mobile services. The company specializes in sustainable solutions for managing and disposing of global IT and mobile assets for businesses. HOBI’s services include data security and erasure, mobility managed services, reverse logistics, data center services, enterprise asset services, and environmental services, with systems designed to maximize a client’s return on obsolete assets while minimizing processing costs. HOBI processes more than 1 million individual assets annually across its three facilities in Dallas, Phoenix, and its original location in Batavia, Illinois.

HOBI also offers a custom-designed data management system with concise reporting on logistics, costs, asset serialization and configuration, redeployment schedules, sales history, and scrap summaries. 

At a Glance:

  • Company Type: Private
  • Year Founded: 1992
  • Website: https://hobi.com/
  • Head Office Location: Batavia, Illinois, United States
  • Reviews: As of 3 Oct. 2024, HOBI has not been rated on Gartner Peer Insights™. Yelp: 1.0 based on 1 review. No other reviews found.

Bottom Line: HOBI maintains R2v3, RIOS, and ISO 14002 certifications and is a WBE-certified company but does not have a NAID-certified facility.

DELL

Dell offers end-to-end device lifecycle management, including inventory tracking, equipment repair/replacement, upgrades, and responsible disposition. This can simplify IT asset management for companies with large, dispersed workforces. Dell manages the entire IT asset disposition process, including pickup logistics for any leased or owned hardware brand, secure data wiping following NIST SP 800-88 R1 standards, device resale or recycling, and online tracking through Dell’s TechDirect portal. Dell has a strong focus on sustainability and circular economy principles. They aim to recycle or reuse an equivalent product for every product a customer buys. 

Dell has expanded its Asset Recovery Services to 35 countries outside the U.S., covering Canada, Europe, the Middle East, Africa, and Asia. This makes Dell a viable option for multinational corporations. While Dell can handle multi-vendor assets, its ITAD services encourage the continued use of Dell products, potentially limiting flexibility in IT procurement decisions. While Dell offers some flexibility, its services may not be as customizable as those of specialized ITAD providers. In addition, Dell uses third-party partners for some aspects of disposition. 

At a Glance:

  • Company Type: Public
  • Year Founded: 1984
  • Website: https://www.dell.com
  • Headquarters Location: Round Rock, Texas, USA
  • No. of Employees: Approximately 120,000
  • Reviews: As of 3 Oct. 2024, Dell has an Overall Rating of 5 out of 5 in the IT Asset Disposition market, based on 1 review on Gartner Peer Insights™. Trustpilot: 1.5 based on 286 reviews. Google: none found.

Bottom Line: Customers who are exclusive users of Dell servers, storage, and laptops are the most likely to consider Dell for ITAD services.

Ingram Micro

Ingram Micro is an American distributor of information technology products and services. In February 2016, it was acquired by Chinese conglomerate HNA Group. In May 2018, it acquired CloudBlue, which offers cloud commerce services. Ingram Micro’s approach to ITAD is comprehensive and focused on risk management, logistics, asset repair and refurbishment, and maximizing residual asset value.

Ingram Micro offers onsite and offsite data erasure and destruction services, including degaussing and physical shredding. Its industry sectors include enterprise, government, manufacturing, legal, retail, and healthcare. Ingram uses a proprietary system called BlueIQ for global asset tracking and intelligence throughout the ITAD process and also handles resale through a platform named RENUGO.

At a Glance:

  • Company Type: Private
  • Year Founded: 1979
  • Website: http://www.ingrammicro.com 
  • Headquarters Location: Irvine, USA
  • No. of Employees: 10001+
  • Reviews: As of 3 Oct. 2024, Ingram Micro has an Overall Rating of 5 out of 5 in the IT Asset Disposition market, based on 1 review on Gartner Peer Insights™. Trustpilot: 1.4 based on 127 reviews. Google: none found.

Bottom Line: Because Ingram Micro is a large distributor of IT services, customers have access to its services through a large network of value-added resellers.

HPE 

HPE (Hewlett Packard Enterprise) offers comprehensive IT Asset Disposition services as part of its IT asset lifecycle management solutions. HPE prioritizes the reuse of IT assets over recycling, supporting the management of multi-generational environments. This strategy aligns with sustainability goals by extending the life of IT products and reducing environmental impact.  HPE provides asset recovery services, including collecting, inventorying, transporting, sorting, and processing IT products for recycling or remarketing.  

HPE partners with other ITAD companies to source used HPE computers and to subcontract ITAD services. Devices are processed through HP-approved partners and audited by a third party. If equipment cannot be repurposed, it is responsibly recycled. HPE offers a full suite of IT asset lifecycle management solutions, including the option to purchase pre-owned technology. It also has a large global presence, offering services in multiple countries.  However, there are service limitations with HPE, as in many countries, the HP ITAD Service is currently available for direct customers only. In addition, onsite decommissioning services are only available in Australia, Germany, the United Kingdom, and the United States. 

At a Glance:

  • Company Type: Public
  • Year Founded: 2015
  • Website: http://hpe.com
  • Headquarters Location: Houston, US
  • No. of Employees: 10001+
  • Reviews: As of 3 Oct. 2024, HPE has an Overall Rating of 4 out of 5 in the IT Asset Disposition market, based on 1 review on Gartner Peer Insights™. Trustpilot: 1.2 based on 7,174 reviews. Google: none found.

Bottom Line: HPE is best suited for companies that are committed users of HPE equipment and often reuse HPE equipment for different employees.  

ERI

ERI is one of the largest and most well-known ITAD companies. It claims to be the largest fully integrated IT and electronics asset disposition provider in the United States and possibly the world. ERI maintains NAID AAA, R2, and e-Stewards certifications. In 2021, it announced an investment by the private equity firm Closed Loop Partners.

ERI uses its partner network to provide services in the U.S. and 46 countries. It offers a full range of ITAD services, including data destruction, asset tracking and reporting, repair and reuse, parts harvesting, recycling, compliance management, and device remarketing. ERI also ensures regulatory compliance and meets or surpasses corporate risk management requirements.

At a Glance:

  • Company Type: Private
  • Year Founded: 2002
  • Website: https://eridirect.com
  • Headquarters Location: Fresno, California
  • No. of Employees: Approximately 1000
  • Reviews: As of 3 Oct. 2024, ERI has not been rated on Gartner Peer Insights™. Trustpilot: no reviews found. Google: no reviews found.

Bottom Line: Customers looking for an international presence and a fully integrated ITAD supply chain are likely to choose ERI.

ER2

ER2 provides IT Asset purchasing, installation, tracking, and disposal services. ER2 operates in Arizona, California, Tennessee, Nebraska, Florida, and Texas but offers worldwide service.  ER2 is a private company specializing in technology life cycle solutions, primarily serving Fortune 1000 clients. 

The company was founded in 2011 and has shown significant growth since its inception, being recognized as one of the fastest-growing companies in the US for multiple years. ER2 focuses on providing complete IT asset management services, from installation to deployment, while maintaining a commitment to social and environmental responsibility.

At a Glance:

  • Company Type: Private
  • Year Founded: 2011
  • Website: https://er2.com
  • Headquarters Location: Memphis, Tennessee
  • No. of Employees: 120
  • Reviews: As of 3 Oct. 2024, ER2 has not been rated on Gartner Peer Insights™. Trustpilot: no reviews found. Google: no reviews found.

Bottom Line: ER2 is well suited to companies that want to work with one vendor to manage the entire IT lifecycle, from purchasing and installing to disposing of end-of-life equipment.

Dynamic Lifecycle Innovations

In 2018, Dynamic Recycling changed its name to Dynamic Lifecycle Innovations to reflect a dedication to providing clients with customized, secure, and cost-effective solutions for all stages of the IT lifecycle, including e-recycling, materials recovery, refurbishment, or decommissioning outdated IT assets. Dynamic Lifecycle Innovations is a full-service electronics and materials lifecycle management corporation providing solutions for IT asset disposition, data security, product refurbishment, remarketing and resale, electronics recycling, legislative compliance, metals recovery, and logistics.

Dynamic is certified for NAID AAA, R2v3, e-Stewards, ISO 9002, ISO 14001, and ISO 45001. With physical locations in Onalaska, Wis., and Nashville, Tenn., the company claims to service 100 countries across six continents. Dynamic has a carbon calculator tool that includes details for 30 different categories of e-waste, comprising both whole units and component parts.

At a Glance:

  • Company Type: Private
  • Year Founded: 2007
  • Website: https://thinkdynamic.com/
  • No. of Employees: 201-500 employees
  • Headquarters Location: Onalaska, Wisconsin
  • Reviews: As of 3 Oct. 2024, Dynamic Lifecycle Innovations has not been rated on Gartner Peer Insights™. Trustpilot: no reviews found. Google: 4.3 based on 26 reviews. Yelp: 3.0 out of 4 based on 4 reviews.

Bottom Line: Best for companies who value extremely detailed ESG reporting.

Cascade Asset Management

Cascade Asset Management has over 20 years of experience in the ITAD industry. It specializes in healthcare, finance and insurance, education, government, and technology. Cascade is NAID AAA certified, e-Stewards certified, ISO 9001 and ISO 14001 certified, and PCI-DSS (Payment Card Industry Data Security Standard) compliant.

Cascade offers a full range of ITAD services, including on-site inventory and data destruction, secure logistics and transportation, asset testing, erasure, and unlocking, and has options for asset resale, recycling, donation, redeployment, or return to the company. Cascade has a value recovery program in the form of rebates for assets with residual value.

At a Glance:

  • Company Type: Private
  • Year Founded: 1999
  • Website: https://cascade-assets.com/
  • No. of Employees: more than 100
  • Headquarters Location: Madison, Wisconsin
  • Reviews: As of 3 Oct. 2024, Cascade Asset Management has not been rated on Gartner Peer Insights™. Trustpilot: no reviews found. Google: no reviews found.

Bottom Line: Cascade is a good choice for companies in Cascade’s freight zone, which includes Wisconsin, Illinois, Minnesota, Iowa, Indiana, Ohio, Michigan, Kentucky, and Florida. Also, while Cascade is NAID, e-Stewards, ISO 9001, and ISO 14001 certified, it may not be the best choice if your company requires R2v3 certification.

Sims Lifecycle Services

SLS specializes in managing retired electronic equipment, components, and metals. They primarily cater to businesses, data centers, and manufacturers. The company offers services such as secure and compliant global IT asset disposition (ITAD), e-waste recycling, data center decommissioning, data destruction, and refurbishing, repairing, and restoring materials for continued use.

Sims holds comprehensive certifications and provides online reporting. It operates globally with centers throughout the Americas, Europe, the Middle East, Africa, and Asia-Pacific regions. This extensive network allows it to support multinational companies and large data centers worldwide. The company also emphasizes sustainability, offering tools like a sustainability calculator to help clients quantify carbon emissions avoided through IT asset reuse and recycling.

At a Glance:

  • Company Type: Public
  • Year Founded: 2002
  • Website: https://www.simslifecycle.com/
  • No. of Employees: Over 4,000 employees globally
  • Headquarters Location: West Chicago, Illinois
  • Reviews: As of 3 Oct. 2024, Sims Lifecycle Services has not been rated on Gartner Peer Insights™. Trustpilot: no reviews found. Google: no reviews found. Yelp: 3.6 out of 5 based on 13 reviews.

Bottom Line: Sims is a good choice for global companies that need a vendor to participate in all aspects of the IT asset lifecycle, from procurement to maintenance to disposition.

SK tes

SK tes specializes in sustainable technology services throughout the lifecycle of IT assets, including deployment and commissioning of technology devices, IT asset disposition (ITAD), battery recycling, and materials recovery. With facilities in 22 countries, SK tes offers service worldwide. They provide end-to-end lifecycle management for technology assets, from deployment to recycling. The company has developed proprietary processes for recycling and materials recovery, such as its lithium battery recycling technology, particularly for batteries from electric vehicles.

SK tes places a strong emphasis on sustainability through electronics refurbishment.  The SK tes Consumer Solutions division offers data secure refurbishment, repair and remarketing services for consumer returns, trade-in and excess consumer electronics. They also boast a 99% recovery rate for processed materials and have committed to repurpose 1 billion kilograms of assets by 2030. 

At a Glance:

  • Company Type: Private
  • Year Founded: 2005 as TES; rebranded to SK tes in 2024
  • Website: https://english.tesgroup.de/
  • No. of Employees: Around 1000
  • Headquarters Location: Jurong Industrial Estate, Singapore
  • Reviews: As of 3 Oct. 2024, SK tes has not been rated on Gartner Peer Insights™. Trustpilot: no reviews found. Google: no reviews found.

Bottom Line: SK tes is best for global companies that are more focused on reselling retired assets or have large quantities of commodities such as lithium batteries that need to be properly recycled.

What to Look for in a Responsible E-Waste Recycling Partner

Key Factors in Choosing a Secure and Responsible IT Asset Disposition (ITAD) Partner

In today’s rapidly evolving technological landscape, responsible e-waste management has become a critical concern for businesses of all sizes. As organizations regularly refresh their IT assets, partnering with a reliable and certified IT Asset Disposition (ITAD) vendor to sanitize and recycle e-waste is essential to ensure security, accuracy, and sustainability throughout the electronics recycling and disposal process. This blog post explores key factors to consider when selecting a responsible e-waste recycling partner who can provide sustainable e-waste recycling solutions.

What is IT Asset Disposition (ITAD)?

IT Asset Disposition is the process of securely and responsibly disposing of end-of-life IT equipment such as computers, tablets, smartphones, and storage devices. Since these devices often contain sensitive information and hazardous materials, proper disposal is crucial for data security and environmental protection.  So, how do you choose a responsible e-waste recycler who can ensure the safe and eco-friendly disposal of old electronics? Read on. 

Critical Considerations for Choosing an IT Asset Disposition Partner

Security

Electronic devices often contain sensitive information. A responsible e-waste partner should have robust data destruction processes to ensure your data is securely erased or destroyed. Look for partners who:

  • Can evaluate end-of-life equipment with a thorough understanding of data sensitivity and a plan for media sanitization and destruction when required
  • Employ data erasure and destruction methods that meet or exceed state and national standards (e.g., NIST 800-88)
    • Your partner should offer data wiping to purge standards, allowing for the safe re-use of some assets
    • Your partner should offer degaussing equipment that meets NSA standards
    • Your partner should offer hard drive shredding equipment on the NSA-approved list that can disintegrate sensitive data to 2mm particles
  • Hold up-to-date industry standard certifications such as:
    • ISO 14001: This standard specifies requirements for an effective environmental management system (EMS), indicating the recycler’s commitment to minimizing environmental impact
    • ISO 9001:2015:  An internationally recognized standard for quality management systems (QMS)
    • ISO 45001: An international standard that specifies requirements for an occupational health and safety (OH&S) management system
  • Maintain NAID AAA certification for both mobile and plant-based operations
  • Offer compliance with regulations based on your industry
    • HIPAA, HITECH, OSHA, Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, FACTA Disposal Rule, FERPA, etc.
  • Offer GPS-monitored transportation 
  • Allow witnesses for data destruction

Accuracy

Transparency is a crucial indicator of a responsible e-waste partner. Ideally, an ITAD partner should provide comprehensive and accurate reporting for the entire chain of custody. Ensure your chosen vendor:

  • Offers a detailed audit trail for all processed assets from initial collection to final processing.
  • Provides greater than 99% accurate reporting on each asset
  • Issues certificates of destruction upon completion
  • Makes documentation available online for easy access
  • Offers weight and LEED reporting
  • Implements two-step verification of captured data

Sustainability

E-waste contains hazardous materials such as lead, mercury, and cadmium, which can contaminate soil and water if not handled correctly. Additionally, e-waste often contains valuable materials like gold, silver, and copper that can be recovered and reused. Responsible and ethical e-waste management ensures these materials are properly processed, reducing environmental harm and conserving natural resources. Your ITAD partner should:

  • Hold an R2v3 certification to prove their responsible recycling practices: The R2v3 standard focuses on environmental, health, safety, and data security practices, ensuring e-waste is processed responsibly. If a vendor has this certification, you can be sure that they have met a high standard for recycling, not just in the facility but also for any additional downstream processing. In addition, spot checks from SERI ensure that your vendor continues to comply with these rigorous certification standards
  • Prioritize reuse and employ environmentally friendly practices for assets that must be recycled
  • Ensure that electronics are responsibly reused or recycled at every step in the downstream recycling process
  • Maximize value recovery through resale or reuse of sanitized assets
  • Offer a transparent revenue-sharing model
  • Support donation programs
  • Bonus: Advance your ESG goals further by partnering with a company that has programs that support local communities, such as providing job opportunities for disabled workers or hosting community e-waste recycling events

Additional Considerations

Beyond security, accuracy, and sustainability, consider the following factors.

  • Does your vendor have a Certified Secure Destruction Specialist® (CSDS®) on staff? 
  • Is the vendor capable of handling your specific asset types and volumes?
  • Do they provide end-to-end logistics?
  • Do they have choices for on/off-site data destruction?
  • Do they offer flexibility in tailoring services to your needs?
  • Are there convenient collection services such as secure onsite collection bins or storm cases that can be sent through the mail?
  • Do options such as mobile service allow service at your site or facility, enabling you to witness the entire process?
  • Do they have restrictive or hard-to-break service contracts? 
  • Is there evidence that the vendor uses ethical practices to ensure safe working conditions and fair employee labor practices?
  • Does online customer feedback provide insights into the reliability and reputation of the e-waste partner? Look for online reviews on platforms like Google Reviews or Yelp, or on industry-specific forums, and check testimonials or references that the vendor might provide upon request.
  • Experience: How long has the vendor been in business?  Do they have a strong record of experience in the industry?

Conclusion

Selecting a responsible e-waste partner is a critical decision that impacts your organization’s security, compliance, and environmental footprint. By carefully evaluating potential ITAD vendors based on the criteria outlined above, you can ensure a secure, accurate, and sustainable IT asset disposition process. Remember, the right partner will not only protect your sensitive data but also contribute to a more sustainable future for our planet.

Financial Institutions Need Secure Data Destruction Policies to Comply With The Gramm-Leach-Bliley Act (GLBA)

What is the Gramm-Leach-Bliley Act?

Financial Institutions must comply with information security and privacy regulations when they retire end-of-life computers, networking devices, servers, phones, and tablets. This article explains one of those compliance standards, the Gramm-Leach-Bliley Act (GLBA). By working with the right IT Asset Disposition Partner, your company can reduce the risk of a breach like the one that occurred at Morgan Stanley and comply with GLBA and other compliance standards. The GLBA, enacted in 1999, primarily focuses on protecting consumer financial information held by financial institutions. It includes provisions to safeguard sensitive data and mandates specific requirements for data destruction as part of its broader privacy and security framework.

The GLBA, also known as the Financial Services Modernization Act, has three main components:

  1. The Financial Privacy Rule: Governs the collection and disclosure of consumers’ personal financial information by financial institutions.
  2. The Safeguards Rule: Requires financial institutions to implement security measures to protect customer information.
  3. The Pretexting Provisions: Protect consumers from individuals who obtain personal information under false pretenses.

Data Destruction under the GLBA

While the GLBA does not have explicit data destruction requirements, its mandates imply the need for proper disposal of consumer information to prevent unauthorized access and ensure data security. The critical consideration here is the Safeguards Rule, which focuses on maintaining customer information’s confidentiality, integrity, and security.

The Safeguards Rule

The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. “According to Section 314.1(b), an entity is a ‘financial institution’ if it’s engaged in an activity that is ‘financial in nature’ or is ‘incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).’” [1] The rule compels financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. Data destruction is an integral part of this security program. Here’s how the Safeguards Rule translates into data destruction requirements:

Key Points of the Safeguards Rule

  1. Comprehensive Security Program:
    • Financial institutions must develop, implement, and maintain a written comprehensive information security program that includes administrative, technical, and physical safeguards.
  2. Risk Assessment:
    • Institutions must conduct risk assessments to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of their customer information.
    • This includes risks in the storage, processing, and disposal of information.
  3. Design and Implementation of Safeguards:
    • Based on the risk assessment, institutions must design and implement safeguards to control the identified risks.
    • This includes developing policies and procedures to ensure secure data handling and disposal practices. Choosing the right data destruction partner can critically influence these safeguards. 
  4. Regular Testing and Monitoring:
    • Institutions must regularly test and monitor the effectiveness of their safeguards.
    • This includes periodic review and adjustment of data destruction practices to ensure they mitigate identified risks effectively.

Securis performed on-site shredding for a financial services company. They told us that all hard drives were removed and that we could recycle the 8 server cabinets. Upon inspection, we found 86 drives (72 SSDs and 14 Hard Drives). We shredded the 86 drives, saving the company from what could have been an expensive breach. The 86 drives represented 15% of the total drives that were missed.

Best Practices for Data Destruction under the GLBA

Policies and Procedures:

Institutions should develop clear policies and procedures for IT Asset Disposition (ITAD) and Data Destruction. This includes outlining methods for securely destroying differing data types (e.g., paper records and electronic data).

Secure Methods:

Ensure your ITAD service partner utilizes secure data destruction methods for digital data, such as shredding, incineration, degaussing, or NIST 800-88 and IEEE-compliant software-based overwriting techniques. The chosen method should render the data unreadable and irrecoverable.

Employee Training:

Train IT employees on the importance of data sanitization and the specific procedures they must follow. Employees should understand the risks associated with improper disposal and the legal obligations under GLBA.

Third-Party Management:

Ensure third-party service providers handling data destruction can safeguard customer information by following GLBA requirements. This includes due diligence in selecting vendors, third-party risk assessments, and agreements specifying data destruction standards.

Documentation and Audit Trails:

Maintain documentation of data destruction activities, including the types of data destroyed or overwritten, methods used, and verification of destruction.  This information should be readily available for audit in your IT Asset Management system or the portal of your ITAD vendor.   This audit trail can be reviewed to ensure compliance with the Safeguards Rule. In addition to an audit, ensure you receive a Certificate of Destruction from a certified IT asset disposition vendor. 

Incident Response:

Develop an incident response plan for addressing and mitigating any breaches related to data destruction.  If an IT asset goes missing, it should be investigated.   IT Asset Management best practices allow organizations to understand where assets are at all times.  Ensuring all assets are logged and inventoried and that records are kept current will allow you to examine where an asset was lost if it cannot be accounted for later.  

Incident response should include procedures for investigating and remediating instances where your IT Department or ITAD vendor did not follow best practices for data sanitization or destruction.

Conclusion

The Gramm-Leach-Bliley Act’s emphasis on protecting consumer financial information inherently requires robust data destruction practices. Through the Safeguards Rule, the GLBA requires financial institutions to establish or procure comprehensive security programs that include secure data disposal. Working with an experienced and certified ITAD partner like Securis, financial institutions can safeguard sensitive information, maintain consumer trust, protect shareholders, and ensure regulatory compliance.

[1] https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Balancing Data Security, Sustainability, and Disposal Costs for IT Asset Disposition (ITAD)

Finding Balance

Electronic waste (e-waste) disposal has become a pressing issue in today’s technology-driven world. E-waste, which includes discarded electronic devices like computers, smartphones, and other data-bearing equipment, presents significant sustainability, budgetary, and data security challenges. According to the EPA, only 12.5 percent of U.S. e-waste is properly recycled. E-waste represents just 2 percent of America’s waste in landfills but makes up 70 percent of overall toxic waste.

Companies and government entities must balance the need to comply with data security regulations and dispose of e-waste in the least ecologically damaging way possible while managing their budgets by avoiding exorbitant disposal costs. Organizations that focus too much on information security will likely blow out their budgets and won’t meet their sustainability goals.   Organizations that focus too much on sustainability or cost could create a situation where they have a significant data breach.

An Information Technology Asset Disposition (ITAD) company that employs Certified Secure Data Destruction Specialists (CSDS) can ask you questions about your requirements and help you determine the most effective method of computer recycling.

Data Security

Data security is a paramount concern when disposing of e-waste. Electronic devices often contain sensitive personal and corporate information that, if improperly handled, can lead to data breaches and identity theft.   Technology is constantly changing, and our teams regularly find data on company devices that their IT teams miss.  Working with an expert service provider meets the best practice of separation of duty and provides a double check to your IT teams.

Ensuring that data is irretrievably destroyed before reuse or recycling is crucial. For example, Morgan Stanley was fined $100 million after hiring a company with no experience or expertise in data destruction to decommission thousands of hard drives and servers. In addition, a healthcare provider in Maine exposed the medical records of 100,000 citizens because of improper data sanitization practices. ITAD vendors that employ CSDS and are NAID AAA Certified can help your organization comply with security best practices.

Environmental Concerns

Improper disposal of e-waste can have severe environmental consequences. Electronic devices contain hazardous materials like lead, mercury, and cadmium, which can leach into soil and water, causing pollution, health risks, and even fines. If your ITAD vendor or their downstream recycling vendors don’t follow the law and go out of business, your company could be at risk.

Strategies for Minimizing Environmental Impact:

1. Reuse: An ITAD service provider may be able to resell late-model computers, which is the best way to lower your carbon footprint. Before selling, your ITAD provider must follow NIST 800-88 or IEEE best practices to remove all data from storage devices.

2. Recycling: Older electronics and computers that must be shredded because they have classified information on them may have limited value. In these cases, recycling individual components ensures that valuable materials are recovered and reused, reducing the need for raw material extraction and minimizing environmental damage. Partnering with an IT disposal vendor with a robust recycling and reuse plan simplifies this process.

3. Responsible Disposal: Work with R2v3 certified e-waste recyclers who follow environmentally sound practices, including the safe handling and disposal of hazardous substances. Sending e-waste overseas could violate laws and create security risks.   A NAID AAA and R2v3 certification means your ITAD vendor is required to follow strict standards. R2v3 certification involves rigorous audits by an independent third party to evaluate recycling practices in over 50 areas of operational and environmental performance. R2v3 is the leading standard for the electronics recycling industry, ensuring practices that protect the environment, human health, safety, and the security of the recycling process.

Disposal Costs

The cost of e-waste disposal can be a significant barrier for many organizations. Balancing the financial aspect of e-waste management with the need for data security and environmental protection is a top priority for many organizations. Organizations that evaluate vendors on price alone could risk fines, their reputation, and future stock valuation.

Cost-Effective Disposal Solutions:

1. Bulk Disposal Discounts: Organizations can negotiate bulk disposal agreements and long-term contracts with certified recyclers to reduce per-unit costs.

2. Resale: Thoroughly sanitized servers and drives can be resold, reducing the volume of e-waste and offsetting disposal costs through a value recovery program.

Conclusion:

In summary, balancing data security, environmental concerns, and disposal costs requires partnering with an industry leader that ensures secure and environmentally sound computer recycling processes while offering cost-effective solutions. Vendors with industry certifications in data destruction and environmentally friendly recycling, and with a robust value recovery program, are best positioned to help advise your organization on asset management best practices and effectively dispose of IT assets.

Federal Tech Podcast with Securis’ Sal Salvetti

Moderator John Gilroy interviews Securis Director of Operations Sal Salvetti for the Federal Tech Podcast

Podcast link: https://podcasts.apple.com/us/podcast/ep-166-the-most-important-tech-question-that-nobody-asks/id1612819978?i=1000663400507

This conversation between host John Gilroy, moderator of the Federal Tech Podcast, and guest Sal Salvetti, of Securis, concerns the secure data destruction of electronic devices, specifically hard drives and solid state drives, used by federal agencies and organizations.

Key Points

  • Many organizations don’t properly dispose of old hard drives, which can lead to data breaches and hefty fines.
  • Securis offers various data sanitization methods depending on the information’s classification: degaussing, shredding, disintegration, and incineration.
  • Securis is certified by several organizations and follows strict guidelines to ensure secure data destruction.
  • They offer on-site and off-site data destruction services to meet the needs of different clients.
  • Securis also resells refurbished equipment and recycles materials from old electronics.

Here are some conversation highlights:

  • The importance of secure data destruction for federal agencies handling sensitive information.
  • Different data sanitization methods and when to use each one.
  • Options for secure disposal of various electronic devices, including cell phones and tablets.
  • How to avoid mistakes like throwing away hard drives without proper data erasure.
  • The environmental benefits of responsible IT asset disposition.

TRANSCRIPT

John Gilroy: Hey, John Gilroy here.  Everybody knows there are an estimated 300 data centers in Northern Virginia. Very few people know what happens when they upgrade those servers in the data center. Today, we found out.

John Gilroy:    Hit the music, Manny.

<VOICE>  Welcome to the Federal Tech Podcast, where industry leaders share insights on innovation with a focus on reducing cost and improving security for federal technology. If you like the Federal Tech Podcast, please support us by giving us a rating and review on Apple Podcast.

John Gilroy:  Welcome to the Federal Tech Podcast, a podcast that connects you to federal technology leaders.  My name is John Gilroy, and I will be your moderator. Our guest today is John Salvetti.    He’s the executive vice president of a company called Securis, S-E-C-U-R-I-S.   I would be remiss if I didn’t tell our audience that we are recording this from Monk’s Barbecue in lovely downtown Percival, Virginia.  This is a high-class joint, Sal.

John Gilroy:    And so I’ve seen this thing from iSigma, and it says, here’s the headline.  Personally identifiable information was found on 40% of used devices in the largest study to date.  So my personal stuff on those servers in Ashburn can be recovered.   What happens in this whole transition and upgrading?

Sal Salvetti:  So one of the options you gave me, I could tell you if you’re out of your mind, right?  But yeah, you’re out of your mind, but nothing to do with that, okay?  No, it’s great to meet you, John. Great to be here as part of your Federal Tech Podcast.  And so yeah, that’s true.

Sal Salvetti:  There are organizations out there when they want to, they’re under the life cycle for their hard drives, or their solid-state drives, laptops, desktops, anything that’s data-bearing, you want to make sure you dispose of it properly.  And that’s what we do.  We are an ITAD company, IT Asset Disposition.

Sal Salvetti:  Some people use the D as in disposal, but we will bring that from, we’ll pick it up from you and bring it to our location and shred it as one of the ways of dealing with it.  Or we could actually take care of it at your location and we could either shred it or disintegrate it, depending on what type of equipment it is.

John Gilroy: Now, Sal, I’ve driven through Ashburn a million times.  In fact, I recorded a podcast a couple of times at Monks, at the Ford’s Fish Shack, right there.

Sal Salvetti:  I know what you’re talking about.

John Gilroy:    And I’ve never thought about what happens to those servers, but obviously, they’ve got servers in there. There’s new hard drives, new Nvidia drives and graphics chips, and so they take them out. So what kind of choices does a federal agency have when they’re upgrading some of their data centers?

Sal Salvetti:  So one of the things you want to look at is it an end of life piece of equipment.  As you look at it, if it’s end of life and there’s no reuse or recycling, no reuse that you can do to it. We will help you look at that. So here is a server.  We look at the server. If we think it can be resold, which should be good out there because that’s great of not having something end up in a landfill, we will take it off your hands.

We will bring it to our location.  We will refurbish and resell, for example, on either a wholesale or a eBay or Shopify type website.

Sal Salvetti:  So that’s if it can be resold.  If it’s end of life, we want to make sure that it does not end up in a landfill. In fact, only about 18% of e-waste, electronic waste out there gets properly disposed of. We are one of the ones who can dispose of it properly. We have so many certifications that are along with that.

Sal Salvetti:  So let’s talk about if we want to dispose of it.  We’ll bring it to our location. We will actually disassemble it.  We’ll take it down to its component parts because of the focus materials that are in there.  Gold, silver, platinum, palladium and copper.  And then we will go ahead and resell that for reuse out there on the open market. Some of them might have some plastic. We also take apart the plastic and we build a plastic and we resell that also for reuse.

John Gilroy:    So Sal, in doing my research for this interview, I came across an acronym that I’ve never heard before and maybe other listeners have, but it’s a Certified Data Destruction Specialist, a CSDS.  So that’s the certification we’re talking about here, huh?

Sal Salvetti:  Yes, we have them in our organization and really it’s just like any certifications out there, you don’t want to just operate off of what you think is right. There’s formal organizations that show you the proper processes to follow and also keep you updated on the rules, regulations and policies that are out there.

John Gilroy:    Let’s talk about commercial company in Chicago, say. If they do not dispose of hard drives properly, can they get fined?

Sal Salvetti:  They sure can. There’s been, in the news, there’s been people who have been fined.  Let me see, there was Morgan Stanley. That was the breach that I was trying to think of.  Morgan Stanley data breach, $35 million fine. Health Reach in Maine, 100,000 citizens had their information exposed just due to bad data sanitization. State of New Jersey, 79% of their laptops that they auctioned to the public had data on them. So besides thinking about getting fined with improper disposal of it, you’ll also get fined for actually not taking care of personally identified information on those hard drives.

John Gilroy:    Okay, fines are one thing.  Let’s go back and talk about the military and maybe some three-letter agencies and other organizations. And I’m gonna quote a movie, the movie is Forrest Gump.

Sal Salvetti:  Okay.

John Gilroy:    And Lieutenant Dan famously said, don’t do anything stupid. And I think when you have upgrading equipment, you have hard drives you’re replacing, you don’t wanna do anything stupid. So what kind of guidelines can you give our federal listeners for not doing anything stupid, replacing their existing hard drives?

Sal Salvetti:  What we found, it’s actually funny, but not in a laughing manner so much, is that, like I mentioned earlier, really about the 18% only disposing of properly, there’s no reason to just, once you upgrade, everybody goes through their life cycle replacement. Once they get the new stuff, they actually kind of forget about the old stuff.

John Gilroy:    Right, a typical human.

Sal Salvetti:  Yeah, and they’ll put it in, they’ll just stash it away, until somebody comes into the organization, opens up a closet and things are, old stuff is falling on top of them, and that’s when they call us.  So if you want to go ahead and dispose of that equipment properly, and we’re the ones, we can actually do it, we can shred your hard drives.

Sal Salvetti:  So once again, think of data bearing devices, and I’ll just talk about hard disk drives and solid state drives for right now, in addition to that, we can also shred laptops and desktops. But a hard disk drive, there’s different regulations out there.  It all falls under the umbrella of sanitizing the information. Depends on the classification of that information, of how far you want to go with sanitizing it.

Sal Salvetti:  And underneath that sanitize umbrella, there’s different classifications depending on the document that you’re looking at. So for example, the NSA uses degauss, disintegrate and incinerate, burning it, smelting it, all right.

Sal Salvetti:  Another degaussing, that renders the equipment, what it does, think about what degaussing does.  It destroys the magnets in there. So now you can never use that again. Disintegration, that’s for a solid state drive. And there are machines out there and we have one of them that are certified to disintegrate down to the two-millimeter-size particle.

Sal Salvetti:  So when you think of two millimeter, just think of walking on the beach. That’s what it’s looking like, all right.  And then for incineration, that’s just thrown in a big furnace and nothing’s on that.

Sal Salvetti:  If you talk about the NIST special publication 800-88, revision one, because that’s important, you can clear, purge or destroy. And then, of course, and then you have the subcategories underneath that.  And I’ll just throw a little vignette out there. So I was on Wheel of Fortune.  When I was spinning the wheel on Wheel of Fortune, they have this thing called a mystery round. And it’s two wedges that are on the wheel.  Underneath one of the wedge, we’ve got to land on it. If you call the letter, it’s in the puzzle, you get to pick up the wedge.  One of them is going to have $10,000 underneath it.

One’s going to be bankrupt.  It’s a guess. You don’t want to turn your data sanitizing process into a guess. Calling us, we’re the experts, we can remove all the mystery from any mystery wedge that you have out there.

John Gilroy:    The mystery for many of our listeners is the budget mystery of when do you use software to clear your old hard drives?  When do you have it shredded?  When’s it disintegrated? I guess smelt it or something. So what kind of guidelines do we have here? Is it just the type of information or there’s budget considerations here too, aren’t there Sal?

Sal Salvetti:  There are.  So think of cost versus security versus sustainability.

Yeah, I always like to explain it as a thing of going into the car wash. You could do the basic level of service and that gets you a certain level.  Or you could say, okay, I want to wash it, but I want to dry it.  I want to wax it. I want to clear coat it. I want to get the tires worked on.

Sal Salvetti:  So we can work with you on what you actually need and what you want. And we’re going to make it so you don’t overpay for what you need based on the level of what the information is. Now, for example, there may be some information you don’t have a choice.  It’s because it was this.  You remember the classifications level out there are confidential, secret, and top secret. So if something falls in there, there is no choice.  You must either disintegrate or you must work this for your destruction.

Sal Salvetti:  But if there’s not, if it’s a lesser classification of information and you just want to make sure it’s not available to the public, we will take you through the various options.  Like I said earlier, the degauss, the shredding, disintegration and incineration.

John Gilroy:    Now, Sal, your company is very successful, very well known all over the world.  There’s questions I think people would ask of how.  Okay, so do I get in my little truck and drive my hard drives over to your office?  Do you come to me? Do I FedEx them to you?  I guess there’s gotta be, depending on the agency, a certain chain of command here, there’s certain security here.

Sal Salvetti:  So the answer to that is yes, yes and yes.  All right, that’s one thing that we differ from a lot of other organizations out there.  We run the whole gamut under the ITAD, once again, the IT asset disposition process.  All right, so let’s just go back to step one of what you asked about, John.

How can I, I’m an organization, I have my hard disk drive, I have it in my possession, what do I do? So it all depends on the classification of the information for one thing.  So we can go to your location, our trucks, our capability is mobile. We have a mobile capability that has the shredder, disintegrator, and the degausser inside of the truck.

Sal Salvetti:  What’s important about that when we go to your location to do it, is that we are self-sufficient.  The truck has its own power. So it’s not like we’re gonna be bothering you. Once we pick up whatever equipment we have to pick up, we’re not, hey, I need to plug in, where’s your plug here?  No, we can pull off of the, wherever we’re at by the office, by the, you know, the dock and move away and do whatever equipment we want.

Sal Salvetti:  Some people want to do it onsite because they want to just keep an eye on it. Now, if it’s a lesser level of classification, we’ll bring it back to our facility and we have all the same capabilities inside of our warehouse. And then, but if it’s incineration, that’s where we actually have to go third party.

John Gilroy:    And when you say shredding, I think paper. So nothing to do with paper, shredding hard drives.

Sal Salvetti:  There’s different capabilities out there. We have two different ones that meet industry standards. We will put a hard drive into a shredder and one of them gets it down to inch and a half strips. One of it gets it down to one inch strips. What I talked about for the solid state drives previously, we get it down to two millimeter, which is the one that is NSA certified.

John Gilroy:    Your company is Securis, S-E-C-U-R-I-S.  And what I’m going to do is in the show notes for this, I’m going to include a video testimonial from your customers.  Can explain a lot of these concepts you’re talking about because some are kind of interesting.

John Gilroy:    So look for that video and I’ll put it in the show notes.

John Gilroy:    When I lived in old town Alexandria, my next door neighbors worked for a three letter organization and they always had good stories and we were good friends.    And it would seem to me that an organization like that might have very, very sensitive information in the hard drive and then what they might want to do is have armed guards physically take it to your location and observe it being shredded.

John Gilroy:    I mean, this happens in Washington DC, I’m sure.  I mean, yeah, I think that’s what happens, isn’t it?

Sal Salvetti:  So we have had, we’ve picked up equipment from a place that’s been escorted back to our facility.  And because of the capacity of it, they wanted to use the bigger shredder to, you know, it’s throughput. And they have sat there and watched us shred. They’ve, I’ll just say observed, observed us, take apart cell phones, remove the battery and put it through the shredder.  Yeah, they watched us take apart laptops, remove the battery, take out the, whatever the hard drive is, the regular SSD or not, and shred those too.

John Gilroy:    You know, I talked about Forrest Gump and don’t do anything stupid.  I never even thought of cell phones.   I mean, cell phones could have compromising information on them.  I mean, who thinks about that?

Sal Salvetti:  And we do.

John Gilroy:    Yeah, and tablets. Wait a minute, I’m thinking about tablets now, and of course laptops and desktops and servers, but it’s not just servers in Ashburn, huh?

Sal Salvetti:  Think about anything that has data on it and you don’t want it to end up in the wrong hands, right?  And I’ll go back.  There may be something on there where I want to give you this hard drive.  I want you to just, I’ll use the vernacular, wipe it, erase the data that’s on there, but if you resell it, I’d like to get a little kickback on what you resell.

Sal Salvetti:  So when you talk about the budget numbers, if there’s the ability to say at the level of classification, it doesn’t have to be shredded so it’s not used, doesn’t have to be degaussed so it can’t be used, we will sell it and we will give you a rebate according to the proceeds from that sale.

John Gilroy:    I was listening to a podcast with a person at NIH, joking all kinds of information.  It would seem to me that there would be medical studies that have personally identified information but have much more sensitive information.

John Gilroy:    So someone at HHS or NIH, they may say, no, no, no, we want an NSA certified shredder and that’s what you provide.  I mean, I never thought an NSA, of all the things NSA does, really they worry about hard drive shredding machines?

Sal Salvetti:  Yeah, the big one that they do this certification on are the SSDs because that’s where everybody’s going now, even though we still have quite a few hard drives out there, the solid state drive, more information, smaller, that type of thing and you want to get it down so any adversary out there, it could be because of where we are in DC, any adversary, you do not want them getting any information off of that.

Sal Salvetti:  And the NSA will say, if you use this piece of equipment, now they’ll certify different companies that are out there and we have then purchased that equipment from that company who makes those machines. We don’t make the machines, we use the machines, just like anything else.

So they will say, I want this done to that level of destruction so there’s nothing I have to worry about.

John Gilroy:    So as an individual, let’s say I buy a new iPhone.

Sal Salvetti:  Yep.

John Gilroy:    My old iPhone and I trade it in, is that doing something stupid or is that a reasonable thing for normal human beings or not worry about that?

Sal Salvetti:  You better take out the SIM card and anything else that can hold that on there.

John Gilroy:    Yeah.

Sal Salvetti:  So it’s, and to be on the safe side, give it to us and we’ll make sure there’s no data on it.  Maybe we resell it.  And now this is for big organizations. We don’t want you driving up to our door and say, here’s my cell phone.  No, we want a thousand of them at a time.

John Gilroy:    It makes sense.

Sal Salvetti:  And we can make sure that the information’s off and we can either resell, like I said, or we shred it.

John Gilroy:    I, maybe I’ve read, I have watched too many Jason Bourne movies, but I have this image. I’m looking at you taking notes going, okay, so let’s say an operative named Kurt.  So he goes out and he does some dumpster diving behind a company and pulls out some hard drives. I mean, has that even happened?

Sal Salvetti:  There’s no doubt in my mind that that has happened.  People, whether it’s incompetence or laziness or a combination of the two, right? Or just not knowing. Ignorance is one of them also. It’s like, hey, I can just toss this stuff. So, like I said, no mystery wedges, no gambling. Let us get the equipment and clear the information that needs to be cleared off of it.

John Gilroy:    Most of my interviews have been about newer systems, designing systems.  It seems like this is a checkbox that’s not checked on the life cycle of hardware.  It’s not on the list or maybe very few companies think.

I’m sure that the three other agents think about it, but look at NIH or HHS. They have information that’s just as sensitive and maybe there are people working there that don’t know about Securis.

Sal Salvetti:  That’s a great observation.  There’s been an evolution in people thinking about how easy it was or is for information to be pulled off of this stuff and those hard drives or SSDs that end up in the wrong hands.  It’s great to see the level of information and education that’s out there so then they know, hey, look us up.  We already know. Hey, if you don’t remember anything about today’s podcast, remember four things, all right?

Sal Salvetti:  Remember our name, Securis, so our website’s securis.com, and remember if you want industry standard making it happen the right way, we are secure, we have great accountability and sustainability.

John Gilroy:    Okay, you were on Wheel of Fortune, is that right?

Sal Salvetti:  I was, yes.  Twice actually, John, twice.

John Gilroy:    So Wheel of Fortune, let’s say a topic comes up and it’s ESG.

Sal Salvetti:  So the topic would be Jeopardy, or yeah, Jeopardy, not Wheel of Fortune.

John Gilroy:    So what is ESG, and what’s it got to do with hard drives?

Sal Salvetti:  Yeah, the big thing we like to hone in on that one besides the E and the G is just the sustainability aspect.  And that goes back to, years and years, people just, remember, the landfills. You would just take it to the landfill, no matter what it was. Think about big TVs, the cathode ray tube TVs. Think about flat screen TVs, which we treat as somewhat disposable right now.

Sal Salvetti:  A lot of people will just chuck them into the landfill. Well, we’re getting better about that. We want to sustain the environment. It’s bad for the environment to have the plastics that don’t decay for hundreds of years, or the toxic metals that are in there. So bring it to us.  We’ll take it through its end of life, so that’s what we want to say.

Sal Salvetti:  We are the pros in making sure that you, as an organization, can say, I have done my part for the environment, and I am disposing of this equipment properly.  In fact, we will produce a sustainability report for you based off of, right now we’re looking at about 23 different factors as part of that report.

John Gilroy:    Sal, several years ago, I had a podcast called Inside Data Centers, and I would literally go inside a data center and record it and talk about heating and cooling.  I mean, all kinds of issues that no one ever thinks about. You wouldn’t even want to guess that large organizations like, I’m gonna name names here, like Jerry Seinfeld, so I’m gonna name names like Google, Microsoft.  I imagine they have life cycle policies for this or are you part and parcel?  Do you contract with them or do you normally contract with federal agencies?  So what’s the typical relationship you have with one of these bigger companies?

Sal Salvetti:  So those hyperscalers out there, they’re doing their own stuff now because they like to keep it in house.  So the Amazon Web Services out there, they’re not gonna call us up.  Now they did about five years ago and we got until they figured out what they needed to do, and we actually got them through the process to clear and dispose of their equipment properly.

Sal Salvetti:  But the other ones out there, there may be an owner of a data center and they have tenants inside of that.  So they want us to take care of their tenants because the tenants are going through life cycle replacement.

Okay, I got this stuff, who do you want me to call?  Hey, I know Securis.

Sal Salvetti:  Or it could be just the tenant itself says, hey, Securis is gonna be coming in here to take care of our life cycle replacement. We’ll go in there, we’ll take the server cabinets out, we’ll decommission to a level.  There’s a certain level that we want them to get to a point on the decommissioning.

Sal Salvetti:  And we’ll be, in one of our jobs, we actually rolled the stuff out a half a mile, because you’ve seen some of the size of those data centers. So from the cage in the data center to the truck, half a mile, and we did it about 25 trips that way.

John Gilroy:    Wow, that’s a trouble.  I know one thing about the data center people is that they don’t talk about who their customers are.  It’s like, who’s in here?  Well, we can’t say.  There could be sensitive organizations, not sensitive organizations. When you look at the future of this whole idea of making sure the swoles of your equipment, where do you see it had anything?  More and more people could be coming.  Or do you think there’s gonna be an incident where a dumpster diver grabs something and it compromises some organizations?  Some organizations, let’s say.

Sal Salvetti:  Yeah, so we like to use just to gauge trends right now.  We’re tracking the numbers that are coming in for hard drives and SSDs and see if, what I call it, the lines are crossing. Are we finally seeing the downhill spiral in hard drives and the uphill starting to go up in the quantity of SSDs? It hasn’t happened yet. There’s a lot of hard drives out there.  Another funny, flat screen TVs still going up.

Sal Salvetti:  You know, we’re not talking about the data and stuff like that, but think about other things that we do for the environment. We’re gonna have a flat screen TV and we’ll once again disassemble it and get it to the right location so it doesn’t end up in a landfill.

John Gilroy:    I’m asking a question about data centers. I was at Monks Barbecue two weeks ago. I was with my neighbors, walked down here, we had some lunch and he works for a large organization and he said, you know, John, all those data centers in Ashburn, they may have to get like a nuclear reactor to power them.

John Gilroy:    They don’t have power.  This is a problem that’s not going away.  I mean, artificial intelligence, it’s such a strain on so many data centers and they’re constantly buying new equipment and guess what that means is this existing equipment has to be replaced. So this isn’t a problem that’s going away.

John Gilroy:    It’s kind of like car repair.  That problem isn’t going away.  The whole idea of replenishing equipment and new technology and new servers, it’s just something we can’t get away from.

Sal Salvetti:  That’s exactly right and that’s one of the things that we’ve noticed now is we’re starting to get more servers. Obviously we’re in a great location. Northern Virginia, like you said, I think you said the number really got 358 or something like that of the data centers and yeah, they’re going through their life cycle replacement and by the way, it’s not a normal life cycle replacement anymore.

Sal Salvetti:  As technology advances to AI, that’s going to require more powerful servers.  So the old stuff, all right, now by the way, the old stuff to them, there are still some, we can still get that reused at the clients in other locations who may say, this is still good for me.  I’m going through my life cycle replacement, but I’m not up to AI yet.  So it is a constant revolving door right now of all the equipment that we’re getting, especially what you see in the data centers.

John Gilroy:    Yeah, what equipment brokers say is used is not a four letter word for certain businesses.

Sal Salvetti:  Exactly, and especially going overseas. We have clients that are overseas.

John Gilroy:    So I didn’t realize that. I mean, not just the United States, you go overseas as well.

Sal Salvetti:  So on our equipment, we have some buyers who then will move the equipment, whether it’s wholesale laptops, wholesale desktops, servers, switches, you know, think of anything you think can be reused.  Our country is so advanced compared to a lot of countries out there. They would love our older stuff and they are buying it.

John Gilroy:    It’s astounding to me.  I interviewed someone from the Navy and they were talking about a ship and they said, you know what, it’s kind of like a floating data center. The ships now are like floating data centers.  And so they have to worry about energy and guess what they have to worry about?   Upgrades.

John Gilroy:    And I’m sure there are ships coming in to Norfolk or somewhere where they’re going to have to replace the servers and then what do you do with that information? There’s a shredding application right there, isn’t it?

Sal Salvetti:  Exactly.  So as it is, we stand ready to support everybody and anyone out there who needs any kind of secure data destruction and or at least decommissioning of their equipment. And that’s what I say, if you don’t remember too much from this and me talking, securis.com, we are ready to support.

Sal Salvetti:  And by the way, and what you’re seeing, there’s always something in the news of somebody who has a data breach about something. I mentioned a few earlier, but it always seems to be happening and it doesn’t need to, just call us.

John Gilroy:    This has been a wonderful interview.  You have been listening to the Federal Tech Podcast with John Gilroy.  I’d like to thank my guest, John Salvetti, Executive Vice President at Securis, S-E-C-U-R-I-S.

<VOICE>  Thanks for listening to the Federal Tech Podcast. If you like the Federal Tech Podcast, please support us by giving us a rating and review on Apple Podcast.

NIST 800-88: Secure Data Destruction Standards for Media Sanitization

NIST 800-88 Guidelines for Secure Data Destruction

In today’s data-driven world, where information is both currency and vulnerability, ensuring secure data destruction is paramount. A company will inevitably have computers and data drives that have reached the end of their useful life, but adopting robust standards for data destruction is essential if your company handles sensitive data that you would not want to fall into the wrong hands. Enter NIST 800-88, a set of guidelines for media sanitization based on determining the best methods for data sanitization or destruction after classifying the data into clear, purge, or destroy categories. Established by the National Institute of Standards and Technology (NIST), the NIST 800-88 guidelines provide standards to guide companies in choosing the best method of destruction for each classification.

Understanding NIST 800-88

NIST Special Publication 800-88, formally titled “Guidelines for Media Sanitization,” is a comprehensive resource for organizations and individuals seeking to dispose of data-bearing media securely. Initially published in 2006 and subsequently revised, this document provides guidelines for effectively sanitizing various media types, including hard drives, solid-state drives, optical media, etc. The U.S. federal government requires this standard, and many private businesses and organizations have also adopted it.

The Importance of Secure Data Destruction

Why is secure data destruction so crucial? The answer lies in mitigating the risk of data breaches and unauthorized access. When data is no longer needed, simply deleting files or formatting drives is insufficient. Sophisticated data recovery techniques can retrieve sensitive information, posing significant security threats. Secure data destruction ensures that information is irretrievably erased, safeguarding against data leaks and identity theft.

Critical Principles of NIST 800-88

NIST 800-88 outlines several key principles for secure data destruction:

Media Sanitization Categories 

The guidelines categorize data based on sensitivity, which helps determine the appropriate sanitization method. Highly sensitive information, such as classified or confidential data, requires more stringent sanitization than less sensitive data. The guidelines categorize media sanitization into three levels: Clear, Purge, and Destroy. Each level corresponds to different methods and levels of assurance in data sanitization.

  1. Clear: Clearing involves removing data from storage media through methods that render the data unreadable, although it may still be recoverable through advanced techniques. It’s suitable for media that will be reused within an organization.
  2. Purge: Purging ensures that data is irreversibly removed and cannot be reconstructed or retrieved. This level of sanitization is recommended when media will be released from organizational control or repurposed within the organization.
  3. Destroy: Destruction methods physically render the media unusable and unreadable. This level is appropriate when the media will not be reused or if there is any risk of sensitive data being recovered.

Federal Data Classification and Media Sanitization Best Practices


Commercial Data Classification and Media Sanitization Best Practices

*These are common customer examples based on our experience. Your CISO (Chief Information Security Officer) should approve the data sanitization or destruction method.

What to Look for in an IT Asset Disposal Partner

Adhering to NIST 800-88 standards requires careful planning and execution. Companies must balance three concerns: the risk of harming the environment with e-waste, compliance with data security standards such as NIST 800-88, and the cost of disposing of end-of-life equipment. Look for companies that can assure you that you are compliant with NIST 800-88 standards by:

  • Working with You to Develop a Sanitization Policy: Your data destruction provider should establish clear policies and procedures for data destruction based on NIST guidelines.
  • Selecting Appropriate Methods: Based on the sensitivity of the data, type of media, and intended reuse or disposal, choose a provider who will work with you to determine if your electronics need to be wiped, degaussed, shredded or disintegrated, or some combination of those data destruction methods.   A Certified Secure Data Destruction Specialist (CSDS) at Securis can help you balance security, disposal costs, and environmental concerns.
  • Employ Certified Tools and Services: Your IT Asset Disposition Provider should be able to purge data to NIST 800-88 standards and shred confidential or classified media down to NSA-approved standards of 2mm. Securis can offer these services on-site at your offices or off-site at our secure facilities. 
  • Verification and Documentation:  Regardless of the sanitization methodology, it’s crucial to verify the effectiveness of the process and maintain proper documentation to demonstrate compliance with security policies and regulations. Ensure you are provided with detailed inventory lists that can be easily accessed. These lists should be detailed, accurate, and provided promptly after completing your asset destruction project. At the end of the asset destruction process, you should be provided with an official certificate of destruction that you can use in any future audit.

NIST 800-88 Secure Data Destruction with Securis

In an age where data privacy and security are paramount, adhering to established standards for data destruction is non-negotiable. NIST 800-88 is the most widely adopted standard and provides a comprehensive framework for effectively sanitizing any and all data-bearing media, helping organizations and individuals mitigate the risk of data breaches and protect sensitive information.

By understanding the principles outlined in NIST 800-88 and working with a data destruction provider, like Securis, who can implement robust data destruction and media sanitization practices, you can ensure that data is securely managed throughout its lifecycle, safeguarding privacy and trust for your company.  

Other Data Sanitization and Destruction Standards include IEEE 2883-2022, NSA/CSS Policy Manual 9-12, and DoD 5220.22-M.  For most government contractors, military branches, and data protection experts, the 2006 DoD 5220.22-M standard has been replaced with the NIST 800-88 (1 Pass) standard.  The 2022 IEEE standard focuses on technology created after the latest revision to NIST 800-88 (2014) and clarifies much of the confusion that often exists in data erasure guidance.

HITECH Compliance: Secure Medical Equipment Recycling & Data Destruction

In this article, learn:

  • What is the HITECH Act?
  • How do medical equipment recycling and data destruction support HITECH compliance?
  • How does Securis assist with the proper disposal of electronic medical equipment?

In the digital age, where data reigns supreme and information proliferates across numerous platforms and devices, safeguarding sensitive medical data is paramount. The Health Information Technology for Economic and Clinical Health Act (HITECH) is a crucial piece of legislation in the United States that aims to enhance the protection of electronic health information. Among its provisions lies a critical aspect often overlooked: the secure and proper disposal of electronic medical equipment, including secure data destruction.

Mishandling sensitive patient information can lead to severe repercussions, including privacy breaches and financial penalties. Securely destroying medical records involves the systematic and irreversible deletion of data from electronic devices, such as computer hard drives or data storage devices in medical equipment, to prevent unauthorized access or retrieval. This process is essential for protecting patient confidentiality and HITECH compliance. 

What Is the HITECH Act?

Enacted in 2009, the HITECH Act was introduced as part of the American Recovery and Reinvestment Act (ARRA). Its primary objective was to promote the adoption and meaningful use of health information technology, thereby improving healthcare quality, safety, and efficiency.

Among its various provisions, the HITECH Act strengthened the privacy and security protections outlined in the Health Insurance Portability and Accountability Act (HIPAA). It extended the scope of HIPAA by encompassing business associates of covered entities, mandating stricter enforcement, and imposing substantial penalties for non-compliance.

Key Provisions of the HITECH Act Include:

  • Expansion of HIPAA Regulations:

The HITECH Act extends the scope of HIPAA by imposing stricter requirements on covered entities and their business associates regarding the security and privacy of electronic health information.

  • Breach Notification Requirements:

Covered entities must notify individuals and relevant authorities in case of a breach involving their protected health information (PHI), promoting transparency and accountability.

  • Enforcement and Penalties:

The HITECH Act introduced enhanced enforcement mechanisms and increased penalties for HIPAA violations, including fines for non-compliance with data security standards.

HITECH Compliance and Secure Data Destruction

Among the HITECH Act’s requirements lies a critical aspect often overlooked: the secure destruction of data on medical equipment and any computers or electronic devices used in a medical setting.

Mishandling sensitive patient health information can lead to severe repercussions, including privacy breaches and financial penalties. 

Secure data destruction involves the systematic and irreversible deletion of data from electronic devices, such as computer hard drives or data storage devices in medical equipment, to prevent unauthorized access or retrieval. This process is essential for protecting patient confidentiality and maintaining HITECH compliance. 

Here’s how the HITECH Act is relevant to secure medical equipment recycling and data destruction:

  • Protection of Patient Privacy:

The HITECH Act emphasizes the importance of protecting the privacy and confidentiality of patient health information. Securely destroying data ensures that sensitive information stored on computers and medical equipment is inaccessible to unauthorized individuals.

  • Compliance With Regulatory Requirements:

Healthcare organizations must comply with the security and privacy standards outlined in the HITECH Act to avoid penalties and maintain regulatory compliance. Secure data destruction is crucial to these requirements, demonstrating adherence to best practices in safeguarding electronic health information.

  • Risk Management and Data Breach Prevention:

Healthcare providers can mitigate the risk of data breaches and unauthorized access to patient information by implementing proper data destruction protocols. This proactive approach aligns with the HITECH Act’s objectives of enhancing data security and protecting individuals’ rights to privacy.

  • Lifecycle Management of Medical Equipment:

Medical devices and equipment often contain sensitive patient data, such as electronic health records (EHRs) or diagnostic images. When decommissioning or disposing of such equipment, healthcare facilities must ensure that all data stored on these devices is securely erased to prevent potential data breaches.

Securis Ensures HIPAA & HITECH Act Compliance With Reliable Medical Equipment Recycling Services

As healthcare organizations continue to embrace innovative digital technologies to enhance patient care and administrative efficiency, protecting electronic health information will remain a top priority.

The HITECH Act serves as a cornerstone in safeguarding patients’ medical records and privacy, with provisions that extend to secure data destruction on computers and hard drives. This includes the encryption and transmission of data and its disposal at the end of its lifecycle.

Secure medical equipment recycling and data destruction are essential to mitigate the risk of data breaches and safeguard patient privacy. When these electronic devices reach the end of their usefulness or are decommissioned, it is imperative to ensure that any stored electronic information is irreversibly erased to mitigate the risk of unauthorized access or data breaches.

By working with a fully compliant and experienced company like Securis, healthcare entities can uphold their obligations under the HITECH Act while fostering trust among patients and stakeholders in the digital healthcare landscape. Our transparent and trusted process from project analysis to project completion guarantees the proper disposal of electronic medical equipment and the secure destruction of its data.

We invite you to learn more about the data destruction process at Securis and how we can fulfill your medical asset disposal project.

How to Send ESG Ratings Up and Data Security Risk Down

Environmental, Social, and Governance (ESG) ratings are increasingly scrutinized in today’s corporate landscape, leaving many companies searching for ways to improve their eco-friendly practices.  ITAD (IT Asset Disposition) is one area where a company can make decisions that significantly impact its ESG score. However, companies need to consider data security in addition to ESG-boosting practices when disposing of end-of-life electronics. 

Every year, companies dispose of countless tons of electronic waste (also known as e-waste), often with little consideration for environmental consequences. In fact, according to the World Economic Forum, “The United States generates about 46 pounds of e-waste per capita annually, according to the United Nations 2020 e-waste monitoring report. Globally, 53.6 million metric tons of e-waste are produced every year worldwide, the analysis estimates. Maybe unsurprisingly, but still alarmingly, only about 17% of this waste is properly collected, documented, and recycled across the globe each year. Much of the remaining 83% of e-waste sits idle in homes and businesses or is disposed of improperly, according to the analysis.”*1

E-waste often contains hazardous substances like cadmium, lead, arsenic, and polyvinyl chlorides (PVC), which can lead to soil, water, and air contamination with far-reaching ecological consequences. 

The Importance of R2v3 Certification 

The best way to increase your ESG score when you are ready to dispose of end-of-life equipment is to make sure that you are working with an R2v3-certified company that understands the circular economy of technology. This type of company can make sure that every component of an electronic device is reused or recycled to maximize the value of the waste or to make sure that it is disposed of in a way that causes minimal harm to the environment.

Support a Circular Economy 


Working with a company committed to re-using all possible components of your retired electronics allows companies to develop a more sustainable and efficient economic model regarding the lifecycle of their electronic devices, resulting in improved ESG ratings. 

Once decommissioned, Securis processes each component using a procedure that determines if a component has any residual value. If so, that value is shared with our clients in our Value Recovery Program; if not, each component is recycled in the most environmentally friendly way possible. We even require our downstream vendors to sign an Agreement for the Responsible Disposal of Sensitive Materials. 

Prioritize Data Security While Improving ESG Ratings

While increasing ESG ratings is an admirable goal for any company, prioritizing data security is paramount when disposing of electronic equipment. This is because devices such as servers, laptops, and hard drives often contain sensitive information. 

Partnering with a certified IT asset disposition (ITAD) specialist like Securis can ensure that data is securely destroyed to NSA standards before equipment is decommissioned.

In addition to knowing that you are working with a responsible partner in decommissioning and recycling your assets, you need proof that shows exactly what your company decommissioned and recycled. 

Working with a company that provides detailed inventory lists and a certified Certificate of Destruction can provide physical proof that your company is a responsible steward of the environment, making the right choices to protect the planet. 

The inventory lists do not yet have ESG ratings, but they will detail all re-used or responsibly recycled assets. By keeping those end-of-life electronics out of landfills, you contribute to a circular economy of technology and increase that all-important ESG score.

Securis Makes the Following Environmental Commitments:

  • Securis will not export electronics to developing countries and continents like China, India, and Africa to comply with the Basel Action Network (BAN). 
  • Securis will commit to doing all it can to recycle 100% of everything it receives. 
  • Securis will continually look for ways to improve e-waste recycling efficiency. 
  • Securis will exceed U.S. federal recycling mandates to comply with the widely adopted international standard. 
  • All downstream processors receiving shredded material from Securis must complete an Agreement for Responsible Disposal of Sensitive Materials. 
  • Currently, all magnetic media is incinerated using the cleanest methods available. Smelting documentation can be provided upon request. 
  • All metal-based material is sent to a domestic-based refinery for refinement based on its content.

Build a Sustainable Future & Boost Your ESG Score

By embracing compliant, certified, and responsible IT Asset decommissioning and recycling vendors like Securis and adopting responsible e-waste management practices, companies can assure their data security and improve their ESG ratings while contributing to a sustainable future for generations. 

Contact Securis today for more information.

1) https://www.weforum.org/agenda/2023/03/the-enormous-opportunity-of-e-waste-recycling/#:~:text= Globally%2C%2053.6%20million%20metric%20tons,across%20the%20globe%20each%20year