Avoid a Million-Dollar Mistake: How to Get IT Asset Disposal Right in Healthcare

Patient EPHI must be protectedWhy Proper IT Asset Disposal Matters in Healthcare

In 2023, the Kaiser Foundation Health Plan and Hospitals paid $49 million in penalties after protected health information (PHI) was found in unsecured trash bins. This major HIPAA violation reminds us that even trusted healthcare brands can mishandle IT asset disposal (ITAD)—with devastating results.

Whether you’re a hospital system, medical practice, or healthcare IT administrator, the message is clear:

 

Improper IT asset disposition poses compliance risks, financial risks, and reputational threats.

The stakes couldn’t be higher when it comes to retiring outdated tech. Patient data security, regulatory compliance, and environmental responsibility are non-negotiable. Missteps in healthcare are costly—legally, financially, and reputationally.

A well-structured IT Asset Disposition (ITAD) strategy is your best defense. Here’s how to get it right—and why your current process may put your organization at serious risk.

What Happens If Healthcare Organizations Mishandle IT Asset Disposal?

Disposing of outdated IT assets isn’t as simple as tossing them in a bin or selling them on eBay. Improper IT asset disposal in healthcare directly threatens your patients, your compliance standing, and your bottom line. The consequences of improper ITAD in healthcare include:

HIPPA rules demand secure IT Asset disposalHIPAA and HITECH Violations:

  • Every device storing electronic Protected Health Information (e-PHI) must be securely sanitized or destroyed. Otherwise, your organization could face severe penalties, lawsuits, reputation damage, and even the loss of its license.

Data Breaches

  • Old hard drives, medical equipment with embedded memory, and unsecured devices can contain e-PHI, which can then be exploited.
  • One breach can cost millions in legal fees and breach notification expenses.

Environmental Penalties

  • IT assets often contain hazardous materials, including mercury, lead, or cadmium.
  • Improper disposal can trigger EPA and state fines for violating e-waste laws, as well as create a PR backlash.

How to Stay HIPAA-Compliant and Secure When Disposing of IT Assets

1. Follow HIPAA and HITECH

To be fully compliant with regulations such as HIPAA and HITECH, your ITAD process must include methods aligned with NIST 800-88 standards, including:

2. Work With a Certified ITAD Vendor

Choose a provider that is:

  • NAID AAA Certified (for data destruction security)
  • R2v3 Certified (for responsible electronics recycling)
  • Experienced with healthcare- industry-specific compliance standards

Working with an experienced vendor also prevents critical oversights—like the discovery that 13 infusion pumps were resold with wireless authentication data intact. Secuirs would not have allowed that to happen. 

3. Secure the Chain of Custody

You can’t protect what you can’t track. Look for:

4. Train Your Team

Even the best ITAD plan can fail if employees mishandle devices. Offer regular training on:

  • Identifying ePHI risks.
  • Secure handling and disposal procedures.
  • Incident reporting for missing or misplaced assets.

5. Audit Your ITAD Program Regularly

Compliance isn’t a set-it-and-forget-it task. Regular internal audits ensure your ITAD workflows meet HIPAA, HITECH, and NIST 800-88 expectations and adapt to evolving threats.

  • Conduct internal audits of your ITAD processes
  • Confirm compliance with HIPAA, HITECH, and NIST standards
  • Patch workflow gaps fast

Ready to make sure your IT Asset Disposal meets all healthcare regulations? Contact Securis Now

sustainability in IT Asset DisposalSustainable ITAD: Good for Compliance, Great for the Planet

Working with a certified ITAD partner who is R2v3 certified also supports sustainability goals:

  • E-Waste Reduction – R2v3 certified ITAD vendors ensure that old medical and IT equipment is responsibly disposed of, keeping it out of landfills.
  • Reuse & Repurposing – Secure data sanitization allows IT equipment to be refurbished and resold, reducing the demand for new resources.
  • Financial Recovery – Decommissioned IT assets can be resold, helping your organization recover value and reinvest in newer, more energy-efficient technology.
  • Certified Green Practices – ITAD providers with R2v3 certification follow strict environmental standards to ensure ethical e-waste management.
  • Corporate Donation for unneeded Assets – Allows your company to make transformational changes in the lives of others.

Why Healthcare Leaders Trust Securis with IT Asset Disposition

There’s no room for shortcuts when retiring IT equipment in a healthcare setting. At Securis, we understand that protecting patient data, maintaining regulatory compliance, and safeguarding your organization’s reputation are mission-critical.

That’s why leading hospitals, health systems, and medical practices turn to Securis for healthcare-specific ITAD services that are:

  • 🔐 Secure – We follow NIST 800-88 data destruction protocols and offer HIPAA-compliant shredding, degaussing, and 2mm SSD disintegration, with locked-chain-of-custody protocols and Certificates of Destruction for every job.
  • 🎯Accurate – Audit-ready documentation available 24/7 on our client portal, including Certificates of Destruction to prove compliance every time plus Triple Checks at every step to ensure nothing gets missed.
  • ♻️ Sustainable – From responsible recycling and e-waste diversion to certified refurbishing and value recovery, our green ITAD solutions help you meet your ESG goals while doing right by the planet.
  • 📜 Compliant – Securis is NAID AAA and R2v3 Certified, ensuring your IT asset disposal meets the highest data security and environmental responsibility standards—every time, with no exceptions.

We don’t just check the boxes, we help you avoid the headlines.

Whether decommissioning dated IT assets or upgrading clinical devices, Securis gives you confidence that every asset is handled with the care, compliance, and accountability that healthcare demands.

📞 Schedule Your Free Healthcare ITAD Risk Assessment

Avoid fines, breaches, and compliance failures. Partner with Securis to develop a secure, accurate, and sustainable IT asset disposal strategy that meets HIPAA, HITECH, and NIST 800-88 standards.

👉 Contact Securis today to start your healthcare ITAD risk-free consultation.

___________________________________________________________________________

💬 Common Questions About Healthcare ITAD

What is HIPAA-compliant IT asset disposal?

HIPAA-compliant ITAD includes secure destruction methods (like shredding, degaussing, or disintegration) that prevent unauthorized access to ePHI and are documented via Certificates of Destruction.

What regulations apply to IT asset disposal in healthcare?

  • HIPAA: Requires secure disposal of devices storing ePHI
  • HITECH: Enhances enforcement and breach notification rules
  • EPA and state laws: Govern the disposal of e-waste and hazardous materials

Why do healthcare organizations choose Securis for ITAD?

Securis provides:

  • NIST 800-88-compliant data destruction
  • HIPAA and HITECH expertise
  • R2v3-certified recycling
  • Secure, verifiable chain of custody

For more HIPPA Frequently Asked Questions click here!

Why Choose Securis? IT Asset Disposition That IT Pros Count On

IT Asset Disposition Data Breach? Not on our watch.

Managing end-of-life IT assets without opening the door to security breaches, compliance violations, or logistical chaos? That’s your job. Making sure that never happens? That’s ours. With 25+ years of experience supporting IT professionals in highly regulated industries, Securis delivers audit-ready, end-to-end IT Asset Disposition (ITAD) that’s secure, accurate, and environmentally responsible—by design.

🔐 Security-First ITAD for Zero-Tolerance Environments

Improperly handled IT assets are a silent liability. One overlooked hard drive, one unsecured disposal, and you’re facing a compliance crisis.

Securis provides federal, state, and industry compliance for security-conscious organizations:

  • Compliant with NIST 800-88 and NISPOM 32 media sanitization guidelines
  • Fully NAID AAA and R2v3 certified to support mandates like HIPAA, GLBA, HITECH, SOX, FFIEC, and more
  • Trusted by federal and defense agencies as a GSA and DLA-certified vendor

We provide:

✅ On-site data destruction services: degaussing, HDD shredding, and 2mm disintegration for SSDs, mobile phones, thumb drives, and SD cards
✅ Fully secured mobile data destruction services
✅ Uniformed, background-checked staff trained in chain-of-custody protocol
✅ Detailed and accurate asset tracking from pickup through certified destruction

🧾 Inventory Accuracy That’s Audit-Ready—Every Time

Spreadsheets and guesswork don’t cut it when auditors come calling. That’s why Securis built a more intelligent system.

No gaps. No scrambling for proof. Just clean, compliant records—always ready.

🌍 Responsible Decommissioning with ROI in Mind

You’re not just disposing of IT gear but also accountable for sustainability, compliance, and savvy budgeting.

With Securis, you get:

🔧 Tailored to Your Workflow, Not the Other Way Around

Whether you’re decommissioning a central data center or sunsetting devices across dozens of remote sites, Securis scales with you.

  • Custom pickup scheduling
  •  On-site or off-site destruction options
  • Serialized, trackable reporting

Let’s Make ITAD the Easiest Part of Your Job

IT asset managers are under more pressure than ever. One mistake can cost your organization its data, dollars, and reputation.

Let Securis be the partner you can rely on. We take the risk off your plate and replace it with a trustworthy system.

📞 Call 866-609-2731 or visit securis.com to schedule your consultation today.

It’s Not Over ‘Til It’s Secure: The IT Asset Disposal Risk You Can’t Ignore

Upgrading your tech is exciting. The disposal of IT assets? Not so much. Most companies focus on identifying and procuring the latest and greatest in tech but often fail to realize that outdated computers, laptops, servers, mobile devices, and printers can become significant liabilities if not properly handled. From data breaches to regulatory fines, improper electronic waste disposal risks are bigger than you think—and they’re growing.

💣 Retired Devices Still Contain Dangerous and Sometimes Hidden Data

Just because a device is now offline doesn’t mean it’s no longer a data breach risk. Hard drives, SSDs, and storage media still house sensitive data, even after files are “deleted” or a device is restored with a factory reset.   Hackers know this. So do dark web resellers. And they’re betting your disposal process isn’t airtight. 29% of data breaches are tied to misconfigured or improperly decommissioned assets and sometimes even missed data storage devices.

Simply reformatting a drive isn’t enough. Without professional hard drive destruction services or data sanitization, residual information can be recovered and weaponized, even on factory reset devices. Selling your retired computers and devices on eBay may be a tempting way to deal with your IT assets that are no longer in use, but the dangers are very real, and your devices are not safe with just a factory reset

🧠 Fact: According to a Blancco Technology Group and Kroll Ontrack study, 57 percent of used mobile devices and 75 percent of used drives purchased from Amazon, eBay, and Gazelle contain residual data.

Hidden data may be lurking in your end of life IT Assets

 

Your Intellectual Property Could Be at Risk

intellecual property risks

Those “old” devices might still contain:

  • Trade secrets
  • Source code
  • Product plans
  • Internal emails and contracts

One improperly disposed hard drive can lead to corporate espionage, lawsuits, or a loss of competitive advantage, making hard drive shredding and secure destruction critical, not optional.

🧠 Fact: 47% of U.S. businesses have experienced data breaches, and improperly disposed devices are often the root cause.

ITAD Compliance

⚖️ Compliance Doesn’t End at Retirement

Regulations like HIPAA, The Gramm-Leach-Bliley Act, SOX, and HITECH require secure disposal of data and IT assets. A proper IT asset disposition (ITAD) program isn’t just best practice; it’s legally essential.

Fail to comply? You’re looking at:

Compliance doesn’t end when a device leaves the desk—it ends when a certificate of destruction verifies that it has been destroyed or sanitized to NIST 800-88 compliance standards.  

sustainable electronic waste

♻️ Electronic Waste is a Legal and Environmental Minefield

E-waste recycling isn’t just about being green (though that is important to many companies) it’s also about avoiding liability. Your end-of-life electronics likely contain hazardous materials like mercury, lead, and cadmium. Improper e-waste disposal can:

  • Pollute the environment
  • Harm public health
  • Violate local, state, and federal laws
  • Attract negative press

Certified R2v3 electronics recycling helps protect both your brand and the planet. When you partner with an R2v3 certified vendor, you can ensure that you are doing right by the planet and don’t leave your company open to legal issues

IT value recovery

💸 There’s Value in That “Junk”

In addition to the sustainability risks of improper IT Asset disposal, many retired devices can still be refurbished safely and then resold. When businesses skip proper IT asset recovery, they miss out on:

  • Recovering residual value
  • Reducing e-waste
  • Supporting sustainability goals

You’re losing money and momentum if your disposal strategy doesn’t include certified electronics recycling. Read how Securis has been able to transform lives through electronics recycling. 

📉 A Breach Can Destroy More Than Just Data

The consequences of poor IT asset disposal can include:

  • PR disasters
  • Loss of customers
  • Decreased investor confidence
  • Operational downtime

News spreads fast. A breach linked to poor e-waste disposal can undo years of brand-building overnight. When data breaches or e-waste disposal violations hit the headlines, the damage is swift and lasting. Customers leave. Partners question your security posture. Trust evaporates.

So What’s the Solution?

A strong IT asset disposition strategy starts with treating the disposal of IT assets as a security function—not a side task. Here’s how to get there:

✅ Build a Secure, Compliant ITAD Process:

  • Sanitize Devices Properly: Use professional-grade wiping, degaussing, or physical destruction based on data sensitivity.
  • Use Certified Vendors: Look for R2v3 or e-Stewards certifications.
  • Document Everything: Make sure your vendor creates a transparent chain of custody and disposal records.
  • Track Every Asset: Know what you’re retiring, where it is, and where it’s going.
  • Train Your Team: Everyone handling devices should understand the risks and protocols.
  • Audit Regularly: Check that policies are being followed—and updated with current laws.
  • Explore Value Recovery: Partner with vendors who offer secure remarketing of eligible devices.
  • Prioritize Secure Logistics: Ensure devices are protected in transit from start to finish.

 

🔐 Partner with Experienced ITAD Experts Who Do It Right

At Securis, we offer 25 years of experience in secure, accurate, and sustainable solutions for:

At Securis, we help organizations like yours protect data, stay compliant, and meet sustainability goals—without the stress of handling it alone.

Whether you’re in healthcare, finance, academia, government, a government consultant, or any regulated industry, we’ve seen what can go wrong and know how to prevent it. 

Our mission: Help you eliminate risk, ensure compliance, and support ESG goals without losing sleep over what’s inside that old server. Learn more about what to look for in an e-waste recycling partner.  

Don’t let yesterday’s tech become tomorrow’s headline.
Let’s make your IT asset disposal secure, accurate, and sustainable.

📞 Ready to talk? Visit securis.com to learn more.

Top Data Center Decommissioning Companies

Top Data Center Decommissioning Companies: Secure, Accurate, Sustainable and Compliant Decommissioning Services

As enterprises modernize their IT infrastructure, migrate to the cloud, or need to relocate, the demand for expert data center decommissioning continues to rise. Decommissioning a data center isn’t just about powering down servers. Decommissioning data center equipment involves secure data destruction, hardware removal, cable and rack de-installation, and environmentally responsible e-waste recycling. In some cases, an HVAC technician or electrician may also be required.

To protect sensitive data, ensure compliance with industry regulations, and support sustainability goals, organizations turn to top-tier data center decommissioning providers offering end-to-end IT asset disposition (ITAD), data center infrastructure, and data center decommissioning services.

The companies highlighted below specialize in secure data center shutdowns, including services such as on-site hard drive shredding, chain-of-custody tracking, IT Asset Auditing, data center asset recovery, and certified electronics recycling. With proven track records, industry certifications, and scalable solutions, these providers help ensure your data center decommissioning process is secure, compliant, and cost-effective.

Data Decommissioning Services Companies Featured:

Securis

1. Securis

Headquarters: Chantilly, Virginia, USA
Company Type: Private
Size: About 100 employees
Locations: Nationwide service with several U.S. recycling facilities.
Overview: With over 20 years of experience, Securis specializes in secure, accurate, and sustainable IT asset disposition (ITAD) and e-waste recycling. Securis offers comprehensive data center decommissioning services, including on-site and off-site data destruction, equipment removal, and R2v3-certified recycling. Certifications such as ISO 14001, ISO 9001, ISO 45001, and NAID AAA certification for mobile and plant-based operations ensure that partnering with Securis will allow you to meet strict Federal, State, and industry-specific compliance and environmental responsibility standards. Securis is also certified by the Defense Logistics Information Service to store and transport military data and holds a GSA contract. Securis uses cutting-edge AI technology to vastly exceed the average inventory accuracy by 14% with a stunning 99% accuracy rate. Securis provides detailed reporting, which is available on the client portal 24×7.
Strengths: Securis has great reviews and past performance in highly regulated industries such as the federal government, financial services, and healthcare.
Considerations: Securis partners with several companies for smart hands, HVAC, cabling, and electrical services.

b612

2. B-612

Headquarters: New York, New York, USA
Company Type: Private
Size: 50+
Locations: Their team provides remote support and will travel to data centers worldwide.
Overview: Specialising in managing network infrastructure in Data Centres on behalf of a wide range of colocation users, B-612 offers a comprehensive suite of tailored Remote Hands & Eyes solutions to help customers drive service availability up, and network management costs down.
Strengths: They can offer support services to maintain networking equipment and servers, including remote hands and data center decommissioning.
Considerations: They partner with a NAID AAA-certified company for data destruction and an R2-certified company for electronics recycling.

JCBE3. JCBE Business Solutions

Headquarters: Gaithersburg, Maryland
Company Type: Private
Size: Small boutique company
Locations: Single headquarters with a focus on regional services
Overview: JCBE Inc. is a Minority Woman-Owned Small Business headquartered in Gaithersburg, Maryland, specializing in comprehensive IT asset management and e-waste recycling services. Established in 2009, JCBE offers various services, including IT asset management, value recovery services, maintenance, and PC recycling. Their PC Recycling Services provide fast, efficient, and environmentally safe disposal processes for non-functional or outdated equipment. JCBE is certified as an SBA 8(a) WOSB, MDOT MBE, DBE, and SBE business.
Strengths: JCBE Inc. has past performance with federal, state, and local governments.
Considerations: JCBE partners with an R2-certified recycling facility.

CompuDynamics4. Compu Dynamics

Headquarters: Sterling, Virginia, USA
Company Type: Private
Size: 100+ employees
Locations: Nationwide service
Overview: For over 30 years, Compu Dynamics has provided data center infrastructure solutions, including equipment decommissioning, installation, and maintenance. Their expertise lies in the physical aspects of data center operations, making them a one-stop shop for infrastructure changes. Compu Dynamics emphasizes hands-on support, ensuring smooth transitions and minimizing downtime during decommissioning projects.
Strengths: Ideal for customers with electrical or HVAC needs as part of the decommissioning project.
Considerations: While not as focused as some, their broad data center infrastructure capabilities could be an asset to some customers.

Syntetic5. Synetic Technologies

Headquarters: Kansas City, Missouri, USA
Company Type: Private
Size: About 75 employees
Locations: Central U.S.
Overview: Synetic Technologies, with over 15 years of experience, focuses on data security and environmentally responsible ITAD solutions. Their services include on-site data destruction, logistics management, equipment removal, and asset remarketing. Holding R2, NAID, ISO 1400, ISO 9001, and ISO 45001 certifications, Synetic emphasizes workplace safety and eco-friendly practices. The company also offers detailed chain-of-custody tracking, ensuring clients maintain complete control and visibility during decommissioning.
Strengths: They have past performance servicing the needs of K-12 and Telecommunications companies.
Considerations: They partner to extend their reach outside their primary geographic area.

Park Place6. Park Place Technologies

Headquarters: Cleveland, Ohio
Company Type: Private
Size: 180 employees
Locations: Worldwide storage locations for supporting 3rd-party server/storage support contracts
Overview: As a global leader in data center and networking optimization, they work with over 21,000 companies worldwide, boosting infrastructure performance and Uptime, maximizing IT staff, and stretching budgets.
Strengths: They take a different approach than electronics recycling companies in that they provide third-party support contracts, data center decommissioning, and smart hands services.
Considerations: They may outsource some services, such as drive shredding

ERI7. ERI Direct

Headquarters: Fresno, California, USA
Company Type: Private
Size: Approximately 1,000 employees
Locations: Eight facilities
Overview: Founded in 2002, ERI Direct is one of the largest fully integrated ITAD and electronic waste recycling companies in North America. The company processes millions of pounds of electronics annually, offering services like secure data destruction, large-scale recycling, and IT asset remarketing. ERI ensures security and environmental compliance with R2, e-Stewards, and ISO 9001, ISO 45001, and ISO 14001 certifications. Their vertically integrated model allows them to handle projects of any size while maintaining efficiency and transparency.
Strengths: ERI’s nationwide presence and high-capacity facilities make it a good choice for nationwide enterprises that need to manage large volumes of equipment.
Considerations: Some users report delays in service during peak project periods.

EXIT8. exIT Technologies

Headquarters: Naples, Florida, USA
Company Type: Private
Size: Small boutique services firm
Locations: Nationwide services through partnerships
Overview: Established in 1989, Exit Technologies has decades of experience in IT asset recovery and data center decommissioning. Its services include hardware removal, secure data destruction, and equipment resale. The company is R2 and ISO 14001 certified and focuses on helping clients recover maximum value from retired IT assets. Exit Technologies prides itself on fast turnaround times and a consultative approach, ensuring projects align with clients’ timelines and goals.
Strengths: Exit Technologies may be a good choice for businesses that must decommission large-scale data centers quickly.
Considerations: Their reliance on partner networks for some services could be a drawback for clients preferring a full-service partner.

Compucycle9. CompuCycle

Headquarters: Houston, Texas, USA
Company Type: Private
Size: 50+
Locations: Headquarters in Houston with national service reach
Overview: CompuCycle has over 25 years of experience in ITAD, specializing in data destruction, electronics recycling, and equipment remarketing. They are R2 certified and focus on sustainable practices, offering innovative solutions like automated shredding processes. CompuCycle’s services include customized logistics, providing flexibility for businesses of all sizes. Their commitment to transparency and detailed reporting helps clients comply with regulatory standards.
Strengths: CompuCycle’s adaptability and customer service could be an asset.
Considerations: Some reviews indicate a lack of scalability for large or complex decommissioning projects.

 

 

Wesco10. Wesco

Headquarters: Pittsburgh, Pennsylvania, USA
Company Type: Public (NYSE: WCC)
Size: Global Fortune 500 company with over 20,000 employees
Locations: Extensive global network
Overview: Wesco is a Fortune 500 company with over 100 years of experience in electrical and IT solutions. Their data center decommissioning services include equipment removal, secure data sanitization, and asset recovery. With a global presence and vast resources, Wesco can manage large-scale, complex projects. Their integrated approach to IT and electrical systems ensures clients receive comprehensive solutions.
Strengths: In addition to data center decommissioning services, they offer security, electrical, networking, lighting, and power distribution solutions.
Considerations: Their broad focus on multiple solutions may not provide the specialization some organizations require.

Choosing the Right Data Center Decommissioning Partner

Selecting the right partner for your data center decommissioning project depends on your organization’s specific needs, whether maximizing data security, ensuring full regulatory compliance, supporting sustainability goals, or all of the above. The companies featured here bring a range of strengths, offering tailored solutions for data centers of all sizes and complexities.

For organizations that demand secure, accurate, and sustainable IT asset disposition (ITAD)—from on-site data destruction to e-waste recycling and chain-of-custody documentation—Securis delivers unmatched peace of mind. With deep expertise in data center decommissioning, Securis ensures your retired infrastructure is handled with precision, care, and compliance with your business demands.

🔒 Secure ✅ Accurate ♻️ Sustainable

Contact Securis today to plan a worry-free data center decommissioning strategy that protects your data, brand, and bottom line.

Hidden Data Risks: The ITAD Oversights That Put Your Business at Risk

Are You Really Destroying All Data? Most Companies Aren’t.

Every company handling end-of-life IT equipment has a top requirement—secure equipment disposal. Yet, even the most diligent organizations routinely miss hidden data-bearing devices, exposing themselves to serious security risks. Hard drives, SSDs, and even embedded storage in modern electronics are often missed, leaving sensitive information vulnerable to breaches. Gartner research indicates that a considerable percentage of IT assets, around 30%, can be lost or unaccounted for. This “loss” can manifest in various ways, including physical loss, misplacement, or “ghosting” (assets that are active but not tracked).

data storage can hide in copy machines

 

The Hidden Data Risks Lurking in Your IT Assets

Even security-conscious organizations fail to account for all data storage devices. Here are real-world examples of how missed hard drives and other storage media can lead to serious vulnerabilities:

  • Governmental Vulnerabilities: Securis found Top Secret diagrams for a key U.S. Government building mixed in with discarded items during a routine electronics recycling pickup. Without thorough IT asset disposition (ITAD) procedures, this could have led to a catastrophic security breach.
  • Financial Industry Oversights: A financial services company, confident in its IT asset management, had already shredded its own drives. Yet, Securis’ triple-check process found an unaccounted-for storage drive hidden in a copier—a device often overlooked as a data risk as well as three additional items that were not in the companies inventory list. These overlooked assets could have led to a major compliance failure.
  • Server Room Blunders: Another financial services client assured Securis that all hard drives had been removed from eight decommissioned server cabinets. Upon our close inspection, 86 drives (72 SSDs and 14 HDDs) were discovered—a staggering 15% of the total drives assumed to have been removed. 
  • Telecom Mishaps: A major telecom company decommissioned 300 servers, claiming all storage had been stripped. Securis uncovered 30 overlooked hard drives—each containing potentially sensitive data.

Hidden data may be lurking in your end of life IT Assets

 

Government Reports Confirm Data Disposal Failures

data is inside of medical devices also

Medical Devices: The Overlooked Data Risk

It’s not just traditional IT equipment—embedded storage in medical devices and equipment is often overlooked. A recent study found that 13 infusion pump devices still contained wireless authentication data when resold on secondary markets. 

Accordingly, the Federal Register recently proposed a new rule to strengthen the cybersecurity of electronic protected health information. This proposed rule strengthens overall cybersecurity measures and supports the ongoing requirement for robust data destruction practices to protect ePHI.

 

How Securis Prevents Costly Mistakes

Securis’ Secure, Accurate, and Sustainable IT asset disposition approach ensures no storage device is left behind:

  • Securis performs a triple check as part of their ITAD service Triple-Check Guarantee: Multi-step verification ensures hidden drives don’t slip through the cracks.
  • Separation of Duties: Independent verification eliminates single points of failure.
  • NAID-Certified Hard Drive Shredding & Data Wiping: Securis ensures 100% data destruction with documented proof, whether on-site or off-site.

 

Choosing the Right ITAD Partner: What to Look For

Who you choose as your IT asset disposal partner matters. Securis helps companies avoid costly data breaches by ensuring every data-bearing device is identified and destroyed. Some best practices you can use to choose a vendor include:

  • Certifications:  Does the vendor have NAID AAA Certification for on and off-site destruction?
  • Nationwide Coverage:   Can they collect and process IT assets from multiple locations?
  • Experience:  Nothing can replace experience.  Experienced vendors know where to look for hidden storage devices.
  • certificate of destructionCapabilities:  Can the vendor perform shredding to required destruction standards for various assets and storage media types? Do they provide a strong chain of custody and certificates of destruction?

 

Secure Your IT Assets Today

Don’t risk a data breach by overlooking hidden storage devices. Securis ensures 100% secure IT asset disposal with industry-leading ITAD services.

🔹 Contact Securis today for a customized IT asset recycling and secure data destruction plan.

What is a Certificate of Data Destruction?

What Is a Certificate of Data Destruction—and Why It Matters to Your Organization

A Certificate of Destruction is critical for your Compliance Documentation:

If your organization handles sensitive data, you know that deleting a file isn’t enough. When IT assets reach end-of-life, secure data destruction is critical for security, compliance, and legal protection. That’s where a Certificate of Data Destruction comes in.

Proof of Compliance for Secure IT Asset Disposal

A Certificate of Data Destruction from Securis is your documented proof that retired electronic equipment has been processed according to the highest security and compliance standards. This certificate verifies that your organization’s data has been destroyed in full compliance with NAID AAA Certification, NIST 800-88, Department of Defense, NSA guidelines, and key regulatory frameworks, including HIPAA, HITECH, FACTA, and GLBA.

Built-In Peace of Mind for IT and Compliance Leaders

Whether you’re a CIO, IT Manager, Compliance Officer, or Procurement Director, Securis helps you eliminate risk by providing a fully managed, auditable, and secure IT asset disposition (ITAD) solution.

From the moment your equipment is picked up, Securis secures the chain of custody with locked bins and trucks. Once it arrives at one of our secure facilities, each asset is scanned and cataloged using proprietary software, recording:

  • Make and model
  • Serial numbers (if available)
  • Asset tag IDs
  • Unique Securis key with job number and destruction status

These layers of documentation offer multiple ways to identify every asset, enabling airtight audit trails and easy reporting. In addition, our DriveSnap AI proprietary AI scanning technology assures photographic evidence of asset information for all destroyed assets that still exist even after the asset has been destroyed.  

certificate of data destruction

Why a Certificate of Data Destruction Protects Your Business

A properly issued Certificate of Destruction is more than a formality—it’s a critical compliance document that:

  • Protects against fines for improper data handling
  • Demonstrates due diligence during audits or investigations
  • Reduces legal liability in the event of a breach or data exposure

Whether decommissioning a single hard drive or an entire data center, having documented proof of secure data destruction is essential for regulatory compliance and brand protection.

See It with Your Own Eyes: Witnessed Destruction Available

Need to see the data destruction process firsthand? We offer two options:

  1. On-site services with our mobile shredding units. These units can degauss, shred, and even micro-shred end-of-life IT Assets on-site
  2. Witnessed destruction at a Securis facility

For high-security environments like healthcare, defense, or financial services, we offer micro-shredding to pulverize devices down to NSA-recommended 2mm particles—ideal for SSDs and other high-density data storage that can’t be degaussed or shredded by conventional means.

Real-Time Inventory and Certificates—Accessible Anytime

When your IT asset disposal project is complete, Securis provides:

  • A detailed inventory report of all devices, including make, model, and serial number
  • A Certificate of Destruction for each asset destroyed or wiped to NIST 800-88 standards
  • 24/7 access via our secure client portal, making audits, compliance checks, and reporting effortless

Secure, Accurate, and Sustainable

Securis is more than just a data destruction company—we’re your partner in secure IT asset disposal and sustainable e-waste recycling. Every step of our process ensures your assets are handled securely, accurately, and sustainably. 

Ready to Protect Your Organization from Data Liability?
Contact Securis today to learn how our certified, audited, and fully secure IT asset disposal services can help you stay compliant, protected, and ahead of risk.

 

FAQ's for Certificates of Destruction

A Certificate of Data Destruction is an official document that verifies your organization’s electronic data has been securely and permanently destroyed. It includes key details such as asset types, serial numbers, and destruction methods—ensuring compliance with industry standards like NIST 800-88, HIPAA, and NAID AAA.

This certificate protects your organization by proving due diligence in data handling. It can help you avoid regulatory fines, reduce legal liability, and demonstrate compliance during audits or investigations.

Any organization handling sensitive, regulated, or personally identifiable information—such as those in healthcare, finance, education, or government—should obtain a Certificate of Destruction when disposing of IT assets.

A Securis Certificate of Destruction includes:

  • Company Name
  • Date of Service

  • Destruction Type (e.g., degaussing, shredding, micro-shredding)

  • Job Number

While not always legally required, it is often strongly recommended for proving compliance with laws like HIPAA, FACTA, and GLBA. In some regulated industries, having verifiable proof of secure data destruction is essential for meeting audit requirements.

Securis follows a strict chain-of-custody protocol, uses certified destruction methods, and documents every step of the IT asset disposition process. Our proprietary DriveSnap AI captures photographic evidence of each asset, even after destruction, for complete traceability.

Yes. Securis offers both on-site mobile shredding and witnessed destruction at our secure facilities. This is especially valuable for high-security environments or organizations with strict compliance requirements.

You can access your certificates and destruction reports anytime through the secure Securis client portal. Reports are available in real time and can be used for audits, compliance reviews, and internal documentation.

Hardware Asset Management Challenges for Companies with Remote Employees

This is the transcript of a conversation about Hardware Asset Management between and Jeremy Boerger, the author of the Pragmatic ITAM Method and a consultant who helps large organizations implement IT Hardware Asset Management solutions. You can find Jeremy at: https://www.itamcoaches.com

00:00:04:07 – 00:00:38:01

Kurt Greening

So welcome, everybody. Today, I am joined by Jeremy Berger, the creator of the pragmatic ITAM method and a consultant who helps large organizations implement great IT asset management. Jeremy’s been solving problems in this area since 2000, and he uses data theory, automation, self-governance, while others just are answering questions or excuse me, answering tickets and running inventory reports. We’re talking about hardware asset management today, but Jeremy also helps people solve problems with software asset management. SaaS, spend management, and financial operations. Now, there is a lot of debate today about remote work. Many companies are ordering at least a partial return to office, but the IT asset management problems for remote organizations, or at least people who are hybrid, they’re not going away. 

So my name is Kurt Greening. If you don’t know me, I am an executive VP with Securis. Our primary business, is IT asset disposition, but we also help companies manage the hardware assets of remote employees. Jeremy, thank you for joining us today. 

Jeremy Boerger

It’s my pleasure. Kurt, thank you for having me. 

Kurt Greening

Awesome. So I have a few questions for you as, industry expert. First one I would, love if you can share some of the challenges that you may have noticed in your career when it comes to managing remote employees hardware assets.

Jeremy Boerger

Yeah. So the, the biggest challenge is getting to them,  that’s the real problem. It’s either getting that hardware out to the end user and then getting it back when that end user, goes away or goes through a, refresh, and they get new equipment. now you’ve also got, a secondary problem with the communication piece. Inside the United States, we’ve got a much more robust data infrastructure. Most organizations, especially when, hybrid work was first being experimented with, maybe you had the old twisted pair, riding alongside your home phone line. Remember when we had home phones? Yeah. and that was a real challenge for no other reason than just to get the disposition of that device. Is it on? Is it working? Is it getting patched? nowadays we’ve got high-speed connectivity all over the place. for the most part. And so that kind of concern goes away. But the real challenge is getting the device and the entire setup over to the end user and then getting it back when they’re done with it.

Kurt Greening

Yeah. I worked for a remote-only company, so that was interesting. I actually did all of my interviews on, video. Via zoom. it’s a little nerve-wracking to accept a job that way, but onboarding, was also, completely remote. And, you know, you mentioned some of the challenges. I think getting the equipment is a challenge. If I were to, I would make a challenge getting the equipment back, especially with a less-than-happy employee. It’d be an even bigger challenge if you don’t make that super easy as an IP asset manager or a helpdesk organization. I don’t think you’re going to get that equipment back in a timely manner.

Jeremy Boerger

Right. You’re right. And in so when you’re dealing with that, you’re really as an asset manager, you’ve got to make a calculation. risk calculation in your head. once the real value of that device, sometimes it’s the value of the device itself. Don’t get me wrong. I work for an organization that does, animation, computer animation for entertainment, cartoons, and all of that stuff, that’s some high-powered stuff that is cranking along, doing ray tracing and, generating the frames. So there is still value in that. But for most organizations where the real value is, is in the intellectual property, in the data that’s stored on that device. So one of the ways that you can get around that problem is to have a more robust data destruction, cooling, and methodology that if you can remotely eliminate access to the IP from that device, that sometimes will alleviate some of the risk.

00:05:27:05 – 00:05:55:02

Kurt Greening

So that is a good point. Jeremy, you’re about to get into my next question. Which are some of, what are some of the software tools that are available to help improve, cybersecurity saying you mentioned remote wipe. you know, typically, most of my customers here at Securus, they’re using like, an end user management software or a mobile device management software. you know, to help with, you know, to help manage that solution. But other than that, or maybe talk about some of those features or other tools similar to that, that that make managing those, remote and user devices a lot easier.

Jeremy Boerger

 Right. So, it, it’s tough to be able to talk about them because the technology itself is actually rather simple.  It is just being able to have an inventory and the tool being able to reach out and send commands, to that device. from either a pre boot or, or a stance or an operating system where really there’s new tools that are coming on all the time. what I recommend for as part of our pragmatic ITAM  method is stick with the easy ones.

Intune for your Windows devices. Jamf for Apple. There’s others that will also do the work, but those those two are the big ones, and they will get the job done. Encryption,  also seems to have we’ll also have some, remote destruction or, magic bullet commands. sometimes that can go on. And with the, when you start talking about phones and contact lists and the, two factor authentication with some of those, oh, you know, the random number generators, in those password like that.

Those will also work so that you can lock down and immobilize the device, make it useless. not only does it protect any of the random bits that might still be on that device, but also gives, an incentive for the end user to give it up and send it back home, because they’re not going to be able to do anything with it anyway.

Kurt Greening

Yeah. I mean, I understand that some of these solutions also offer like GPS tracking. You mentioned enforcing specific cyber security policies to make sure that they’re safe on the on the network. You know, they might be working in conjunction with anti-virus software or, you know, more sophisticated, tools that are out there, you know, so I think all of those can be incredibly helpful.

Jeremy Boerger

Oh, yeah. And, you know, it’s what I, what I see in my book, you know, the best tool for the job is the one you’ve already got. So use the stuff that you’ve already got access to. Again, Intune is already there. If you’ve got a Windows volume license agreement or you’re part of the, you’re, you’ve got access to, oh, crud. What are they calling their Azure? what they’re calling their device, their cloud system.

Kurt Greening

 And they used to call it. oh, I forgot. I think it’s now M365. But, you know, some of the really advanced security features might be the M5. or E5 offering. 

Jeremy Boerger

Yeah. Yeah. And then actually brings up a good question, or a good thought as well. The proliferation of cloud storage remote backups mean that the risk of loss of the IP, the at the risk of the access of the loss of intellectual property or for an organization actually helps become minimized because so long as that device is inoperable, they have a backup copy that they can reach into. Any data or, intellectual property or whatever other files are needed.

00:10:00:12 – 00:10:16:03

Kurt Greening

I think you did a great job talking about how many of these, software tools can help remotely support these users and help with IT asset management. But there are certain problems that can’t be solved remotely with software. Can you give me an example of some of the challenges that organizations run into with remote employees? 

Jeremy Boerger

You know, I am old enough to remember the old joke about the, the end user who plugged the, following the instructions to the letter plugged the, power strip into the power strip. I don’t know if we can solve that one, with software, but, you know, in today’s age, there’s a lot of, the the end user is a lot more savvy around technology, but some of the problems that you that you’re going to struggle with, are going to be the usability and the process side. And if you don’t have robust processes, around things like data handling and, inventory management and, recovery processes, what are those steps to get those devices back? You’re going to struggle. and there’s not much just throwing another magic bullet, piece of software at that problem is not going to make the poor processes go away.

Kurt Greening

Yeah, I mean, that’s true. I mean, I’ve talked to many of my friends that work in that helpdesk, and some of them are incredible at this job, in their job. They’re they’re highly committed. They tell me stories of, hey, I did everything I could to support this person. They had something, you know, critical coming up customer presentations. I got in my car and I drove four hours with a new, laptop with a fresh image, picked up their old one and took it home because there was nothing more that I could do.

Jeremy Boerger

I had worked Help desk one time and we were able to troubleshoot. the connectivity issue actually came down to the feed line into the, subdivision, buried cable line, and the reason why we were able to figure it out was because I was the first person to ask the guy point blank, the person that we were helping what’s the picture quality on channel two and channel three, which is where the on the old cable modems, that’s where the the data line there on channel three. And I think part of channel 13, he was like, oh it’s terrible. It’s like, how well do you know your neighbors? Can you talk to them? And just that persistence, that systemic thinking of going, okay, we’ve tested every possible issue with the hardware. We know it’s not the software. Then what happens next? That’s systemic thinking about okay, what’s the next device or issue in line that could be causing the problem and then start to troubleshoot it. If I remember right, the cable company came in and replaced all of the wire in that subdivision. It was 20, 30 houses, between the house and the street.

Kurt Greening
Interesting. Some some good, good war stories there. Jeremy. 

Jeremy Boerger

Oh, yeah. That’s. Yeah, that’s the nice thing about helpdesk. Everybody’s got a war story. 

Kurt Greening

Yeah. And, speaking of some of these challenges, why do you think, some companies or maybe even government, organizations might for, outsource laptop logistics, data sanitization, re-imaging imaging repair.

And then eventually, when they’re done with the device recycling that somebody like Securis. 

Jeremy Boerger

Yeah. So, there’s, there’s a couple of reasons why it starts to make sense. The first is scale. as an organization grows, the demands for the disposal, the recovery, the disposal and the, recertification if you’re going to reuse it, all of that starts to become cumbersome and pulls attention and material and resources away from the business’s core focus.Right. If you are, manufacturer, you make airplanes. The last thing you want is people spending their time, hitting laptops with hammers to destroy the platters. Right. So outsource that. the second part is, if you are dealing with very heavily, abused, data, thinking, healthcare, thinking, finance, and government, there are specific regulations that you’ve got to follow and your organization might not be able to keep up with all of those regulations. A dedicated third party service provider, that’s the folks to go to. Finally, off the top of my head and thinking about it, if you are an organization that is in a very heavily congested urban area warehousing becomes a premium and you really want to have, square footage being paid out for devices that are just sitting there because they’re either being prepped or being removed, t hat’s money out the door that, you know, you could redirect somewhere else, especially if you have a, just in time relationship with, third party service provider. 

Kurt Greening

Yeah, there’s a real good point. Yeah. I, I, you know, there’s kind of a space between, you know, a really small company that would outsource everything from an IT perspective to an MSP. And then, you know, I’ve got a customer and it’s a big hotel chain, and they have regionally dispersed helpdesk people, within a two-hour drive of almost, every major, property, so they don’t have a problem, but there’s kind of that in-between space where somebody is like, hey, we’ve got to help desk people, but either they’re not physically close to all those people you mentioned, you know, the warehouse issue or, you know, working for companies. You know, I know of a big company in the software space lab, Gitlab, they don’t have a corporate headquarters so they wouldn’t store the laptops anywhere, so there’s kind of that interesting space where, you know, you’re big enough to have a, you know, your own IT helpdesk to understand your applications, understand your software, but maybe you don’t have somebody in every region or what I’ve been told is that, providing hardware support, you know, shipping stuff out and boxes for somebody who’s got a bunch of, you know, network and helpdesk certifications, they may consider that to be soul-sucking work. 

Jeremy Boerger

Yeah. Yeah. Could be too. Could be too. The other thing to consider is how you’re actually using the technology,  so many of the used to be onboarded software activities are now residing in the cloud or are accessed through a web browser. It doesn’t matter what kind of platform you’re using. All you really need is a consistent connection to that SaaS provider. Apple Mac, however it’s configured, doesn’t matter so long as the connection is secured. Maybe a VPN, some sort of, certificate. You’re off to the races, so go out, pick up something at Walmart and bring it back to your home. 

Kurt Greening

Awesome. Well, good. Good advice. So let’s say the company comes to you and you’re doing some IT asset management consulting to you, and they mentioned this as a problem. And they say hey, I’m going to outsource or possibly outsource some of this. What would you recommend that they look for. What types of questions should they ask of potential providers that will help them figure out what solution might be right for them? 

Jeremy Boerger

So the first question that really needs to be asked is, what kind of a relationship do you want with this third-party service provider? They really, the services break off into two aspects. One is either that just-in-time inventory provision, or they are doing just, dross, haul away the garbage give you a certificate that they’ve destroyed it, and you wipe your hands of it. I’ve seen both. if you are going to go the dross method, then there’s some other sub-questions that you’ve got to ask the people that are doing the inspection. They’re going to be your employees. Are you okay with having someone spend, you know, an hour or two a day for a small organization every once in a while to an entire team of 3 or 4 people going through, examining the usefulness of the device, deciding whether or not it can be reused and put back out into, the computing environment. And then goinging through the activity of wiping it out, doing the DoD five-time wipe. Sometimes that goes for a while on these big, on these big hard drives. Cybersecurity is also starting to poke at some of the persistent memory. So you’ve got to really have some specific tools to break apart the chassis, to get to that memory and make sure that it’s disposed of.

00:20:25:11 – 00:21:01:09

Jeremy Boerger

Is the organization comfortable with having that dedicated team? Now, the last part that I kind of worry about for organizations, if they’re taking on this task on their own, is the sort of, certification of destruction. The insurance companies, especially the ones that are providing cybersecurity insurance, are very twitchy about their documentation. And they want that confirmation that that device has been destroyed.

Jeremy Boerger

Right. if you’re doing it yourself, it’s very easy to break that chain of custody and lose track of that certificate. And then you’re talking some serious money, your insurance. There’s a very real threat that your insurance, policy could be voided, and that’s the last thing you want to have happen if all of a sudden you need it, right?

Kurt Greening

Yeah. I call it thinking of defensible IT asset management or defensible IT asset disposition. Right. Yes. Do you have a policy. would it be considered best practices and do you follow that policy? Right?

Jeremy Boerger

right, right. Well, and I have seen, the, the, TSP’s, they will go so far as to say specifically when they make a run to pick up a lot, they own those devices. Once they obtain custody, they, assume ownership and reliability. Even then, you want that receipt. What did they pick up? When was that date? And you need to store that in your CMBB or, records repository in case anything happens. 

Kurt Greening

All right. Let’s talk let’s talk about systems because you, If you don’t mind, unless you have another thought on that topic, right. So, let’s say and I think you can answer both questions. So you talked about outsourcing IT, asset disposition and data destruction. That’s maybe one relationship. But there’s also the other relationship we talked about where, hey, you’re managing deployment, wiping retrievable redeployment of of IT assets. Talk about some of the systems, whether it’s, ITAMsystems or ITSM systems, that have to be in place, and what do you kind of think that that relationship would be like in both of those scenarios? 

Jeremy Boerger

Right. So when you are talking about just in time, supply, inventory, you own those devices, but you might not necessarily be in physical control of those devices. So the question comes down to where is your stuff? Now, you know, if you’re a small operation, maybe you can take somebody’s word for it that, oh, yeah, that box is sitting on our shelf, and that’s great. But if you’re going to be a large organization and you need to know where that inventory is, especially if you’re going to start doing some automation between your onboarding and procurement and removal and disposal. You have to have, reach into that third-party service provider’s inventory. And in order to do that, the best way is that you both have inventory systems and you’re sharing data back and forth with an API call, or at least some sort of automated report.

Kurt Greening

I’ve actually seen that happen two ways, Jeremy. So I have seen it happen where let’s say there’s, you know, 5 or 10 spare laptops that are inventory. They’re owned by the company, not by the outsourcer, and then all actions are actually done in the company or the customer’s ITSM system, and the IT asset management database. And then there’s various workflows, like hey monthly that outsourcer has to scan and prove that what you know is in the IT Asset Management inventory is actually, you know, still owned, you know, it’s still in, you know, a locked page or whatever the agreement, is that’s, you know, that’s one scenario. And also, you know, that the Outsourcer may get a helpdesk ticket assigned to them. You know, they perform an action that’s updated in the ITSM, system. You know, if there’s tracking numbers, you know, all of those things. I think that that’s that’s another way, right? Is if you are willing to, sign agreements and you would allow that third party to have access to your systems.

00:25:37:00 – 00:26:21:12

Jeremy Boerger

Oh, yeah. No, the, the the visual inspection is costly, but it is necessary for the, “just to be sure”. And let’s remember these are devices that nine times out of ten are not plugged into the network. They’re just sitting there ready to go for the next step. But they’re dark. They’re off the wire. So unless you have really good controls on the, live side, you know, you’ve got, a good tie-in or good reports from bills of lading that say when stuff is getting received in the inventory, you’ve got your discovery tools running full bore, so you know what’s powered on and being used actively. And you’ve got your certificates of destruction being updated regularly, then what should be in that room should be the stuff that you know you own, but you haven’t seen it on the wire yet. But things happen. Things change. Stuff gets moved. I lose track of water bottles all the time. It happens, so I, I really like, I believe if memory serves, the best practice is really once a quarter.

If you’re in a just-in-time inventory relationship, have a visual inspection. It’s a great time to just go and build the, the personal relationships as well with your, service provider. Go. Everything looks fine. Freedom to launch. 

Kurt Greening

Yeah. I mean, I’ve also seen a requirement for monthly scanning of the asset tags and a photograph in addition to the quarterly visual inspection.

Jeremy Boerger

That’s pretty brutal. I mean, but again, if you’re in an organization and you’re uncomfortable with risk, then, yeah, you’re going to make demands like that. 

Kurt Greening

Talk about other demands. We talk about IT Asset disposal. you know, I have some customers that they provide an inventory, we go up on-site, we scan everything that they give us. We cannot leave until there is a 100%, match. You have all the serial numbers, the asset tags and the Securis disposal tags. And then, there are photos taken of what is in the truck. The truck is locked. The truck is sealed. The truck is GPS tracked. It goes to our location. The items are scanned again. That scan is compared to the inventory, the two other inventories,  and if one, item is off, then they start an investigation to figure out, do they have a cyber security incident or not? So to me, that’s what good inventory management, looks like, and I mostly see that from banks. I’d like to see that in some other industries as well.

00:28:46:10 – 00:29:21:01

Jeremy Boerger

It’s certainly, again, with financial and health care, there is so many nefarious activities that are going on. You have to be careful. honestly, between you and me, I would think that that level of chain of custody is pretty extreme. I hope your customer is paying for that level. For most organizations,  the bill of lading is actually plenty to be able to tell you.

You know, here’s the truck, and here is the driver, here’s the expected delivery. Did all of the serial numbers that they said that the the delivery company picked up actually make it? And if that didn’t happen then that specific piece, that delivery driver is going to be in the hot seat. so there’s a range and I and that’s really where it kind of comes down to where you and I can agree. It’s that level of risk and the management of that risk through the collection of the details and the data about where those devices are between you handing the physical custody over to a third party and then saying, you know, providing a receipt that says, yes, we did the needful, this thing is now a small pile of molten metal. You’ll never see it again. 

Kurt Greening

So this is all, good advice. Clearly, Jeremy, you’ve been doing this a long time. you’re an expert in many things. Hardware asset management, many things. Software asset management. So I appreciate you, sharing some things both with me and folks that watch the Securis YouTube channel. I guess the question is, some people are, are thinking about some of the things, some of the problems that you solve and they think that you might be able to help them. Where where can they reach you? 

Jeremy Boerger

Well, you can find us on our website, boergerconsulting.com. weird German spelling though, that’s B o e r g e r, otherwise you end up at McDonald’s. 

Kurt Greening

Now ITAM coaches, does that also get to your company to or…

Jeremy Boerger

ITAM coaches. Yes. So and this might be the right time to talk about that. We’re looking at doing a little bit of expanding and doing a brand name. So the ITAM coaches, URL will point to us as well. 

Kurt Greening

All right. Awesome. Well, hey, thank you again, Jeremy Burger. really appreciate your insight. suggest that, people pick up your book. That ITAM pragmatic Method, or follow your blog because there’s a lot of good advice. I know, I read that it seems like maybe weekly or every other week you’re putting out good content. So I think thats another way to try to keep up to speed with all things I.T Asset management.

Jeremy Boerger

Iit is it is a moving target to keep up with the details and the best business practices. So, you know, we’re happy to help educate where we can, and partner you know that’s really kind of, if there’s a closing thought, having someone help you out, can be very beneficial. So consider it. Gartner already released an article saying it’s a good idea, Forrester followed in suit, as they do. You don’t have to do this alone. 

Kurt Greening

All right? Sounds wonderful. Thank you so much.

Jeremy Boerger

My pleasure. Kirk. Good luck to you.

Transforming Lives Through Technology: Securis’ IT Asset Donation in Africa

Children in Africa

Life-Changing Opportunities

Imagine a world where computers are a distant dream, medical records are scribbled on scraps of paper, and ambition is stifled by the lack of access to technology. For millions across Africa, this isn’t just a scenario—it’s reality. But thanks to a powerful IT Asset donation partnership between Securis, Avalara, and Stanley Nche of Stanley Com, we have turned end-of-life technology into life-changing opportunities for schools, orphanages, and hospitals in Chad and Cameroon.

More Than Recycling—A Mission of Impact

At Securis, sustainability isn’t just about recycling IT assets—it’s about making a real difference. By securely erasing data to NIST 800-88 standards and refurbishing retired technology, Securis ensures that valuable equipment is given a second life.

Donations to the hospital in Chad

This initiative was not just about moving devices from one place to another; it was about delivering hope and opportunity to communities that needed it most.

Avalara, a leading provider of tax compliance software, played a pivotal role in this initiative by donating equipment for refurbishment.  Jeremy Farber, President of Securis, emphasized the importance of Avalara’s donation to making this initiative happen: “Avalara’s support allowed us to take the equipment that still had life, test it, refurbish it, and donate it to communities in Africa.”

Meanwhile, Stanley Nche took this initiative to heart, organizing and personally delivering all donated equipment—ensuring it reached the hands of those who needed it most.

 

 

Empowering Education

The first stop for these donated assets was the Optimum BNP School in Cameroon, where classrooms once lacked access to any digital learning tools. Now, students and teachers are using computers for the first time—unlocking new educational possibilities.

“This is a monumental step,” said Stanley Nche. “This is the first time these kids and even their teachers have had access to computers. Now, they have the chance to learn and grow in ways they never imagined.”

At Saint Arnold Murray Orphanage, donated tablets have opened doors to digital learning and interactive play for children who had never imagined such possibilities. Stanley shared their joy: “When we told them we brought tablets, they were so happy because no one had ever done this for them before.”

 

 

Revolutionizing Healthcare

donated items in african hospitalIn Chad’s Adventiste Hospital, the impact was just as profound.  Previously reliant on paper records, the hospital can now use digital systems to store medical histories, test results, and treatment plans. Clinicians can access online medical research for the first time—a critical advancement in providing quality healthcare. “Before this donation, everything was recorded manually on paper.” Stanley explained. “Now, they can digitize patient information and improve care delivery.” In addition, nursing hospitals will now have computers to enable research and communication with the larger health community, fostering better healthcare outcomes.

A Unified Effort for Change

This initiative underscores the power of collaboration. Jeremy from Securis reflected on the collective effort: “This wouldn’t have been possible without the dedication of our employees, the generosity of Avalara, and the hard work of Stanley Com.”  The joy of giving back resonates deeply with Securis’ mission to be more than just a profit-focused company. Stanley Com and Securis aim to find partners to work with on future initiatives, ensuring that more communities gain access to life-changing technology. 

Stanley Nche donating IT Assets in AfricaSustainability Meets Social Change

By keeping technology out of landfills and placing it where it’s needed most, Securis demonstrates that sustainability can be about more than computer recycling.  It can be about giving back and helping to bridge the digital divide. Every piece of technology has the potential to create opportunities and change lives, and with the right approach, we can turn e-waste into empowerment. 

Join the Movement

Securis’ work in Africa is a testament to what’s possible when businesses and individuals unite for a greater purpose. Retired technology doesn’t have to be discarded—it can be someone else’s future. 

If you want to be part of this transformative journey, contact Securis today. Together, we can ensure that no piece of technology goes to waste and that every piece contributes to a brighter future.

Let’s make an impact—one device at a time.

If your company is interested in donating assets please reach out.

CONTACT SECURIS

Federal Financial Institutions Examination Council (FFIEC) Data Destruction Guidelines

The Federal Financial Institutions Examination Council (FFIEC) provides guidelines to help financial institutions manage risks, including those related to data destruction. Compliance with FFIEC rules is critical for financial institutions to ensure data security, regulatory compliance, and the protection of sensitive information that may reside on their IT Assets.

The key aspects of FFIEC guidelines related to data destruction include:

 

1. Risk Management FrameworkRisk Management

  • Financial institutions must implement a comprehensive risk management program that includes policies for the secure disposal of data.
  • Risk assessments should identify potential vulnerabilities in data destruction processes.

 

Secure Data Disposal Requirements

2. Secure Data Disposal Requirements

  • Institutions must ensure that sensitive customer data, financial records, and confidential information are securely destroyed when no longer needed.
  • Secure disposal methods should align with industry best practices, such as shredding, degaussing, or physical destruction of media.

 

3. Compliance with Privacy and Security Regulations

Compliance with Privacy and Security Regulations

  • Data destruction policies should be aligned with relevant laws, such as the Gramm-Leach-Bliley Act (GLBA), which mandates safeguards for customer information.
  • Financial institutions must follow FFIEC guidelines in combination with the FTC Disposal Rule, which requires proper disposal of consumer information.

 

4. Third-Party Due Diligence and Vendor Selection

Due Diligence in ITAD Vendor Selection

  • The financial institution must conduct thorough due diligence before selecting a vendor to ensure the vendor has the necessary security controls, certifications, and experience in data destruction. The vendor should also clearly define its responsibilities for data destruction, including methods, timing, and acceptable levels of data sanitization.
  • Vendors should comply with relevant regulations, such as:
  • Institutions should assess a potential vendor’s financial stability, reputation, security controls, and data destruction methods.

 

5. Audit and DocumentationAudit and Documentation in ITAD

  • Institutions should maintain detailed records of data destruction activities, including logs of what was destroyed, when, and by whom.
  • Regular audits should be conducted to ensure adherence to data destruction policies and regulatory compliance.

 

6. Physical and Electronic Media DisposalPhysical Media Destruction

  • FFIEC guidelines emphasize the secure destruction of physical documents and electronic storage devices, such as hard drives, USB drives, and backup tapes.
  • Proper methods include overwriting, cryptographic erasure, and physical destruction.

 

7. Employee Training and AwarenessEmployee training on data destruction practices

  • Employees should be trained on the institution’s data destruction policies and the importance of securely handling sensitive information.

 

Adhering to FFIEC guidelines on data destruction helps financial institutions prevent data breaches, maintain customer trust, and avoid regulatory penalties. When a financial institution outsources data destruction services to a vendor, the FFIEC (Federal Financial Institutions Examination Council) requires the institution to ensure that the vendor complies with applicable regulations and security standards.

Key compliance requirements for vendors performing data destruction services include:

Contractual Obligations

FFIEC guidelines stress that contracts with vendors must include provisions to ensure data is securely destroyed. Essential contract elements include:

  • Defined Scope of Services: Specify which types of data and media the vendor will destroy (e.g., paper, hard drives, electronic media).
  • Security Standards: Vendors must follow industry best practices for secure destruction, such as NIST 800-88, NISPOM 32 CRF Part 117 (which has replaced DoD 5220.22-M) data sanitization, and NAID AAA certification standards.
  • Confidentiality and Non-Disclosure: Ensure vendors adhere to strict confidentiality agreements.
  • Chain of Custody: A documented process for handling, transporting, and destroying data to prevent unauthorized access.
  • Audit Rights: The institution must retain the right to audit the vendor’s operations and security controls.
  • Breach Notification: Require vendors to report any security incidents or potential data breaches immediately
  • Indemnification: The contract should include provisions for indemnification in case of data breaches or non-compliance caused by the vendor.

Secure Data Destruction Methods

Secure data destruction with SecurisThe vendor must use approved destruction methods to ensure data cannot be recovered. These include:

  • Secure Handling: Vendors must handle sensitive data securely during collection, transport, storage, and destruction.
  • Access Controls: Strict access controls should limit personnel access to sensitive information.
  • Data Destruction Methods: Vendors must use secure, industry-recognized methods of data destruction that render the data unrecoverable (e.g., Overwriting, degaussing, or cryptographic erasure to comply with NIST standards).
  • Verification: The vendor should provide proof of destruction, such as certificates or reports for each asset. (see section below)

Documentation and Certification

Certificated of Data DestructionVendors must provide detailed documentation to demonstrate compliance, including:

  • Certificate of Destruction (CoD): A formal document certifying the data destruction process was completed securely and in compliance with applicable regulations.
  • Destruction Logs: Itemized records of destroyed data, including dates, locations, and methods used.
  • Audit Reports: Regular internal audits of data destruction processes to ensure ongoing compliance.

Ongoing Monitoring and Compliance Reviews

  • Financial institutions must monitor vendors continually to verify continued compliance with FFIEC guidelines.
  • This includes periodic audits, site visits, and performance evaluations to assess security practices.
  • Vendors should undergo periodic compliance training and updates to meet evolving regulatory requirements.
  • Incident Response: The vendor should have a documented incident response plan for data breaches or non-compliance issues.

Regulatory Compliance Alignment

Vendors should:

  • Be transparent about their processes.
  • Demonstrate their security controls and compliance with regulations.
  • Provide proof of secure data destruction.
  • Cooperate with the financial institution’s ongoing monitoring and audit procedures.

By following these FFIEC guidelines, financial institutions can mitigate the risks associated with outsourcing data destruction, ensure regulatory compliance, and protect sensitive customer information.

Request for Proposal (RFP) for IT Asset Disposition (ITAD) services

Creating a comprehensive Request for Proposal (RFP) for IT Asset Disposition (ITAD) services is crucial for organizations seeking to securely and efficiently manage the retirement of their IT assets. A well-structured RFP clarifies your company’s unique needs and ensures potential vendors can provide tailored solutions that align with your objectives.

Understanding IT asset disposition (ITAD) Services

IT Asset Disposition involves the processes required to responsibly retire outdated or unwanted IT equipment such as computers, phones, storage drives, and other office electronics. These devices often contain sensitive data, so these services should ensure compliance with stringent environmental and data security regulations. Partnering with a qualified ITAD provider helps mitigate risks associated with data breaches and environmental liabilities.  Read on to learn more about what to ask in an RFP for ITAD Services.  

Key Components of an ITAD RFP

  1. scope of workIntroduction and Company Overview:
    • Purpose of the RFP: Clearly state the objective of the ITAD services needed.
    • Company Background: Provide insights into your organization’s size, industry, and IT infrastructure to help vendors understand your needs.
  2. Scope of Work:
    • Services Required: Detail the ITAD services you need, such as data destruction, asset remarketing, recycling, and reporting.
    • Volume and Types of Assets: Specify the quantity and categories of IT assets to be disposed of, including computers, servers, mobile devices, etc.
  3. Vendor Qualifications: E-waste companies have caused horrific environmental disasters.   When fly-by-night companies struggle financially, they have been known to cut corners, resulting in superfund sites and data breaches.   Examples include subcontracting to the lowest-cost downstream vendors and failure to follow strict security procedures.  We recommend checking:
    • vendor qualificationsExperience and Expertise: Request information on the vendor’s history in IT asset disposition services and their expertise in handling similar projects. 
      • Does the vendor have a Certified Secure Destruction Specialist® (CSDS®) on staff?
      • Are they committed to continuous improvement and innovation in their services? 
      • Are they willing to share high-level reports on financial stability?
      • How long has the company been in business?  
    • Certifications: Does the vendor hold relevant certifications, such as: 
      • ESGR2v3 Environmental Compliance:  Ensure the vendor follows environmentally responsible recycling methods and has certification from R2v3. This certification requires the vendor to have an Agreement for Responsible Disposal of Sensitive Materials for all downstream vendors. 
      • Mobile and Plant-based NAID AAA certification: NAID is a third-party association that provides unannounced audits annually to validate media sanitization companies’ security processes and compliance. The vendor should have NAID certification (not just membership in Isigma). 
      • Defense Logistics Agency (DLA): Program managers should require a disposition vendor to be certified by the DLA to transport military critical data. This vetting process helps protect data during transport to minimize data breach risk. The program manager should also confirm that the disposition vendor’s certification is current and has not expired.
      • Department of Transportation: Is the vendor certified to transport e-waste materials?
      • Additional certifications: ISO 14001 (environmental), ISO 9001(QMA), and ISO 45001(safety) certifications.
      • Is the vendor a GSA contract holder?
    • Compliance: Different compliance standards may apply depending on the client industry. Make sure your vendor ensures your compliance with whichever applies to you.
      • Compliance standards that relate to all industries include: NIST 800-88, OSHA, the FACTA Disposal Rule, the Identity Theft and Assumption Deterrence Act, the US Safe Harbor Provisions, the PCI Data Security Standard, and the Basel Action Network.
      • Compliance standards that relate to Healthcare companies: HIPPA, HITECH, FDA Security Regulations (21 C.F.R. part 11).
      • Compliance standards that apply to Financial Services Companies: The Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Bank Secrecy Act, and the Patriot Act of 2022.
      • Compliance standards that apply to government agencies or contractors:  NISPOM 32 CRF Part 117 (which has replaced DoD 5220.22-M) data sanitization, DFARS, NIST SP 800-171 (Requirement 3.8.3), and CMMC 2.0. Certificates of Destruction are provided as critical proof for DCMA DIBCAC audits and cybersecurity risk mitigation efforts. GSA Bulletin FMR B-34 e-waste standards.
    • Service Capabilities: Does the vendor cover the regions where your company operates? Do they offer both on-site and off-site data destruction and asset disposal? Is the vendor capable of scaling the service to handle large volumes? Does the vendor have logistics and transportation capabilities for asset collection needs?  Are Secure Storm Cases or lockable bins available for safe asset collection and storage? 
    • Customer Service: Is customer support available and responsive?  Will you be assigned a dedicated project manager? Can site visits be arranged to determine logistic and security requirements?
  4. Data Security Measures:
    • Data Security MeasuresData Destruction Methods: Inquire about the processes to ensure complete data erasure or destruction. Are methods used up to strict NSA standards? Are certifications and compliance standards met and/or exceeded? (see above) Does the vendor stay current with the most technologically advanced methods of destruction? How much experience does the vendor have with classified, CUI or other federal government data?
      • Software Wiping – Is wiping done with certified data erasure software? 
      • Shredding  – Is shredding available for various devices and drives both on and offsite? 
      • Degaussing – Does the vendor have NSA-approved degaussing equipment? Can mass quantities of media be degaussed quickly?
      • DisintegrationIs Vendor able to disintegrate to an NSA approved 2mm? 
      • Incineration – Is incineration available for SAP Classified Data
      • Mobile – Are all data destruction methods available at the client site?
    • Chain of Custody: Seek details on how the vendor secures the handling and tracking of assets from collection to final disposition.
    • Employees: Are employees pre-screened and given background checks with fingerprints and drug testing? Is there Intense and ongoing Employee Security Training?
  5. Reporting and DOcumentationReporting and Documentation:
    • Detailed and Timely Reporting: Does the vendor measure the timeliness of inventory reporting, and do reference checks validate their metrics?
    • Accurate Reporting: Can the vendor prove scanning accuracy or more than 99% and demonstrate a methodology to correct errors
    • Weight and LEED Reporting: Does the vendor provide weight and LEED Reporting?
    • Double Check: Does the vendor provide a two-step verification of captured data?
    • Audit Trail: Does the vendor provide a comprehensive audit trail for all processed assets?
    • Client Portal: Does the vendor provide a client portal for access to inventory reporting, allowing for search by variables such as serial numbers, asset tags, etc?   Does the portal support single sign-on?
    • ITAM Integration: Does your organization require integration with an IT Asset Management system like ServiceNow?
    • Certificate of Destruction: Does the vendor provide a Certificate of Destruction that verifies data destruction and environmentally compliant recycling?
    • Detailed Reporting: Ensure you receive comprehensive reports outlining each asset’s disposition process and outcomes.
  6. Service Level Agreements (SLAs):
    • Performance Metrics: Define the expected service levels, including timelines for asset pickup, data destruction, accuracy, and reporting
  7. Pricing Structure:
    • Cost Breakdown: Request a detailed pricing model, including any fees for transportation, data destruction, and other services.
    • Value Recovery: Inquire about the vendor’s approach to asset remarketing and how recovered value is shared. Evaluate your vendor’s market reach and ability to sell refurbished assets. When assessing value recovery, be sure the ITAD vendor is an experienced NAID AAA and R2v3 certified ITAD service provider who can ensure proper data sanitization and recycling. Ask about the vendor’s capabilities to repair or refurbish sanitized assets to maximize value and minimize e-waste.
  8. References and Testimonials:
    • Client Testimonials: Check reliable sources such as Gartner reviews for references from previous clients, particularly those in similar industries or with comparable project scopes.
    • Interview References: Develop a list of questions in advance, such as those about accuracy, security, volumes, security procedures, etc.
  9. Site Visits or Trial Runs:
    • Conduct a site visit to the vendor facility or schedule a trial project and have your team audit the vendor’s work.

Best Practices for Developing Your ITAD RFP

  • Be Specific: Clearly articulate your requirements to enable vendors to provide precise and relevant proposals.
  • Encourage Transparency: Seek openness from vendors regarding their processes, certifications, and any potential subcontractors involved.
  • Evaluate Sustainability: Consider vendors’ commitments to environmental sustainability and how their practices align with your company’s green initiatives.
  • Assess Flexibility: Determine the vendor’s ability to scale services and adapt to your organization’s evolving needs.

By meticulously crafting your IT asset disposition RFP with these components and best practices, your company can identify a partner that meets your technical and security requirements and aligns with your organizational values and goals. This strategic approach ensures a successful IT asset disposition process, safeguarding data and contributing to environmental sustainability.