Should IT Departments Sell End-of-Life IT Assets on eBay?

Posted on Dec 5th, 2024

Corporate IT departments play a critical role in managing the entire lifecycle of a company’s technology assets, including ensuring the secure disposal of outdated or end-of-life (EOL) equipment. While many IT teams and sustainability experts recognize that reusing or reselling unused IT assets is the most eco-friendly approach, the disposal process carries risks. For instance, some companies turn to electronics brokers or platforms like eBay to sell EOL equipment. While these methods may seem convenient, they can pose significant risks if sensitive data is mishandled or disposal practices fail to comply with regulations. Let’s delve into why businesses should exercise caution before listing their IT assets on sites like eBay or selling to brokers.

The Risks of Selling IT Assets on eBay

Several examples highlight businesses that have not exercised due care when disposing of end-of-life IT electronics. The result can be fines, reputation loss, and significant loss of shareholder value.

A NAID AAA (now i-SIGMA) study found that 40% of used devices sold on platforms like eBay contained personally identifiable information (PII). PII includes everything from customer records to internal communications to passwords. If any of this information became public, it could be costly and lead to fines or reputational damage for your company.

Additionally, Rapid7, a leading cybersecurity company, conducted an experiment in which they purchased medical infusion pumps from online resellers and uncovered sensitive authentication data from several healthcare facilities. If exploited by malicious actors, this data could have severe consequences for hospitals and medical providers who previously owned the equipment.

These examples highlight the significant risks companies face when they fail to properly sanitize data before reselling or disposing of their old IT assets. A company may assume its IT assets will be properly sanitized, but if it does not work with a properly credentialed ITAD company, it can still face severe consequences for mishandling its data disposal processes.

Take Morgan Stanley, for instance. In 2023, the financial institution was fined $163 million after a moving company it hired to decommission its data center failed to properly wipe sensitive data from devices. Instead of adequately sanitizing the data before reselling, the moving company worked with an unnamed ITAD company that sold the equipment online, exposing the personal information of 15 million people.

These cases and many others are stark reminders of why selling used IT equipment outside of the channels of a NAID-certified ITAD vendor is fraught with risk and can result in devastating data breaches, regulatory fines, and reputational damage.

How to Mitigate Risks Associated with IT Asset Disposal

While it’s clear that selling IT equipment online can be risky, there are significant benefits to working with a certified IT asset disposal (ITAD) provider. Partnering with an ITAD vendor like Securis offers several advantages:

1. Certified Secure Data Sanitization or Destruction

A reputable ITAD vendor will ensure all device data is fully sanitized and/or destroyed. Certified vendors use NIST 800-88 to guide sanitization methods. Certifications like NAID AAA and R2v3 ensure that the vendor follows rigorous data security and environmental sustainability standards. Certified facilities are open to spot checks under these certifications, so high standards must be constantly maintained. Securis also has a trained Secure Data Destruction Specialist on staff to ensure we use the best, most current, and most secure data sanitization methods.

2. Environmental Responsibility

E-waste is a growing concern, and responsibly recycling or reselling IT equipment helps prevent harmful pollution. A broker’s goal is to sell used computers for top dollar. Electronics with no value may end up in a landfill, resulting in environmental fines for the company that asked the broker to sell the equipment. Companies can be liable for knowingly hiring an unqualified or unreliable ITAD vendor and for any environmental damage caused by improper disposal. If the company fails to conduct due diligence on the ITAD vendor’s practices, it may share some responsibility. There have been several cases where the EPA or states fined companies after their ITAD vendor went out of business. The EPA, OCC, or other government agencies may investigate a company’s practices for selecting and monitoring ITAD vendors. If the company is found to have inadequate oversight, it could face enforcement actions, even if the primary responsibility lies with the bankrupt ITAD vendor.

Companies should have contractual agreements that require their vendors to follow NAID AAA (information security) and R2v3 (environmental) best practices. They should also review third-party audits of their vendors and ensure that their ITAD vendors maintain liability insurance. R2v3-certified ITAD vendors are equipped to handle the environmentally safe disposal and recycling of electronic waste, ensuring that devices are reused or recycled in a way that meets EPA guidelines. By partnering with a trusted ITAD provider, companies can confidently meet their sustainability goals while reducing their carbon footprint. 

3. Compliance with Regulations

Disposing of IT assets improperly can lead to severe legal and financial consequences. Regulatory bodies like the SEC, OCC, and EPA have stringent requirements for data privacy and environmental impact. Working with a certified ITAD vendor mitigates the risk of non-compliance with these regulations. Additionally, ITAD vendors provide complete documentation and audit trails demonstrating compliance with data destruction laws and environmental standards. Certified ITAD vendors issue Certificates of Destruction, which prove your data was properly destroyed.

4. Vendor Accountability

When you work with a certified ITAD vendor, you are establishing a partnership with a company that you must ensure is held to high standards. Reputable ITAD vendors with certifications such as NAID AAA and R2v3 are regularly audited to ensure they meet industry benchmarks and comply with relevant regulations. Furthermore, by conducting thorough reference checks, scrutinizing online reviews, or even visiting an ITAD vendor’s facility, you can ensure that you have exercised due care and oversight of your ITAD vendor.

Why eBay Shouldn’t Be Your First Choice for IT Asset Disposal

In conclusion, selling end-of-life IT equipment on eBay or to the highest bidder may seem tempting, but the risks far outweigh the potential benefits. The possibility of exposing sensitive data, facing compliance penalties, or harming your company’s reputation is not worth the seemingly easy fix of an online sale.

By partnering with a certified ITAD vendor like Securis, you can ensure your company meets its data security, environmental, and compliance obligations. Our team of experts will securely wipe your devices, recycle e-waste responsibly, and provide you with complete documentation to ensure compliance with industry regulations. When it comes to IT asset disposal, it’s better to be safe than sorry. Partner with a trusted ITAD provider to ensure your end-of-life IT equipment is disposed of securely, responsibly, and compliantly.

Ready to Learn More About Services With Securis?

If you’re ready to take the next step in responsibly disposing of your company’s IT assets, contact Securis today. We’re here to help you protect your data, the environment, and your bottom line.