The petition centers on device theft that occurred during IT asset disposition jobs in the Washington, D.C. area in 2022 and 2023. | ThamKC/Shutterstock

A petition is gathering signatures to compel the e-Stewards, i-SIGMA and R2 certifications to publicly address and investigate an IT asset disposition-connected data breach that came to light early this year. All three certifications responded in statements to E-Scrap News.

The petition – titled “Stop Data Breaches: Hold ITAD Certifiers Accountable!” – comes on the heels of a criminal case in which a former driver for ITAD firm Wisetek pleaded guilty to a federal criminal charge for stealing and reselling numerous devices during asset retirement jobs for clients that included federal government agencies and contractors. Details released in court records indicated the thefts involved thousands of devices that remain unaccounted for because they entered the resale market before the thefts were uncovered.

The driver, Nikhil Parekh, was sentenced in May to one year of probation and ordered to pay $10,000 in fines and restitution.

With the criminal case closed, a group of ITAD data security stakeholders is calling on the prominent ITAD industry certifications to publicly address the situation, and investigate whether it represented any violations of the certifications held by Wisetek, which has since been acquired by Iron Mountain.

The petition was launched by Retire-IT CEO Kyle Marks, who has been vocal about the various IT asset management failures that were on display in the Wisetek case. In the petition, Marks wrote that the case “exposed shocking failures in the IT asset disposition industry, where a trusted company allowed thousands of data-bearing devices to be stolen and resold, endangering national security and public trust.”

The petition calls on the three certifications to “investigate Wisetek’s misconduct, hold them accountable, and reform flawed certification systems to protect our data.”

It lays out a broad array of concerns, from industry practices like allowing certified companies to pick their own auditor, to an assertion that certifications treat violations differently based on the size and influence of the involved company. But overall, it calls on the certifications to conduct an impartial investigation of the case, enforce any relevant penalties, require Wisetek to notify potentially affected clients of the data breach, and review their certification auditing and oversight mechanisms.

As of July 2, the petition had drawn 54 signatures from industry stakeholders at ITAD and data security companies, IT asset managers, certification organizations and more.

Certifications respond

E-Scrap News queried the three certifications for comment and received statements from all three.

Corey Dehmey, CEO of Sustainable Electronics Recycling International (SERI), which administers the R2 standard, noted the petition is “wide ranging, but I can say with confidence that the organizations named within it (SERI, e-Stewards, i-SIGMA) are all focused on creating stronger outcomes.”

“Of course, it was disappointing to learn of this situation and there is no argument that data security is paramount to the work that we are all doing,” Dehmey said. “It is unfortunate that one rogue employee’s actions can erode the credibility of good companies, good people, and formal systems that are working to raise the bar in this industry.”

He added SERI takes due process seriously, and noted that “though we rarely publicly share our assurance work, we can say that this has been on our docket.”

There were a few complicating factors in this case from a certification investigation perspective, Dehmey noted. It centered on Wisetek’s Hyattsville, Maryland, facility, which had closed by the time the information came to public light, having relocated to Winchester, Virginia. Prosecutors noted this fact in court documents. From an R2 perspective, that meant the facility in question had an inactive R2 certificate.

“Additionally, as part of an active criminal investigation, that made it challenging to investigate and find meaningful action that the R2 Certification program could take on an inactive R2 Certificate,” Dehmey said. “Since closure of the criminal case, we are working with Wisetek leadership to ensure the root cause was addressed and corrective actions implemented at a company level to prevent a repeat of this outlier case at other certified facilities.”

Jim Puckett, founder and chief of strategic direction at the Basel Action Network, which administers the e-Stewards standard, said in a statement that the certification was created to set a higher bar for accountability in the electronics recovery industry and that “when serious allegations are raised, we listen and act.”

“We are aware of the recent interest in the incidents involving Wisetek and the potential violations of the e-Stewards standard they may raise,” Puckett said. “In light of these concerns, we have initiated an investigation into the matter through our established procedures, including our critical non-conformity process, which allows for meaningful enforcement if and when serious violations are substantiated.”

Puckett added that e-Stewards itself has now signed the petition, and he commended “the broader community for bringing these issues forward and for holding all parties to a higher standard.”

Nathan Campbell, CEO of i-SIGMA, said the organization recognizes “the significance of the incidents involving data theft at Wisetek facilities and the interest they have generated in the community.”

He noted i-SIGMA’s role “remains to assess conformance with certification requirements and to address credible evidence of systemic non-compliance.”

“Consistent with our established procedures, i-SIGMA will formally review this matter to determine whether any additional action or follow-up is appropriate,” Campbell said. “This review will be conducted impartially, guided by our documented standards and processes, and informed by any verifiable evidence available.”

“Secure data destruction is not achieved through certification alone,” Campbell concluded. “It requires disciplined controls, committed management, and engaged clients working together to maintain a transparent, closed-loop chain of custody. We remain committed to continuous improvement and welcome constructive, evidence-based dialogue to strengthen information governance practices across the industry.”

Iron Mountain currently maintains e-Stewards, NAID AAA (administered by i-SIGMA) and R2v3 certification at the U.S. Wisetek facilities in Northborough, Massachusetts, and Sacramento, California. R2 records indicate the Winchester, Virginia, location closed earlier this year.
