Editor’s note: Learn more at the “Cybersecurity in ITAD: Insights from Law Enforcement, Insurance and Industry” panel during the 2025 E-Scrap Conference Oct. 27-29 in Grapevine, Texas.
Key Takeaways
- Compliance, sustainability targets driving data security demands
- Nearly half of end-of-life devices are unnecessarily destroyed
- Data explosion and device upgrades are accelerating device turnover
Emerging compliance and sustainability requirements as well as the exponential growth of data generated by artificial intelligence are driving home the role of responsible data destruction, according to an executive from data-erasure firm Blancco.
Alongside data privacy compliance, the environmental aspect plays a significant role. “It is simply not acceptable to destroy valuable functioning IT equipment in today’s world with today’s technology and opportunities,” Fredrik Forslund, vice president and general manager of international business at Blancco, told E-Scrap News.
“We probably have 10 times more data just today than we had a few years ago,” Forslund said. “So the explosion of data and being able to actually manage the data lifecycle and make an active decision, because this data should be removed, is absolutely critical.”
Several technological developments are accelerating device refresh timelines, Forslund said. For example, companies are replacing IT equipment in favor of AI-ready laptops, as well as in response to the end of support for Windows 10, which tech company Dell expects to last into 2026.
“Windows 10 is a perfect platform for some users, but cannot be accepted for other corporate high-end users, because they have to be fully up to date and run with the latest Windows environments,” Forslund said. “So it will also drive the migration of technology reaching new users, new areas, new organizations based on being sort of pushed down from the development in the markets.”
For example, organizations such as Compudopt and PCs for People refurbish and redistribute devices to those in need.
The missed opportunity inherent in premature destruction was significantly shortened device life – shorter by two to six years depending on the device, the report indicated.
Over nearly 30 years, Blancco has seen a billion-dollar market evolve for secondhand IT, including in procurement policies requiring a certain percentage of refurbished equipment, Forslund said.
Industry standards enforce data security principles
Most ITAD certifications include data destruction and security standards, and the most prominent ones provide detailed data security criteria and require regular audits to verify compliance with those standards, said David Daoud, president and principal analyst for the Compliance Standards consultancy. Daoud also is a contributing writer for E-Scrap News.
Some certifications emphasize data destruction, while others have environmental management or broader operational practices as the primary focus and may or may not specify guidelines for handling data.
Industry certifications that explicitly include data destruction and security criteria are iSigma’s NAID AAA, SERI’s R2 and Basel Action Network’s e-Stewards.
In July, a group of ITAD data security stakeholders called for the three industry certifications to investigate whether a data breach represented a violation of certifications held by Wisetek.
Another instance of improper disposal procedures that led to criminal charges: Used electronics from The Ohio State University were artificially undervalued and disposed of as “scrap,” then sold by downstream vendors who paid kickbacks to the manager of the university’s surplus department.
In fact, the Blancco report noted that electronics thefts were responsible for more data loss than ransomware and stolen credentials, for which the response could lead to the destruction of reusable devices.
Blancco also found that up to half of all devices – from smartphones and tablets, to laptops/desktops and data center assets – were destroyed, and up to 47% of those assets were still operational.
The most common method of destruction also varied by device, with smart devices mostly being factory reset rather than destroyed. As a result of the prevalence of the relatively simple process, the destruction rate for smartphones and tablets is far lower than for the other two categories. However, the manual nature of a factory reset limits efficiency, does not provide erasure verification and lacks an audit trail.
Last month the federal National Institute of Standards and Technology (NIST) released updated guidance on a global security standard that builds on the IEEE Standard for Sanitizing Storage (IEEE 2883) released in 2022. Used in tandem, the standards promote secure sanitization practices that reduce overreliance on hardware destruction, the Blancco report said.
But many enterprises still resort to physical destruction when retiring hardware, due to its simplicity and perception as a secure method, Forslund said, adding that most companies are unaware that efficient processes are available to meet compliance requirements but retain device function.
These organizations “are doing a lot of manual work, one-to-one handling, instead of having something that they can just push through their IT policies as part of workflows and automation.”
That awareness of the available technology is of utmost importance for stakeholders. “You don’t have to take out your hammer and your screwdriver, pull out the drive from the computer and then smash it, because you think that’s your only option,” Forslund said.
