
Insurance experts at the E-Scrap Conference warned that weak contracts, loose custody and basic cyber gaps leave data exposed long after devices leave service. | Photo by Big Wave Productions
Data risk does not end when a device is unplugged or loaded onto a truck, and the confusing middle ground between office closet and shredder line carries cyber exposures, warned insurance and IT asset disposition experts at the 2025 E-Scrap Conference.
Moderated by Jennie Gift of i-SIGMA, the session brought together insurance producer Daniel Mackarevich of Marsh and Greentec founder and CEO Tony Perrotta to examine how cyber crime, contracts and insurance intersect with day-to-day ITAD work.
Gift told attendees that “data doesn’t just disappear when electronics are recycled, whether it’s a laptop, a server or a mobile device,” and she said retired technology can still hold valuable and sensitive information that must be managed carefully.
Perrotta described how risk often begins on the customer side, long before a certified processor gets involved. Clients let obsolete equipment pile up in storage rooms because internal IT teams are focused on deploying new hardware instead of retiring old gear, he said, and Greentec staff may find mixed pallets of electronics that include laptops, hard drives and USB sticks that have not been inventoried.
He said clients “typically don’t want to put more resources into it, so it’s often left and it’s piled up,” which can leave organizations unaware of what data-bearing devices they still hold.
Mackarevich said some of the insurance claims he has seen do not come from the data destruction room itself but from what happens between the client dock and the ITAD facility. He described incidents where trucks carrying high-value equipment were robbed after leaving secure sites and said theft can also occur inside plants when employees or visitors remove devices before they are wiped.
Beyond physical loss, Mackarevich said ITAD operators face the same “quintessential” cyber issues as other businesses, including ransomware and business email compromise attacks that target corporate networks and generate ancillary costs.
From an insurance standpoint, he said carriers are currently more focused on cyber hygiene such as multi-factor authentication, backups and software patching than on the specifics of data destruction workflows. For ITAD firms, he recommended integrated professional and cyber liability policies that treat service errors and cyber incidents within a single structure, to avoid a dispute over where each part of a claim is covered.
Both speakers said certifications can help answer underwriters’ questions in advance about controls and documented procedures. Perrotta pointed to NAID AAA, R2 and e-Stewards as frameworks that require companies to show how they manage background checks, secure areas, video surveillance and locked, monitored trucks.
“If you can get certified, get the [NAID] AAA,” he said, calling the certification “a really good foundation” that helps companies identify data security risks on the physical side.
He added that operators need to understand the exact scope of their certificates, since different categories cover on-site destruction, plant-based shredding and data erasure work.
Contracts were another major focus, and Mackarevich urged ITAD providers to scrutinize service agreements and business associate agreements, particularly in health care, for indemnification language that pushes broad breach costs onto vendors. He added that operators should be wary of contractual demands for high cyber limits.
Perrotta said some public sector customers have asked for cyber limits as high as $10 million and advised companies to have brokers review those demands so they do not take on disproportionate liability for relatively small jobs.
Both speakers encouraged attendees to have their own business associate agreement templates and limitation of liability clauses, rather than relying entirely on customer forms. Clear wording around when assets transfer into ITAD custody and which party is responsible for technical safeguards can help avoid disputes after an incident, they said.
When a breach does occur, Perrotta said, operators need a written response plan that accounts for legal timelines. In his jurisdiction, companies have 30 days to identify, investigate and report a breach. Mackarevich added that cyber policies typically allow firms to bring in counsel early, establish attorney-client privilege and coordinate the forensic investigation.
Looking ahead, Mackarevich said the industry’s growing interest in automation could create new types of business interruption risk, and heavily automated operations could be forced to halt work if a ransomware attack takes control systems offline.
Perrotta said that as companies deploy tools such as artificial intelligence and automated lines, they should perform risk assessments and expand staff training so technicians understand they cannot use or share any information they see when devices are powered up for testing and wiping.
