Erasing personal data from the devices you discard is a booming business

“Our first concern is always data, data, data, data,” said Sean Magann, chief commercial officer for Sims Lifecycle Services.

Magann was emphasizing a primary focus of Sims and other IT asset disposition, or ITAD, providers, whose business is managing end-of-life, used and discarded IT equipment, such as smartphones, computers, servers, hard drives and certain medical devices — and the yottabytes of data gathered and stored on them.

Regardless of whether that equipment is pulverized to bits, refurbished for resale or recycled for spare parts and critical materials, one way or another the data on it needs to be erased. Although that’s an increasingly vital role of ITADs — primarily for corporate, government, academic and health care customers — they’re also contracted by municipalities and private waste-disposal companies to remove data from consumers’ devices.

Think swapping out an old smartphone for the latest model at a cellular-service store or recycling unwanted data-storing electronics at the town dump. And don’t forget about modern “smart” cars and trucks, loaded with data-capturing systems, being traded in at dealerships and returned to leasing companies and rental agencies.

Data privacy and protection is the crux of cybersecurity — overseeing how and by whom data is collected, retained and disseminated, as well as ensuring that it doesn’t fall into the wrong hands. Yet despite cybersecurity laws, sophisticated data-wiping software and user safeguards such as identity authentication and encryption, costly data breaches routinely occur.

That’s the dirty work of cyber criminals who keep devising surreptitious ways to hack into improperly handled IT assets, extract data and use it to fuel identity theft, phishing or espionage schemes. A recent report found that stolen devices and drives are a more common method of data loss than either ransomware or stolen credentials.

Nonetheless, there’s often less diligence around data security when it comes time to dispose of electronic devices and IT equipment. Research has shown that it’s difficult to completely delete data from a smartphone or a hard drive, for instance, without some remnants of information left behind — even after the requisite deleting of files and performing a factory reset. That reality has motivated the ITAD industry to not only invest in developing more robust data-erasure tools and standardized processes but also to certify their work to customers.

“ITAD is not anything new,” said Joe Marion, president of the Association of Service, Communication, Data, and ITAD Providers, a nonprofit that represents 250 companies worldwide, 70% of them in the U.S. “There’s been an industry and market for buying and selling used technology for years. Now it has a lot to do with data protection and data privacy,” he said.

“Can you assume that when you turn in your used product that the data is going to be erased? No, you can’t,” Marion said. “You need to get it verified.” Trust, but verify, as the adage goes.

The amount of e-waste is only growing

It helps to understand the sheer volume of end-of-life or unwanted IT assets, referred to as electronic waste or e-waste. In 2022, a record 62 million metric tons of e-waste were produced globally, up 82% from 2010, according to the most recent estimates from the United Nations’ International Telecommunications Union and research arm UNITAR. That number is projected to reach 82 million metric tons by 2030.

The U.S., the report said, amassed just shy of 8 million tons of e-waste in 2022. Yet only about 15-20% of it is properly recycled. The domestic e-waste recycling industry generated $28.1 billion in revenue in 2024, according to IBISWorld, with a projected compound annual growth rate of 8%.

That equates to megatons of e-waste piling up in landfills, where it threatens to leach various types of toxins, but also presents a potential treasure trove for scavengers who rummage for electronics to sell online. As of January 1, 2025, the Basel Convention initiated international restrictions on global e-waste shipments, in part to prevent improper recycling practices.

The U.S. is not among the 190 nations who signed onto the Convention, even though it will have an impact as trading partners implement the new amendments. Many domestic ITADs, however, abide by the e-Stewards certification that aligns recycling practices with the Convention’s principles.

The U.S. ITAD industry as a whole is lightly regulated, though some states monitor e-waste disposal. “I think there’s going to have to be, at some point, government intervention to prevent landfilling of e-waste in our country,” said John Shegerian, CEO of Electronic Recyclers International, a leading ITAD.

ITADs employ three types of data-erasure processes: physical destruction with heavy-duty shredders; specialized wiping software; and degaussing, a method using powerful magnets to demagnetize storage devices. All three can be performed either on-site or at an ITAD’s facilities, and the software option can be done remotely. They each produce verifiable results, based on several different industry certifications, including NIST 800-88, R2v3, NAID AAA, ISO 27001 and e-Stewards. Experts advise that ITAD clients should ask for formal documentation that equipment and data have been destroyed to standards set by one or more of those certifications.

“If done properly, [wiping software] almost 99.999% guarantees that the data is gone,” Magann said. But for some clients, such as data centers and cloud-service providers, “that 0.001% uncertainty is just too much risk. It’s not necessarily their data, but someone else’s. So more often than not, they choose to have it physically destroyed. There’s a certainty in seeing things in little pieces,” he said.

Blancco Technology Services is a provider of data-erasure software and services to major ITADs like Sims and ERI, as well as large OEMs and enterprises that handle sensitive personal, corporate, government and health care data. There are a number of tools embedded in OEMs’ operating systems, like Microsoft’s Autopilot and Intune, that in-house IT teams can use to do some erasure, said Maurice Uenuma, general manager of North American business at Blancco.

“Many of those, though, have been shown to not be complete, because there are in some cases hidden parts of a drive that are not exposed to the end user, but retain some residual data,” he said. “The challenge is being able to erase permanently to a given standard, verify and then provide an audit trail.”

Those steps mitigate the risk of nefarious actors getting access to a physical device, leading to serious, and reputation-harming, incidents, Uenuma said. Without naming names, he referred to two separate breaches involving Morgan Stanley that resulted in $163 million in SEC fines. He also alluded to a 2023 case in which a driver working for a well-established ITAD, Wisetek, stole federal government devices containing sensitive data and resold them.

Uenuma understands the mindset of companies’ IT chiefs who insist on physical destruction as the best way to delete data. “As a fellow paranoid security guy, I get why there’s something visceral, tactile, satisfying about watching a drive being pulverized,” he said. But remnants of data can be retrieved even from shards, so smelting shredded equipment is a final step that customers might prefer — although that process is criticized for emitting toxic fumes.

The environmental impacts of dealing with IT assets

Concerns about the environmental hazards of shredding and landfilling e-waste are driving the ITAD industry to promote its role in the so-called circular economy and its emphasis on reusing, repairing or recycling IT assets. The rush to build AI data-centers has created a scarcity of hard drives and other memory components, Magann said. “So we’re seeing a lot of companies say, If we can’t get new stuff, let’s harvest what’s out there. It’s like going to a junkyard. You can get parts off an old car and it still works,” he said.

Circularity is behind the growing market for recycled metals and rare earths stripped from obsolete electronics. It’s also boosting demand for refurbished smartphones, tablets, computers and smart watches marketed by Verizon, AT&T, Apple, Samsung, Dell, HP and other electronics OEMs, as well as e-commerce resellers such as Back Market, Amazon Renewed, Gazelle and Best Buy’s Geek Squad Certified Refurbished program.

While keeping those devices out of smelters and landfills is laudable, buyers need to be sure that previous owners’ data has been erased. That’s why, for example, when consumers and businesses trade in or upgrade smartphones — even encrypted ones — they’re instructed to back up data, log out of accounts and apps and perform a factory reset to wipe data and disable activation locks.

To provide another layer of data erasure, responsible resellers work with certified ITADs, either shipping them IT assets or having them run remote wiping software from vendors such as Blancco, Phonecheck and Certus. Businesses are usually provided with a certificate of data destruction, though consumers are not.

Waste Management, Republic Services and other waste-disposal companies recycle electronics for their residential and commercial customers. They partner with ITADs for data erasure, though customers are encouraged to perform self-wiping steps prior to pickup. “After we process collected e-waste, residential and commercial customers receive a Certificate of Recycling,” Republic Services said in a statement. “This document confirms compliance with environmental regulations and certifies that all data has been securely destroyed.” 

Automakers are adding an array of data-collecting features to today’s cars and trucks, from infotainment to navigation systems. They’re capable of storing data, often unencrypted, from drivers’ and passengers’ paired phones, including contacts, call logs, text messages, voice recordings, photos, banking information and health-monitoring stats.

Protecting against access to that data by bad actors can be an afterthought. And there are no federal statutes mandating data deletion from returned rental cars — although the General Services Administration has implemented a requirement for data erasure from its fleets — and states’ data-privacy laws don’t specifically cover vehicles.

There are commercially available tools for businesses and consumers to address this vulnerability; however, adoption has been mixed, according to a recent report from Privacy4Cars, a provider of software and solutions exclusively designed to wipe data from vehicles. Fleet management companies, aligned with major automakers and big banks, that administer large corporate fleets do a good job, said Andrea Amico, founder and CEO of Privacy4Cars. “But once you get to smaller fleets or businesses, none of those really follow this process.”

Car rental companies are especially egregious in lacking data-wiping processes, instead putting the onus on customers in agreement paperwork. “If you ask me,” Amico said, “that is nonsense.” Privacy4Cars has documented cases where rental cars were resold or rented again still containing previous renters’ personal information.

Privacy4Cars offers consumers a free data-erasure app, though it’s not as comprehensive as the software it sells to businesses. The company also markets data-erasure solutions to auto dealerships, including a certification for buyers similar to a Carfax or AutoCheck damage report.

Consumer Reports suggests tips for clearing data when selling a vehicle or returning a rental. A critical step is to unpair your phone from the infotainment system, and then remove your personal information from any apps, accounts or cloud-based software associated with the vehicle.

No matter where data is collected and stored, its security — and erasure — is a very serious issue that companies and consumers need to make a priority, Shegerian said. “And now with AI, data is even more important than ever before. It’s very dangerous if the wrong actors get this information.”