The majority of ITAD security failures aren’t the result of targeted cyberattacks but of human error. Human error is even more dangerous because it can happen to anyone, anywhere, and at any time. In 2024, approximately 95% of data breaches were caused by human error inside the facility. Data risk is at its highest during ITAD, particularly at the point where companies hand devices off to an ITAD partner. Let’s explore the top human errors we see causing data leaks and how you can prevent them within your company.
What Is ITAD?
ITAD, or IT asset disposition, is the process of retiring old devices by recycling, reselling, or destroying them, depending on the type of device. This poses a unique risk, because those devices hold large amounts of personal data, and a breach can leak company, employee, and even customer information. During the ITAD process the data is literally changing hands as devices are transferred from the company to the vendor, which is why documentation is extensive and important. One small mishap at this stage can expose personal and confidential data, resulting in lost customers, a damaged reputation, and legal trouble. Understanding these common mishaps can help you put a strategy in place to avoid them in your company.
Common ITAD Security Failures
Implementing strategies, plans, and procedures that help avoid common human errors will help eliminate or significantly reduce the risk of a data leak. Let’s explore the most common types of security failures we see happen during the ITAD process.
Deletion vs Data Sanitization
This is the most common and most dangerous security failure we see in this industry. There is confusion between deletion and data sanitization: many think that deleting a file or factory resetting a device erases all data, but that’s not the case. After a deletion or a reset, the previous contents can still be recovered with readily available software and tools. To properly remove the data, the device must undergo a NIST 800-88 data sanitization process, which defines three levels:
Clear: A basic overwrite. Suitable for low-risk devices.
Purge: A more rigorous process that renders the data unrecoverable even with laboratory-grade recovery tools.
Destroy: Physical destruction of the device, by shredding, incinerating, or disintegrating it, renders all data unrecoverable.
This guideline exists so that companies have an auditable process that makes data recovery infeasible, even against the most capable recovery efforts. All organizations should have a data sanitization policy that aligns with NIST 800-88.
Overlooking Devices That Have Data
There are times when someone may not realize that a device contains data. Many people only think about laptops or servers, but today many different devices store data, including mobile phones, USB drives, and network equipment. A device inventory list helps you keep track of what devices you have and the sanitization or destruction method used for each, which keeps you organized and your documentation compliant.
Chain of Custody
Chain-of-custody tracking is one of the most important parts of the ITAD process because it records everything a device has been through. If there has been a discrepancy in the ITAD process, the chain of custody is where you will find it, since it shows every person and vendor who has had the device in their possession. This documentation must be formal, with signatures and timestamps, for accuracy and compliance.
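As an added example (not part of the original article, and not any vendor’s tooling), the following Python sketch ties the two controls above together: a chain-of-custody ledger whose entries are timestamped, HMAC-signed and linked to the previous entry so that edits, deletions or reordering are detectable, plus an audit that compares the recorded sanitization method with the NIST 800-88 level the asset’s classification requires. The classification-to-method table, asset tags, actor names and signing key are constructed assumptions.

```python
import hashlib
import hmac
import json
# Constructed policy (assumption for this example): required NIST 800-88 method per data classification.
REQUIRED_METHOD = {"low": "clear", "moderate": "purge", "high": "destroy"}
METHOD_RANK = {"clear": 1, "purge": 2, "destroy": 3}  # the three NIST 800-88 levels, weakest to strongest
GENESIS = "0" * 64  # 'prev' link of the first ledger entry

class CustodyLedger:
    """Chain of custody for one asset: timestamped, HMAC-signed entries, each linked to the previous one."""
    def __init__(self, asset_tag, classification, key):
        self.asset_tag, self.classification = asset_tag, classification
        self.key = key  # ledger keeper's secret (constructed for this example)
        self.entries = []
    def _sign(self, body):
        return hmac.new(self.key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    def record(self, event, actor, ts, **details):
        prev = self.entries[-1]["sig"] if self.entries else GENESIS
        entry = {"asset": self.asset_tag, "event": event, "actor": actor, "ts": ts, "prev": prev, **details}
        entry["sig"] = self._sign(entry)  # signature covers the prev link, so the chain is tamper-evident
        self.entries.append(entry)
        return entry["sig"]
    def verify(self):
        """Recompute every link and signature; False if an entry was altered, dropped or reordered."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "sig"}
            if body["prev"] != prev or not hmac.compare_digest(self._sign(body), e["sig"]):
                return False
            prev = e["sig"]
        return True
    def sanitization_gaps(self):
        """Audit findings: broken chain, no sanitization recorded, or method below policy."""
        findings = []
        if not self.verify():
            findings.append("custody chain fails verification")
        required = REQUIRED_METHOD[self.classification]
        done = [e for e in self.entries if e["event"] == "sanitized"]
        if not done:
            findings.append(f"no sanitization recorded; {required} required")
        elif METHOD_RANK[done[-1]["method"]] < METHOD_RANK[required]:
            findings.append(f"{done[-1]['method']} recorded but {required} required")
        return findings

def demo():
    lg = CustodyLedger("LT-0042", "high", b"constructed-demo-key")  # constructed sample: high-class SSD
    lg.record("collected", "facilities", "2024-06-01T09:00:00+00:00")
    lg.record("handed_to_vendor", "itad-vendor", "2024-06-01T14:30:00+00:00")
    lg.record("sanitized", "itad-vendor", "2024-06-03T10:15:00+00:00", method="purge")
    return lg
```

Running `demo().sanitization_gaps()` reports that only a purge was recorded where the policy requires destroy, and changing any field of an earlier entry makes `verify()` fail.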
Choosing an Unqualified Vendor
Choosing an ITAD vendor should be a detailed process; ensuring that the vendor is certified and qualified is essential. Letting devices fall into the wrong hands can lead to catastrophic data leaks that destroy a company’s reputation. In the Morgan Stanley case, for example, the firm hired a moving company to decommission hard drives and servers that contained patient information. This was done to save about $100,000; it led to fines totaling over $163 million. Organizations should choose only vendors that are qualified ITAD vendors and hold the required certifications.
No ITAD Policy
Every organization should have a detailed ITAD policy that lays out every step of the process. Organizations without one tend to end up doing massive one-time clear-outs, which are more likely to result in human error as staff work through all the devices at once. You should have a formal, recurring schedule for IT asset disposition, with timelines and documented procedures, to keep things on track and meet documentation and tracking requirements. Assigning an owner to each step in the process maintains accountability and lets you track who is doing what.
Your ITAD Process Is More Important Than You Think
The IT asset disposition process is extremely important, as it is the riskiest area for security breaches. These breaches typically aren’t the work of hackers; they are caused by human error, which makes them even more dangerous. According to IBM, the average cost of a data breach was about $4.88 million in 2024, and ITAD breaches tend to cost even more because of the fines and litigation involved. To keep your organization in compliance and avoid security risks, it’s important to have an ITAD plan that addresses security, processes, documentation, and compliance. If you don’t have a process in place, now is the time to establish one so you can avoid costly security breaches.