Data Destruction 101

Posted by Charles Veprek

Oct 18, 2023 8:45:00 AM

Navigating the complexities of IT asset disposition (ITAD) can be challenging, especially when faced with the critical task of data destruction. This process is not only crucial in safeguarding sensitive corporate information but also personal data that could be vulnerable to unauthorized access.

What is Data Destruction?

Data destruction is simply the process of ensuring that unwanted or obsolete data is removed beyond recovery. Two primary methods dominate this realm: logical sanitization (i.e.- Data Erasure) and physical destruction (i.e.- hard drive shredding).

What is Data Erasure?

Data erasure is a deep-cleaning service for your hard drive. Instead of merely deleting files, which can still be recovered, data erasure overwrites existing data, ensuring it's gone for good. One major perk? The hard drives can be reused, promoting sustainability and environmental responsibility.

DALL·E 2023-10-16 13.42.56 - Illustration of a shredded hard drive, with binary code particles dispersing, symbolizing the data destruction process

What is Hard Drive Shredding

Hard drive shredding involves destroying the hard drive entirely. Imagine paper being put through a paper shredder, hard drive shredding will break and cut the drive into much smaller pieces. Very much like document destruction – once it’s done, there’s no going back.

Which data destruction method is the best?

Data destruction is not a one-size-fits-all answer. Factors like the nature of the data, its confidentiality level, and industry regulations play a role. If your company has a well written and robust ITAD management process, those requirements are likely found there based on guidance from the NIST 800-88 r1. If not, check with your IT security team.

The Final Byte on Data Destruction

Ensuring the proper disposal of data shields against unforeseen threats. In our interconnected digital world, the sanctity of data is paramount. Whether you're leaning towards eco-friendly data erasure or the finality of hard drive shredding, each choice reflects a commitment to security.


The Line of Trust in ITAD

Posted by Charles Veprek

Sep 13, 2023 11:54:15 AM

When it comes to IT asset disposition (ITAD), trust is paramount. But where do you draw the line? There are two pivotal questions to ponder:

  • Where is your line of demarcation?
  • What influences the placement of that line?

For many, this line is driven by either fear or comfort. However, it's crucial that this boundary is determined by well-established industry and internal policies. If fear is the driving force, the logic behind the placement can easily crumble.

Consider this: if a mere certificate stating that a hard drive has been destroyed doesn't suffice, what about the paperwork for the printer, CRT monitor, or lithium-ion batteries that were recycled correctly? Does that documentation assure you that all protocols, spanning local, state, and federal laws, were adhered to? Many trust their vendor for end-of-life disposition but hesitate when data security is in question. This dichotomy begs the question: what drives one to trust in some areas but not others?

The Role of Policies and StandardsWhite digital padlock over circuit board ground

The foundation of any ITAD process should be rooted in both internal and external standards. These guidelines should be meticulously documented, offering clear directives that users can adhere to. One of the most recognized standards concerning data security is the NIST 800-88. This document offers invaluable insights on data destruction based on the device's security categorization. Moreover, it outlines recommendations for validation and documentation standards. By leveraging a standard like the NIST 800-88, organizations can adopt a consistent approach to data security, backed by logical reasoning.

Trust, But Verify

While trust is an essential component of any vendor relationship, it's equally crucial not to operate blindly. Due diligence is non-negotiable. Ensure your vendors possess the necessary third-party certifications, have adequate insurance coverage, and can provide robust references. Annual audits, including on-site visits, are highly recommended. Regular spot checks and risk assessments based on vendor feedback are also vital. As the age-old adage goes, "trust but verify."

By amalgamating a comprehensive policy crafted using industry and internal standards, coupled with rigorous vendor due diligence, you can establish not just a compliant program but one that instills genuine trust. In the ITAD world, trust is more than just a piece of paper; it's a commitment to excellence, security, and environmental responsibility.


IT Asset Management Group Joins Podcast Episode of Defense in Depth: Data Destruction

Posted by Frank Milia

Feb 18, 2021 10:56:08 AM

David Spark (@dspark), producer of CISO Series, guest co-host Shawn Bowen, CISO, Restaurant Brands International (RBI), and sponsored guest, Frank Milia, partner, IT Asset Management Group recently did a deep dive into data destruction on the Defense in Depth podcast: Data Destruction.   

The conversation was thought provoking, but we really just scratched the surface over a twenty five minute discussion.  Check it out below and feel free to connect with us to further the conversation.  


You can listen to the podcast here:


on your favorite app like Spotify or Apple Podcasts  


Poorly managed IT asset disposal, lack of due diligence, and a disposal program without clearly defined responsible parties has now resulted in millions of dollars in regulatory penalties.  Is it clear who is responsible for the performance of your data disposition practice?   IT Asset Management Group’s free program guide includes tips for establishing stakeholders at your organization and expectations for all practitioners.      

Download the program guide today at



Topics: IT Asset Disposal, data destruction, ITAD, Information Security

A Big Lesson From a $60M Fine for Poorly Performed Data Disposition

Posted by Frank Milia

Oct 13, 2020 9:59:39 AM

Last week the Department of the Treasury OCC levied a $60 million dollar fine to Morgan Stanley for data breaches that occurred from poorly managed IT asset disposition projects associated to data center decommissioning activities in 2016 and additional disposal events in 2019. 

In a recent consent order the OCC describes that the bank “…failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.”

The responsibility to stop unauthorized access to protected data is disproportionately the responsibility of the data controller, in this case Morgan Stanley. Detailing all of the security controls required to lower risk would not be possible in this short article. In reality there is no one tool, vendor, process, method, policy, or procedure that one could point to that would have guaranteed the bank hundred percent security. 

Secure management of data disposition, especially for large enterprises, requires a robust program that includes policies, procedures, assigned accountability, employee training, contracting and vendor due diligence requirements, and a process for strict oversight of activities all working together to minimize the risk of exposure and regulatory non-compliance.  

From a reading of the previously mentioned description from the OCC it would be easy to characterize Morgan Stanley’s management of these data disposition activities as a failure by every measure.   However, it is the following accusation by the OCC that most likely explains why the fine is so high “The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance”.   

Due Diligence on Black-Golden Watch Face with Closeup View of Watch Mechanism.

Typically, regulatory fines are reduced when the organization under investigation is able to prove that reasonable steps to protect private data were taken. In other words, mistakes will happen but if an organization can display that they have formal and documented data disposition procedures that includes vendor due diligences the penalties for an incident will likely be reduced.

At this time Morgan Stanley has yet to disclose the vendors utilized to perform these services. Considering the OCC’s claims that the bank failed to perform due diligence and oversight of the vendor’s practices it is likely that Morgan Stanley is unable to effectively shift the liability and financial responsibility to the contractor. 

Although there is no legal mechanism for Morgan Stanley to be indemnified of their regulatory obligations, they theoretically would be able to recoup some of the financial impact of the fine if there were well written contracts, documented performance testing and due diligence records. 

Performing documented due diligence in vendor selection and ongoing auditing of a vendor’s practices will significantly reduce the financial impact of breach or other regulatory non-compliance by reducing fines and ensuring an effective method for suing vendors that break contractual obligations. Vendor due diligence should include documented investigation of a vendor’s policies, procedures, methods, breach notification systems, training programs, third party certifications and key management system protocols at selection and at minimum on an annual basis. 

In the most simplest terms it appears that Morgan Stanley did little to deter these breaches from occurring, but the impact of the breaches were multiplied by the inability to establish that any care was taken in their approach to data disposition and vendor management. 

Every organization is at a risk of data breach or regulatory fine associated to poor data disposition. The only way to both minimize the likelihood of an exposure and reduce the financial impact if one would to occur is by investing in your data disposition program and ensuring internal and external stakeholders are regularly tested, results are documented, and corrective actions implemented when applicable. 


Looking to reduce your risks from IT asset disposal?

Get the Best Practices Guide Today:

Learn More


Topics: IT Asset Disposal, data breach, education & tips, IT Asset Disposition, Risk Management

Lowering the Carbon Footprint of IT Asset Disposition

Posted by Frank Milia

Feb 14, 2020 9:37:41 AM

We here at IT Asset Management Group (ITAMG) regularly come across regional organizations such as universities, hospitals, media companies and local banks that are engaged with disposal providers that ship their retired IT equipment several hundred or even a thousand miles away to be processed.

Regional businesses and generators can drastically lower their costs and carbon footprint by switching to local, certified, and qualified IT asset disposal providers. National and global enterprises have a more complicated challenge to reducing ITAD related emissions than their regional counterparts (a longer post for another day).

Due to this, I would argue regional organizations have an even higher environmental and social obligation to source local vendors and significantly outperform the environmental impact of their peers that have global footprints.

Truck Pics

Local providers will also likely manage and operate in-house trucking, technicians and moving teams that will be typically perform better and be held more accountable for performance at the client site than providers that exclusively rely on third party transportation resources.

By using local trucking companies you also reduce the risk of a breech event or exposure related to third party transport of the material.     

Simply put, choosing local is good for our environment, improved performance of the disposal program, and is better for your bottom line.

If your firm is a regional organization (or otherwise) please consider reviewing your program to see if lowering carbon footprint through sourcing local vendors is an option available to you.  

Are you evaluating IT asset disposition providers?  Please use the following link to let us know how we can specifically help you: 

Get Customized Help


Topics: IT Asset Disposal, IT End of Life Strategy, ITAD, eWaste Disposal, Green Technology Procurement, IT Asset Disposal NY


ITAD Guidance

Stay informed on important IT asset management topics.

Our posts focus on IT management, data security, and computer hardware from the unique perspective of IT asset disposal experts.

Subscribe and you will stay on top of:

  • IT procurement trends and analysis
  • Data security methods and best practices
  • Compliance tools and updates

Subscribe to Email Updates

Responsible Recycling logo

Recent Posts

Visit our Main Site at: