Erasing personal data from devices discarded is a booming business

Our first concern is always data, data, data, data," said Sean Magann, chief commercial officer for Sims Lifecycle Services. Magann was emphasizing a primary focus of Sims and other IT asset disposition, or ITAD, providers, whose business is managing end-of-life, used and discarded IT equipment, such as smartphones, computers, servers, hard drives and certain medical devices — and the yottabytes of data gathered and stored on them. Regardless of whether that equipment is pulverized to bits, refurbished for resale or recycled for spare parts and critical materials, one way or another the data on it needs to be erased. Although that's an increasingly vital role of ITADs — primarily for corporate, government, academic and health care customers — they're also contracted by municipalities and private waste-disposal companies to remove data from consumers' devices. Think swapping out an old smartphone for the latest model at a cellular-service store or recycling unwanted data-storing electronics at the town dump. And don't forget about modern "smart" cars and trucks, loaded with data-capturing systems, being traded in at dealerships and returned to leasing companies and rental agencies.

Data privacy and protection is the crux of cybersecurity — overseeing how and by whom data is collected, retained and disseminated, as well as ensuring that it doesn't fall into the wrong hands. Yet despite cybersecurity laws, sophisticated data-wiping software and user safeguards such as identity authentication and encryption, costly data breaches routinely occur.

That's the dirty work of cyber criminals who keep devising surreptitious ways to hack into improperly handled IT assets, extract data and use it to fuel identity theft, phishing or espionage schemes. A recent report found that stolen devices and drives are a more common method of data loss than either ransomware or stolen credentials.

Nonetheless, there's often less diligence around data security when it comes time to dispose of electronic devices and IT equipment. Research has shown that it's difficult to completely delete data from a smartphone or a hard drive, for instance, without some remnants of information left behind — even after the requisite deleting of files and performing a factory reset.

That reality has motivated the ITAD industry to not only invest in developing more robust data-erasure tools and standardized processes but also to certify their work to customers. "ITAD is not anything new," said Joe Marion, president of the Association of Service, Communication, Data, and ITAD Providers, a nonprofit that represents 250 companies worldwide, 70% of them in the U.S. "There's been an industry and market for buying and selling used technology for years. Now it has a lot to do with data protection and data privacy," he said.

Can you assume that when you turn in your used product that the data is going to be erased? No, you can't," Marion said. "You need to get it verified." Trust, but verify, as the adage goes.

The amount of e-waste is only growing

It helps to understand the sheer volume of end-of-life or unwanted IT assets, referred to as electronic waste or e-waste. In 2022, a record 62 million metric tons of e-waste were produced globally, up 82% from 2010, according to the most recent estimates from the United Nations' International Telecommunications Union and research arm UNITAR.

That number is projected to reach 82 million metric tons by 2030. The U.S., the report said, amassed just shy of 8 million tons of e-waste in 2022. Yet only about 15-20% of it is properly recycled.

The environmental impacts of dealing with IT assets

The domestic e-waste recycling industry generated $28.1 billion in revenue in 2024, according to IBISWorld, with a projected compound annual growth rate of 8%. That equates to megatons of e-waste piling up in landfills, where it threatens to leach various types of toxins, but also presents a potential treasure trove for scavengers who rummage for electronics to sell online.

As of January 1, 2025, the Basel Convention initiated international restrictions on global e-waste shipments, in part to prevent improper recycling practices. The U.S. is not among the 190 nations who signed onto the Convention, even though it will have an impact as trading partners implement the new amendments.

Data erasure — a critical step

Many domestic ITADs, however, abide by the e-Stewards certification that aligns recycling practices with the Convention's principles. The U.S. ITAD industry as a whole is lightly regulated, though some states monitor e-waste disposal.

"I think there's going to have to be, at some point, government intervention to prevent landfilling of e-waste in our country," said John Shegerian, CEO of Electronic Recyclers International, a leading ITAD. ITADs employ three types of data-erasure processes: physical destruction with heavy-duty shredders; specialized wiping software; and degaussing, a method using powerful magnets to demagnetize storage devices.

All three can be performed either on-site or at an ITAD's facilities, and the software option can be done remotely. They each produce verifiable results, based on a several different industry certifications, including NIST 800 88, R2v3, NAID AAA, ISO 27001 and e-Stewards.

Experts advise that ITAD clients should ask for formal documentation that equipment and data have been destroyed to standards set by one or more of those certifications. "If done properly, [wiping software] almost 99.999% guarantees that the data is gone," Magann said.

The role of ITAD in the circular economy

But for some clients, such as data centers and cloud-service providers, "that 0.001% uncertainty is just too much risk. It's not necessarily their data, but someone else's. So more often than not, they choose to have it physically destroyed.

There's a certainty in seeing things in little pieces," he said. Blancco Technology Services is a provider of data-erasure software and services to major ITADs like Sims and ERI, as well as large OEMs and enterprises that handle sensitive personal, corporate, government and health care data.

There are a number of tools embedded in OEMs' operating systems, like Microsoft's Autopilot and Intune, that in-house IT teams can use to do some erasure, said Maurice Uenuma, general manager of North American business at Blancco. No matter where data is collected and stored, its security — and erasure — is a very serious issue that companies and consumers need to make a priority, Shegerian said.

Protecting against access to vehicle data

Automakers are adding an array of data-collecting features to today's cars and trucks, from infotainment to navigation systems. They're capable of storing data. often unencrypted, from drivers' and passengers' paired phones, including contacts, call logs, text messages, voice recordings, photos, banking information and health-monitoring stats.

Protecting against access to that data by bad actors can be an afterthought. And there are no federal statutes mandating data deletion from returned rental cars — although the General Services Administration has implemented a requirement for data erasure from its fleets — and states' data-privacy laws don't specifically cover vehicles.

Consumer data protection is key to car security

There are commercially available tools for businesses and consumers to address this vulnerability, however, adoption has been mixed, according to a recent report from Privacy4Cars, a provider of software and solutions exclusively designed to wipe data from vehicles. Fleet management companies, aligned with major automakers and big banks, that administer large corporate fleets do a good job, said Andrea Amico, founder and CEO of Privacy4Cars.

"But once you get to smaller fleets or businesses, none of those really follow this process." Car rental companies are especially egregious in lacking data-wiping processes, instead putting the onus on customers in agreement paperwork. "If you ask me," Amico said, "that is nonsense."

Erasing personal data — a simple yet complex task

Privacy4Cars has documented cases where rental cars were resold or rented again still containing previous renters' personal information.

Privacy4Cars offers consumers a free data-erasure app, though it's not as comprehensive as the software it sells to businesses. The company also markets data-erasure solutions to auto dealerships, including a certification for buyers similar to a Carfax or AutoCheck damage report.

Data security is the responsibility of all

Consumer Reports suggests tips for clearing data when selling a vehicle or returning a rental. A critical step is to unpair your phone from the infotainment system, and then remove your personal information from any apps, accounts or cloud-based software associated with the vehicle.