Avoid a data breach - government ITAD must-dos



August 23, 2023

A single data breach costs $2 million. Can you afford it?

Many government agencies are unaware of the risks associated with improper IT asset disposition (ITAD). Equipment like laptops, hard drives, phones, and other mobile devices is a vital part of a government agency's larger information management system and contains sensitive government data and citizen PII. If you don’t track your end-user tech throughout its lifecycle and the decommissioning process, you are left exposed to costly data breaches.

To mitigate the risks, it is important to have a secure plan to dispose of your old or unused IT assets. Don’t take the risk - here are six must-dos when introducing an ITAD program for your organization.

1. Establish a policy

Sure, this may seem like an obvious first step, but a recent study by Foundry showed more than 40% of organizations do not yet have a formal ITAD strategy in place. Start by establishing a policy that includes a detailed description of the IT assets you currently have and a list of the ones that need to be disposed of.

2. Understand that data security risk is real

Prior to disposition, organizations should securely destroy data on IT assets, including sensitive citizen data, financial information, or intellectual property. The Foundry study also showed that 56% of organizations were disposing of assets in the trash and 79% were storing obsolete assets on-premises. The consequences of data breaches can be catastrophic, leaving you open to massive financial losses and security threats. When it comes to your data, consider the level of risk that may be present if any of it falls into the wrong hands.


According to the IBM Cost of a Data Breach Report, each public sector incident costs $2.07 million on average. Is your agency willing to blindly gamble with this level of risk?


4. Require certificates of data destruction

You should receive a certificate of data destruction from your ITAD provider, which will be important to demonstrate compliance with data security regulations. This certificate typically includes details like the make and model of the equipment that was sanitized (a common ITAD term that refers to the complete erasure of all data from a piece of equipment), the date the data was destroyed, and the name of the company that performed the destruction.

5. Monitor and audit your ITAD program

Regular monitoring and auditing of your organization’s ITAD program is crucial. Meeting security and compliance regulations is a big challenge in ITAD but one that cannot be ignored for two important reasons. First, regulatory bodies can impose non-compliance fines and other financial penalties. And second, the consequences of poor ITAD open your organization to reputational damage in a big way – do you want to be responsible for the identity theft of a citizen?

6. Choose a trusted ITAD partner

It’s important to select an ITAD partner that is certified and compliant with industry standards such as the R2 standard for Responsible Recycling and the National Association for Information Destruction (NAID).

Key questions you should be asking a potential ITAD partner include:

  • Do you have a strong reputation with many years of experience?
  • Do you own your own fleet of trucks and processing facilities?
  • Can you generate high levels of cost savings through remarketing or repurposing?
  • Can you grow with my organization?
  • Can you help avoid scandals and liability payouts?
  • Can you help achieve my organization’s ESG requirements?

At Iron Mountain, no data has been recovered from drives we have decommissioned. Ever. The stakes have never been higher. Learn more about what sets our IT asset disposition services apart from the rest.
