From data and brand security to ESG and value recovery, these questions will help you select the right IT asset disposition (ITAD) provider for your needs.
Executive Summary
When working with a major IT asset disposition (ITAD) vendor, e-waste is defined as any equipment, cell phones, desktops, laptops, servers, networking equipment, televisions, and computer parts.
Finding the right ITAD vendor will protect you from data breaches, increase return to your bottom line, align with and enhance your ESG program, and keep you out of litigation for improper disposal.
These items typically carry chemicals such as lead, barium, mercury, beryllium, cadmium, sulfur, and hexavalent chromium, just to name a few. There are many aspects that need to be considered when finding the right vendor to reuse or recycle your assets. Data and brand security, environmental and legislative compliance, and maximizing asset value recovery (ROI) are three primary considerations that need to be addressed. In the long run, finding the right vendor will protect you from data breaches, increase return to your bottom line, and keep you out of litigation for improper disposal.
This document details the critical, must-ask questions when evaluating ITAD providers. By focusing on the responses to these key questions, you can ensure that your ITAD vendor will meet or exceed your expectations for data and brand security, compliance, and value recovery.
Data and Brand Security
The majority of resources used to protect data are focused, and rightfully so, on cyber threats. However, organizations often forget one very critical threat – data breaches that occur after your assets are no longer deployed. To ensure you are working with an ITAD provider that keeps this threat top-of-mind, be sure to ask the following questions:
NAID AAA certification, among other guidelines and standards, help to ensure that your ITAD provider is taking the necessary precautions when handling and disposing of potentially sensitive client data.
What security certifications do you hold? What standards do you apply for data sanitizing?
While numerous standards exist, the premier certification for ITAD vendors is National Association of Information Destruction (NAID) AAA. All companies that have received NAID AAA Certification are subject to regularly-scheduled onsite audits by trained, accredited security professionals. In addition, random, unannounced audits are conducted.
The NAID AAA Certification Program reviews employee background screening and training, compliance with written procedures, access controls, operational security, destruction equipment, and confidentiality agreements. It also ensures transparency amongst certified companies. NAID AAA Certification audits are available to clients, as will as to the public, at no charge. Clients may subscribe to emails alerting them to a provider’s status (renewal, lapse, and audits).
In addition to NAID AAA Certification, there are other guidelines and standards that, while not certifications, help ensure ITAD vendors are committed to data security.
Ensuring that confidential data is not released outside the company is the main concern when embarking on a digital media sanitization project. The National Institute of Standards and Technology (NIST) has developed Guidelines for Media Sanitizations (NIST 800-88) to help organizations determine the best method for sanitizing hard disk drives. This standard provides recommendations based on your company’s required data confidentiality level to help you choose from these three methods for hard drive destruction: 1) erasing, 2) degaussing, and 3) shredding.
The Department of Defense standard for sanitization (DoD 5220-22m) exists to counter digital data remanence. Digital remanence is residual data left after at least one attempt has been made to degauss, overwrite, or encrypt data. Digital media is difficult to erase, and these procedures will prevent all softwarebased, and most (if not all hardware-based, file recovery methods from retrieving information from a hard disk drive.
Do you carry cyber liability insurance?
Cyber liability insurance covers the first- and third-party risks associated with doing business online or the disposal of sensitive information. A company should have at least $10 million in coverage to keep the business functioning in the event of a data breach due to the disposition process. You should inquire if your ITAD vendor is adequately covered by this insurance.
Do you background screen all employees?
Understandably, you depend on your ITAD provider to protect the security of your information. One critical component in securing your data is ensuring that your vendor conducts criminal background checks, which review the history of its potential employees over the last 7 years. Two key benefits of working with an ITAD company that performs background checks are:
Protection from liability – In the unlikely event of a data breach, you would want to be able to tell your lawyer that your ITAD vendor had an extensive employee screening process to protect against this occurrence.
Protection against a data breach – The last place you want your data to end up is in a criminal’s hands. Employee background checks provide extra protection against a data breach and demonstrate that your data destruction vendor is committed to security when dealing with sensitive information.
Physical facility security play a major role in protecting your data. Make sure your provider requires proper employee screening and video surveillance.
How many surveillance cameras are in your facility? How long do they store information? How often do you audit footage?
When evaluating a vendor, find out if its facility has enough video surveillance to ensure adequate security. A good rule of thumb is one camera for every 2500 square feet. Following that guideline, a 250,000 square-foot facility should have a minimum of 100 cameras to cover almost every angle in the building.
Most inbound shipments are weighed, processed, and reconciled within a month. Therefore, shortages, missing inventory, or any other discrepancies should be discovered within 30 days. To be safe, your ITAD vendor should keep all video surveillance footage for at least 90 days. Additionally, all footage should be audited for theft, accidents, etc. at least every month.
How long does it take to schedule a pick-up and for the pick-up to occur? Do you have a secure area for the initial delivery?
The two most vulnerable times for a data breach to occur are once equipment is designated for disposition and when it first arrives at your ITAD vendor’s facility. Your provider should be able to schedule a pick-up within 24 hours and execute the pick-up within 72 hours. Once the equipment is delivered to the facility, it should be stored in a secure area specifically designated for new deliveries to ensure its safety until it’s processed.
Does your company provide a secure chain of custody?
Your ITAD vendor should accept responsibility for your equipment once it is loaded onto their trucks and take it directly to the processing facility. If this is not the case, you may want to request reasoning as to why your material is not being delivered directly to the processing facility.
A completely secure chain of custody means that your vendor conducts pick-up, receipt, reconciliation, and end-of-life processing, refurbishment, data destruction, and commodity harvest all under one roof. The more your vendor subcontracts services to other vendors, the weaker the chain of custody is on your material from shipment to final disposition.
The more your vendor subcontracts services to other vendors, the weaker the chain of custody is on your material from shipment to final disposition, leaving your brand and data vulnerable.
Can I take a tour of your facility?
Be wary of an ITAD vendor that refuses to let you tour its facility. When selecting a vendor, you should always tour the facility and look for these warning signs:
- Are there large, unorganized stockpiles of IT equipment lying around? This could be a sign of a company in financial trouble.
- Are all employees wearing security badges? Identification of strangers in the facility is paramount to security.
- Is the facility highly organized? There should be designated areas for each step of the process.
- Are the workers willing to discuss their experiences? Does your vendor promote a respectful culture?
- Are multiple stakeholders involved during the tour? Your vendor should have multiple subject matter experts from operations, data security, value recovery, and brand protection.
Environmental Compliance and ESG
Proper disposition of IT assets can be confusing. There are hundreds of ITAD vendors in the United States, and unfortunately, the instances of improper disposition have skyrocketed. Please keep in mind, if your ITAD provider illegally disposes of your IT equipment, you are responsible and can be fined by the EPA. By asking the following questions, you can help lower your risk and ensure you select a vendor that either meets or exceeds all applicable environmental regulations.
The two major environmental industry certifications are R2v3 and e-Stewards. If your ITAD vendor doesn’t hold at least one of these certifications, you are putting yourself, your business, and your brand at risk.
What are your certifications?
There are dozens of environmental certifications, but the two major ones are R2v3 and e-Stewards. If your ITAD vendor doesn’t hold at least one of these certifications, you are putting yourself, your business, and your brand at risk. It is important to note that some providers will state that they “follow,” “adhere to,” or “are compliant” with R2v3 and e-Stewards certifications. This doesn’t make them certified, and again, you are exposing yourself to risk.
R2v3 – This certification establishes responsible recycling (R2) practices for the recycling of electronics globally. It was developed by a multi-disciplinary group created by the EPA and is managed by the non-profit organization Sustainable Electronics Recycling International (SERI). The R2v3 standard:
- Requires annual audits
- Incorporated environmental, health, safety, and security factors surrounding materials that contain mercury, CRT glass, barium, etc., into specific procedures
- Does not allow toxic dumping in incinerators or landfills, or within non-Organization for Economic Cooperation and Development (OECD) countries
e-Stewards – The e-Stewards Standard for Responsible Recycling and Reuse of Electronic Equipment was developed by the Basel Action Network (BAN), a non-profit organization focused on eliminating toxic trade.
The e-Stewards Standard:
- Forbids transboundary movements for non-functioning IT assets to underdeveloped countries
- Prohibits forced labor (this issue is not covered in the scope of the R2v3 Standard)
- Requires annual audits
Other certifications
ISO-14001 – This certification, developed by the International Organization for Standardization (ISO), establishes an environmental management plan as a part of an organization’s Integrated Management System (IMS). The certification combines a commitment to the adherence of all environmental laws and proper end-of-life disposition of IT equipment with workplace safety and procedures.
ISO-9001 – Typically more well-known than ISO-14001, the ISO-9000 family addressed various aspects of quality management. ISO-9001 sets out the criteria for a quality management system based on a number of principles including a strong customer focus, the motivation and implication of top management, the process approach, and continual improvement. According to ISO, this standard helps ensure that customers get consistent, good quality products and services.
Certification in IT Asset Disposition (CITAD) – This individual certification prepares your vendor’s account managers to oversee the IT asset disposal process within an organization. CITAD educates individuals on best practices for IT asset disposition, security, and resale. This certification is governed by the International Association of Information Technology Managers (IAITAM).
An ITAD provider with a strong ESG program will have conducted a benchmarking assessment of their practices relative to the industry as well as current trends, regulations, and initiatives.
What is your ESG strategy and how do you ensure alignment with your customers’ goals and values?
For a broad range of organizations, ESG goals are increasingly rigorous and complex. Not surprisingly, the pathway forward may seem unclear. This can be especially true when choosing a partner to provide electronics and materials lifecycle management, including ITAD and e-waste recycling. Do the vendor’s ESG values align with those of your organization? Do they make it easy to obtain accurate, up-to-date data on potentially avoided scope 3 emissions from the materials they process for you? How transparent and comprehensive is their ESG reporting?
Look to partner with an ITAD provider who has identified which factors are crucial to both their ESG performance and their customers’ performance in accordance with widely accepted standards such as SASB, TCFD, or GRI. An ITAD provider with a strong ESG program will have conducted a benchmarking assessment of their practices relative to the industry as well as current trends, regulations, and initiatives. They should have a robust and readily available ESG report that covers:
- Environmental impacts — encompassing management of hazardous materials, greenhouse gas emissions, and energy management
- Social impacts — including data security, workforce health and safety, labor and employment practices, human capital strategy, and community engagement
- ESG governance — a multifaceted strategy, involving an ESG task force, corporate responsibility team, and/or sustainability committee, to effectively manage environmental and social risks
- ESG performance metrics and indices — comprehensive reporting on hazardous waste management, greenhouse gas emissions, energy management, data security, and other indicators
Who are your downstream vendors?
Processing facilities often send a portion of certain types of IT assets and materials to downstream vendors for processing, including copper, some plastics, and circuit boards. Your ITAD provider should be able to provide a list of every downstream vendor by location and type of material processed. These downstream vendors should also carry their R2v3 and/or e-Stewards certification.
Only one-third of businesses make it past their tenth anniversary. Select an ITAD vendor that can demonstrate longevity and are well-positioned for the future.
Do you have a landfill policy?
If you are working with an R2v3 or e-Steward-certified company, this shouldn’t be an issue. But your ITAD vendor should always be able to assure you that no electronics are going into landfill or being sent to developing countries.
How long have you been in business?
It is a sobering fact that only 50% of businesses will exist after five years. Only one-third make it past their tenth anniversary. This is particularly important to consider when looking for an IT asset disposition provider. For this reason, we recommend selecting an ITAD vendor that has been in business at least 5 years, preferably with annual revenues greater than $25 million.
Maximizing Resale Value
When working with an ITAD provider to properly dispose of your IT assets, your items will be evaluated to determine which assets retain value for sale in secondary markets. Each vendor has different evaluation guidelines and procedures. Here are a few key questions you should ask to ensure the best possible return on investment (ROI) for your assets.
It is important to make sure your provider offers a revenue sharing program that maximizes value recovery for your assets while allowing a fair margin for the disposition of non-resale IT equipment.
What type and percentage of profit share do you offer?
Most major ITAD vendors offer profit sharing on items that have value. The company’s share with the clients can range from 50% – 75% of the net sale price. The most common items that retain value for profit share are laptops, desktops, servers, networking equipment, and mobile devices.
It is important to make sure your provider offers a revenue sharing program that maximizes value recovery for your assets while allowing a fair margin for the disposition of non-resale IT equipment.
What is the minimum value you will profit share?
ITAD vendors often establish a minimum value threshold in order for an asset to be eligible for-profit sharing. The minimum usually ranges from $50 to $100 per item and will impact the amount of money you will receive. Keep in mind that the value is always assessed after labor, processing, and fees are paid to retail channels.
What types of sales channels do you use and how much annual revenue is generated from these channels?
An effective ITAD company will evaluate assets to select the sales channel with the highest return. The ability to remarket assets through multiple channel types (retail, wholesale, B2B/direct, broker) will maximize the ROI. Newegg, eBay, Amazon, and internal e-commerce sites are common retail channels. Obviously the more retail channels your vendor employs, the better your potential ROI. Look for ITAD companies with an established retail department and minimum annual revenues of $2 million to get the best price for your assets.
Data and Reporting
When working with an ITAD vendor, it’s critical to have complete visibility into the asset disposition process through customized reporting capabilities.
Ensure your ITAD provider can meet or exceed your requirements when it comes to reporting and accessibility of those reports.
What types of reporting do you offer and how can I access it?
Ideally, your ITAD vendor should provide a web-based customer portal for access to information regarding your historic and current assets, as well as robust report generation capabilities. Specifically, your vendor should offer:
Reporting
- Settlement statements that include customer name, pick-up location, lot number, date received, incoming weight, weight by commodity/product, processing charges, date completed, and credit or charge information
- Certificates of Recycling and Data Destruction that include total weight of recycled material and serial numbers
- Audit reports that include manufacturer name, model number, serial number, asset tag number, weight, and the resale value of qualified units
- Remarketing settlement summaries that include manufacturer name, model, serial number, weight, product type, and resales value
Customer portal
- Self-service transactions including online scheduling and report generation
- Automated communications such as email notification of scheduled, received, and finalized material processing
- Analytic reports providing detailed data including equipment information, process tracking, and transaction details (dates, weights, and categories)
- Access to audit documentation (Certificate of Recycling and Data Destruction)
Environmental, social, and governance (ESG)
- Alignment and commitment to helping you achieve your scope 3 and broader ESG goals
- A published, verifiable ESG report that follows widely accepted frameworks, such as SASB, TCFD, and/or GRI
- Access to accurate potential avoided scope 3 emissions calculations and reporting using a verified method of calculation
Pricing and Transportation
The question everyone wants answered is “how much?” There are several factors to consider when evaluating pricing. The answer is that there are a variety of pricing structures out there dependent on specific ITAD vendors. One thing is for sure, if it seems too good to be true as more questions as that very well could be the case.
It’s important to select an ITAD vendor that updates pricing annually. Remember, if a quote seems too good to be true, your data and branch could be at risk for a breach.
How much do you charge per pound and how often do you update pricing?
All IT assets that are ready for recycling are not created equal. Some items such as laptops, desktops, and servers might be too old for resale, but may maintain value from a commodity level (precious metals, nonferrous, ferrous), helping to lower the cost per pound. Items such as CRT monitors, LCD monitors, keyboards, and computer peripherals have very little intrinsic value and will be more expensive to properly dispose of than other IT equipment.
Prices vary based on the commodities market, as well as the amount and condition of equipment. Your ITAD vendor should supply you with a very specific rate card for your assets. It is also important to select a provider that updates its pricing annually. If you provide an itemized list of equipment, your vendor will be able to generate a more accurate cost estimate for proper disposition.
What are the transportation costs? Do you have an internal logistics team?
Based on location, required level of security, and the number of IT assets, transportation can vary greatly. There is no clear-cut way to accurately quote cost unless you can provide very specific answers to questions such as:
- What is the distance from pick-up to processing facility?
- Do these items need to be pre-packaged prior to pick-up?
- Can I dedicate labor to palletize instead of the vendor?
- How many pallets can I store prior to pick-up?
- Can I allow use of a loading dock?
- Is pick-up accessible by tractor trailer or semi?
Whatever the case, given this information, a reputable ITAD company will be able to supply a quote within 24 hours.
If your vendor has an internal logistics team, this will save you money as well as increase your options. With an internal logistics team, you will have access to regional and nationwide networks, as well as “White Glove Service” for companies that need onsite equipment removal and packaging. Due to the sensitive nature of the equipment, it will be removed directly from a desk, office, or warehouse by an agent of the vendor under the supervision of the client.
Conclusion
In today’s fast-paced environment, companies are often making critical business decisions in less time and with less experience and guidance than ever before. When it comes to selecting a vendor for the disposition of your IT assets, the process is often more reactionary than proactive, which can ultimately compromise your organization’s data and brand security, environmental and legislative compliance, and value recovery.
This document has provided you with a list of the must-ask questions to consider when selecting an ITAD provider. If you take the time to gather responses to these critical questions from potential ITAD vendor(s), you can ensure you will make the right selection that will meet or exceed your company’s expectations. By knowing the right questions to ask before you even begin, you can still expect to accelerate your vendor selection process.
About Dynamic Lifecycle Innovations
Dynamic Lifecycle Innovations is a sustainability-centric full-service electronics and materials lifecycle management corporation specializing in IT asset disposition, data and brand security, electronics recycling, legislative compliance, product refurbishment, remarketing and resale, and material recovery. The company creates customized service packages designed to safeguard customers’ sensitive data and protect the environment from e-waste and other pollutants.
Dynamic strives to foster authentic, meaningful partnerships with clients, maximize their value recovery, ensure their organizations’ assets and data are properly disposed of, and deliver the security they need to know the job is done right. For more information, visit the Dynamic website at ThinkDynamic.com.