Data Dangers Most Executives Overlook During Device Disposal


Ask most executives about device disposal, or what happens to a laptop after it’s retired from service, and you’ll probably get a shrug or an “I don’t know.” That might have been OK in the past, but now, it can be an expensive mistake. 

Take Morgan Stanley, for instance. From 2020 to 2023, the bank paid more than $150 million in combined regulatory fines and legal settlements over decommissioned data center and server equipment that was resold or lost with unencrypted customer data still on the drives. Morgan Stanley had opted for an unknown vendor to reduce decommissioning costs. Unfortunately, that vendor then sold the equipment without properly sanitizing it. Fifteen million customers had personal data exposed, including Social Security numbers, account information, and addresses.

Device disposal is one of the least regulated and riskiest gaps in corporate cybersecurity. We’ll explain why that is dangerous and can result in the kind of breaches no firewall can stop.

Why This Risk Hides in Plain Sight

Security teams patch, monitor, encrypt, and record active devices in real time. But the minute a laptop is retired, or a server is decommissioned, it often vanishes from the security radar altogether.

Gadgets get packed away and recycled. Sometimes they are donated to schools or resold on auction sites without ever being wiped. But if those devices leave the building without the data being certifiably destroyed, the organization has effectively lost control of the data on the device. And in most companies, no one tracks that handoff with any real rigor because no one owns the process.

It’s not just a hypothetical vulnerability. In a forensic study of 159 secondhand HDDs and SSDs bought on eBay, Blancco Technology Group found that 42% still contained recoverable data, including personal and corporate information.

The Real-World Cost of Getting This Wrong

Three areas show how quickly the costs ramp up.

1. Regulatory Fines and Legal Liability

The most visible example is Morgan Stanley’s case, but it’s not the only one. For instance, in 2021, improper disposal of hard drives at HealthReach Community Health Centers exposed the records of more than 100,000 patients, including Social Security numbers, medical records, and insurance information. HIPAA penalties for improper disposal of protected health information can be up to $50,000 per violation.

2. Reputational Damage and Lost Business

Fines are measurable. While damage to reputation is harder to quantify, it is arguably more expensive in the long run. According to research, about 70% of consumers say they would stop doing business with a company following a data breach. That erosion of trust spills over to partners, investors, and regulators, who begin to ask tougher questions about governance.

3. Operational Disruption

Beyond the fines and the reputational hit, there’s a business cost. According to IBM’s Cost of a Data Breach reports, organizations take an average of 200-280 days to identify and contain a breach, of which about 60-73 days are spent containing it after discovery, and breaches with longer life cycles are significantly more expensive. When the breach involves improper disposal, the investigation is often more complex because the chain of custody was never documented.

What Belongs on the Boardroom Agenda

IT asset disposition (ITAD) must be governed with the same level of rigor as active endpoint security. This includes certified data destruction in accordance with NIST SP 800-88 standards, serialized chain-of-custody documentation for each device, and regular reporting to security leadership.

That also means doing your due diligence on ITAD vendors, just as you would on any other security partner: certifications, audit trails, downstream accountability, and evidence of destruction at the device level, not just a batch receipt for a truckload.

Every executive should ask whether they can prove what happened to a particular serial number after it left their facility. If the answer is no, device disposal is still a vulnerability outside your security perimeter. That’s a risk no board should be comfortable taking, especially with the regulatory and financial implications we’ve seen.
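As an added illustration of the serial-level check described above (example code written for this article, not Close the Loop’s tooling), the following Python reconciles a retired-asset register against a vendor’s certificates, accepts only the NIST SP 800-88 categories clear, purge and destroy as proof, and flags assets that are covered by nothing more than a batch receipt. The certificate record format and the sample data are constructed assumptions.

```python
from dataclasses import dataclass

# NIST SP 800-88 sanitization categories; any other wording is not accepted as proof.
NIST_METHODS = {"clear", "purge", "destroy"}

@dataclass(frozen=True)
class Certificate:            # assumed record layout, not a vendor's real format
    cert_id: str
    vendor: str
    method: str               # sanitization method the vendor claims
    serial: str = ""          # device serial; empty means a batch-level receipt only

def reconcile(register, certificates):
    """Map every retired serial to a status and list certificates that name
    serials the organization never retired (a sign of mixed-up assets)."""
    by_serial, has_batch_receipt = {}, False
    for cert in certificates:
        if cert.serial.strip():
            by_serial.setdefault(cert.serial.strip().upper(), []).append(cert)
        else:
            has_batch_receipt = True
    status = {}
    for raw in register:
        serial = raw.strip().upper()
        certs = by_serial.get(serial, [])
        if any(c.method.lower() in NIST_METHODS for c in certs):
            status[serial] = "proven"
        elif certs:
            status[serial] = "unverified-method"  # e.g. "formatted" is not sanitization
        elif has_batch_receipt:
            status[serial] = "batch-only"         # a truckload receipt proves nothing per device
        else:
            status[serial] = "missing"
    known = {s.strip().upper() for s in register}
    unknown = sorted(s for s in by_serial if s not in known)
    return status, unknown

# Constructed sample data: four retired drives and the paperwork a vendor returned.
RETIRED = ["SN-1001", "SN-1002", "SN-1003", "SN-1004"]
PAPERWORK = [
    Certificate("C-1", "VendorX", "purge", "SN-1001"),
    Certificate("C-2", "VendorX", "formatted", "SN-1002"),
    Certificate("C-3", "VendorX", "destroy", "sn-9999"),   # serial never retired
    Certificate("B-1", "VendorX", "destroy"),              # batch receipt, no serials
]

if __name__ == "__main__":
    statuses, strays = reconcile(RETIRED, PAPERWORK)
    for serial, state in statuses.items():
        print(f"{serial}: {state}")
    print("certificates for serials never retired:", strays)
```

Only assets reported as "proven" answer the question of what happened to a given serial; everything else is a gap in the chain of custody to raise with the vendor.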

Secure Device Disposal With Close the Loop

Close the Loop treats every retired device as a security incident first. Certified data destruction to DoD and NIST standards provides documented proof that nothing leaves without serialized Certificates of Destruction for every asset. 

Close the Loop maximizes the value of securely wiped devices by refurbishing and remarketing them, with all other components recycled under a zero-landfill guarantee. Our full chain-of-custody reporting gives your security team, compliance officers, and auditors exactly the documentation they need. Contact us today to get started.
