ASK & LOOK UP · Q&A + DICTIONARY

Straight Answers

The questions IT, compliance, and procurement teams actually ask — answered directly — plus the full ITAD Dictionary below: every term the industry throws around, translated.


Compliance

Do data-disposal and breach-notification laws vary by state?

Yes — and the gap between the two is where disposal-stage risk hides. Most states regulate two separate things: how you physically dispose of electronics (e-waste handling, and in some states a landfill ban or manufacturer take-back program), and what you must do if data is exposed (breach-notification timelines, attorney-general notice, sometimes credit monitoring). The data-security duty usually attaches to the records, not the device — so a drive that leaves your building unsanitized can trigger the same obligations as a hacked database.

The specifics shift at the border: notification deadlines, who you tell first, landfill bans, and recycling fees all change by state. We keep plain-English breakdowns of the disposal law and the breach rules state by state — see, for example, Pennsylvania, Texas, or California — plus metro overlays for regions like Philadelphia.

Do all states have e-waste recycling laws?

No. About 25 states plus the District of Columbia have laws that specifically regulate electronics recycling — how covered devices like computers, monitors, and televisions are collected and recycled at end of life. The rest have no state-level e-waste recycling mandate, though federal hazardous-waste rules and local programs can still apply.

This is separate from data-disposal and breach-notification laws, which are far more widespread — nearly every state regulates those. So an organization can operate in a state with no e-waste recycling law and still face strict data-disposal obligations there. The Compliance Map lays out which of the three — electronics recycling, secure data disposal, and breach notification — apply in each state you select.

Do I need a BAA with my ITAD vendor?

If you're a HIPAA covered entity and your vendor takes custody of devices containing protected health information, yes — handling PHI on your behalf makes them a business associate, and that relationship requires a Business Associate Agreement. Health systems reliably execute BAAs with billing and cloud vendors and routinely forget the company hauling the drives.

Without a BAA, a disposal-stage breach lands on you: the notification, the OCR scrutiny, the penalties. Put disposal under a BAA, and demand NAID AAA-certified destruction with serialized certificates as the operational backbone behind it. More in our healthcare ITAD overview.

Does CMMC apply to my company if we've never held a government contract?

It can, through flowdown. When a prime contractor's DoD contract carries a CMMC requirement, that requirement flows down to every subcontractor tier that handles federal contract information or CUI — receive a drawing, a spec, or a technical data package, and Level 2 obligations follow it.

Primes verify their supply chain before CUI moves downstream, which is why machine shops and engineering firms with no government contracts are receiving questionnaires and contract amendments now. The encouraging part: the disposition controls are among the fastest of the 110 to satisfy. Start with the flowdown section of our field guide.

What does a certificate of destruction need to include?

To function as audit evidence rather than a receipt: every device listed by make, model, and serial number; the sanitization or destruction method identified against NIST 800-88; verification that the operation succeeded; and the operator, facility, and date. The test is reconciliation — any serial in your inventory should trace to a certificate line.

An aggregate letter ('one lot of assorted drives, recycled') can't reconcile to anything, and reconciliation is exactly what assessors and auditors sample. Run the ten-serial test from our one-page checklist before someone runs it for you.
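The reconciliation test above is mechanical enough to script. The following is an added example, not code from CyberCrunch or any product: it takes a constructed inventory of retired-drive serials and the lines of a certificate that came back, checks that every serial traces to exactly one line naming a NIST 800-88 method with verification, operator, facility and date recorded, and flags aggregate "one lot" lines, duplicates and missing serials. Field names, the sample serials and the regular expressions are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CertLine:
    """One line of a certificate of destruction (field names assumed for this example)."""
    serial: str      # manufacturer serial; empty on an aggregate line
    make: str
    model: str
    method: str      # should identify the method against NIST 800-88
    verified: bool   # did the certificate record that verification succeeded?
    operator: str
    facility: str
    date: str        # ISO date


# Constructed sample data: five retired drives, and the certificate the vendor returned.
INVENTORY = ["SN-A100", "SN-A101", "SN-A102", "SN-A103", "SN-A104"]

CERT_LINES = [
    CertLine("SN-A100", "Seagate", "ST2000", "NIST 800-88 Purge (ATA SANITIZE)", True, "J. Doe", "Pittsburgh", "2024-05-02"),
    CertLine("SN-A101", "Samsung", "870 EVO", "NIST 800-88 Destroy (shred 2mm)", True, "J. Doe", "Pittsburgh", "2024-05-02"),
    # Method not named against the standard and no verification recorded.
    CertLine("SN-A102", "WD", "WD40EFRX", "overwrite 3-pass", False, "J. Doe", "Pittsburgh", "2024-05-02"),
    # Same serial listed twice: which line is the evidence?
    CertLine("SN-A102", "WD", "WD40EFRX", "NIST 800-88 Purge", True, "J. Doe", "Pittsburgh", "2024-05-03"),
    # The aggregate "receipt" line that reconciles to nothing.
    CertLine("", "", "", "one lot of assorted drives, recycled", False, "", "", "2024-05-02"),
]

AGGREGATE_RE = re.compile(r"\b(lot|assorted|various|misc)\b", re.IGNORECASE)
STANDARD_RE = re.compile(r"800-88", re.IGNORECASE)


def line_defects(line: CertLine) -> list:
    """Reasons a single certificate line fails as audit evidence (empty list if it passes)."""
    defects = []
    if not line.serial or AGGREGATE_RE.search(line.method):
        defects.append("aggregate line: no serial to reconcile")
    if not STANDARD_RE.search(line.method):
        defects.append("method not identified against NIST 800-88")
    if not line.verified:
        defects.append("no verification of success recorded")
    for name in ("operator", "facility", "date"):
        if not getattr(line, name):
            defects.append(f"missing {name}")
    return defects


def reconcile(inventory: list, cert_lines: list) -> dict:
    """Trace every inventory serial to certificate lines and classify the outcome."""
    counts = Counter(line.serial for line in cert_lines if line.serial)
    result = {
        "missing": [s for s in inventory if s not in counts],                 # no certificate line at all
        "duplicated": sorted(s for s, n in counts.items() if n > 1),          # ambiguous evidence
        "unlisted": sorted(s for s in counts if s not in inventory),          # certificate names assets you never sent
        "defective": {},                                                      # serial -> list of defects
        "aggregate_lines": [line.method for line in cert_lines if not line.serial],
    }
    for line in cert_lines:
        if line.serial in inventory:
            for defect in line_defects(line):
                result["defective"].setdefault(line.serial, []).append(defect)
    result["clean"] = [
        s for s in inventory
        if s in counts and s not in result["defective"] and s not in result["duplicated"]
    ]
    return result


def serial_sample_test(inventory: list, cert_lines: list, sample_size: int = 10) -> dict:
    """The ten-serial spot check: sample evenly across the inventory, report serials that don't trace cleanly."""
    step = max(1, len(inventory) // sample_size)
    sample = inventory[::step][:sample_size]
    clean = set(reconcile(sample, cert_lines)["clean"])
    return {"sampled": sample, "failed": [s for s in sample if s not in clean]}


if __name__ == "__main__":
    report = reconcile(INVENTORY, CERT_LINES)
    for key, value in report.items():
        print(f"{key:16} {value}")
    print("spot check:", serial_sample_test(INVENTORY, CERT_LINES))
```

On the constructed data only two of the five serials reconcile cleanly; two were never listed, one appears twice with one of its lines lacking both a named standard and verification, and the "one lot" line is reported separately because it can never match a serial. Run the same check against a real certificate export by replacing the constructed lists with your inventory and the vendor's line items.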

Are retired computers still in scope for security audits if they're powered off?

Yes. An asset that processed sensitive data exits scope when its media is sanitized or destroyed — with documentation — not when it's powered down. Until then, the storage room is an unmonitored collection of data-bearing assets, and facility walk-throughs find it reliably.

Three fixes: locked, access-limited storage with a sign-out log; disposition states in your asset inventory; and a standing destruction cadence so the backlog never re-forms. The scoping section covers the full lifecycle view.

Data Destruction

Is deleting files or formatting a drive enough before disposal?

No. Deletion removes the pointer to the data — the map — and leaves the data itself untouched until something overwrites it. Off-the-shelf recovery tools read 'deleted' data in minutes, and a quick format often just writes a new, empty map over the same territory.

Real sanitization works at the data level: verified overwriting where the media supports it, firmware purge commands, cryptographic erase, or physical destruction — the NIST 800-88 hierarchy. Our Method Picker gives you the right answer per media type in under a minute.

Does degaussing work on SSDs?

No — and this is the most consequential myth in disposal. Degaussers destroy data by eliminating magnetic fields; flash memory stores data electrically and has no magnetic fields to eliminate. A degaussed SSD is fully intact.

Overwrite software is also unreliable on flash, because wear leveling and overprovisioning hide cells the software can't reach. What works: firmware sanitize/block-erase commands with verification, cryptographic erase with evidence that encryption was enforced, or shredding at a flash-appropriate particle size.

What is NIST 800-88 and why does everyone reference it?

NIST Special Publication 800-88 Rev. 1, 'Guidelines for Media Sanitization,' is the de facto U.S. standard for destroying data on every media type. It organizes sanitization into three levels — clear, purge, and destroy — and maps which methods achieve which level on which media.

It's referenced everywhere because nearly every framework (CMMC, HIPAA guidance, state data-disposal laws) points to it rather than reinventing the wheel. If your sanitization SOP names its methods against 800-88, you speak the language every auditor expects.

Do copiers and printers really store documents?

Yes — virtually every networked copier and multifunction printer built in the last two decades contains a hard drive or flash storage that caches scans, prints, and faxes, often for years. If sensitive documents have crossed the glass, that drive is a data-bearing asset.

The risk concentrates at lease return: the unit disappears into a refurbishment chain nobody can audit, with the cache aboard. Negotiate a data clause into the lease (our Vault has ready language) and make drive handling a step in every equipment return.

Cost & Value

How much does ITAD cost?

It depends on volume, media mix, location, and service level — but the honest answer is that for many organizations, a well-run program costs less than they expect and sometimes nets positive. Remarketing value from equipment with resale life offsets destruction and logistics costs, and value-share structures return proceeds to you with settlement reporting.

The expensive version of ITAD is the deferred one: storage costs, depreciation loss every quarter equipment sits, and the risk carried the whole time. Send us a rough inventory and we'll give you a real number for your situation.

Is my old IT equipment actually worth anything?

Often, yes — more than the line item suggests. Equipment is typically written off on the books years before it loses secondary-market value, and enterprise gear three to five years old still trades actively. The catch is decay: resale prices fall continuously, and each refresh generation that ships pushes yours down the curve.

Per-unit assessment (warranty status, diagnostics) separates the remarketable half from the recycle half, and the remarketable half funds the program. The Value-Share program covers how proceeds come back to you.

Why is 'free' e-waste pickup a red flag?

Because the economics have to work somehow. A hauler who charges nothing, asks nothing about your data, holds no certifications, and offers no paperwork is monetizing the equipment itself — resale is the business model, and whatever data is on the drives rides along.

One document tells you nearly everything: ask any vendor for a sample certificate of destruction before signing. If it doesn't list serial numbers, you've learned what you needed to know. Our vendor-selection criteria cover the full question set.

Process & Logistics

Where does ITAD fit in hardware asset management?

ITAD is the final stage of the hardware asset lifecycle — disposition. Hardware asset management (HAM) tracks a device from acquisition through deployment, operation, and refresh; ITAD is what happens when it reaches end of life. Most programs run the early stages well and let the last one happen informally, which is how a retired device becomes a ghost asset: still on the books, still depreciating, and — if it held data — an unsecured endpoint nobody is watching.

Done as a managed stage, disposition closes the loop: recover the device under chain of custody, sanitize or destroy the media to NIST 800-88, and feed the serialized certificate back into the asset record so it finally reads retired, destroyed, certificate on file. Start with the Hardware Asset Management field guide, score your program with the Maturity Toolkit, or watch the 90-second lifecycle film.
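The "disposition as a workflow state" idea in the two answers above can be enforced in the asset record itself. This added example (not code from the field guide, the Maturity Toolkit or any ITAM product) models the disposition stage as a small state machine in which each step requires its piece of evidence, so a record can only read retired once a serialized certificate reference is on file, and anything that left service without closing shows up as a ghost asset. State names, evidence field names and the sample serials are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Allowed disposition transitions, keyed by (from, to), mapped to the evidence field that
# must be present before the move is permitted. Names are assumed for this example.
TRANSITIONS = {
    ("in_service", "pending_disposition"): None,
    ("pending_disposition", "in_storage"): "storage_signout",   # locked storage with a sign-out log
    ("pending_disposition", "in_transit"): "custody_manifest",  # signed transfer manifest
    ("in_storage", "in_transit"): "custody_manifest",
    ("in_transit", "received"): "intake_scan",                  # scanned and serialized at vendor intake
    ("received", "retired"): "certificate_ref",                 # serialized CoD line for this serial
}
EVIDENCE_FIELDS = {name for name in TRANSITIONS.values() if name}


class TransitionError(ValueError):
    """Raised when a record tries to advance without the evidence the step requires."""


@dataclass
class AssetRecord:
    serial: str
    state: str = "in_service"
    storage_signout: Optional[str] = None
    custody_manifest: Optional[str] = None
    intake_scan: Optional[str] = None
    certificate_ref: Optional[str] = None
    history: list = field(default_factory=list)   # (from_state, to_state, evidence_field) per move


def transition(asset: AssetRecord, new_state: str, **evidence: str) -> AssetRecord:
    """Advance the record one disposition step, recording any evidence supplied with the move."""
    key = (asset.state, new_state)
    if key not in TRANSITIONS:
        raise TransitionError(f"{asset.serial}: {asset.state} -> {new_state} is not a disposition step")
    for name, value in evidence.items():
        if name not in EVIDENCE_FIELDS:
            raise TransitionError(f"{asset.serial}: unknown evidence field {name!r}")
        setattr(asset, name, value)
    required = TRANSITIONS[key]
    if required and not getattr(asset, required):
        raise TransitionError(f"{asset.serial}: cannot enter {new_state} without {required}")
    asset.history.append((asset.state, new_state, required))
    asset.state = new_state
    return asset


def rejects(asset: AssetRecord, new_state: str, **evidence: str) -> bool:
    """True if the move is refused; the record is left unchanged in that case."""
    try:
        transition(asset, new_state, **evidence)
    except TransitionError:
        return True
    return False


def is_closed(asset: AssetRecord) -> bool:
    """The record reads 'retired, certificate on file' only when both conditions hold."""
    return asset.state == "retired" and bool(asset.certificate_ref)


def ghost_assets(records: list) -> list:
    """Serials that left service but never closed: the backlog that re-forms without a cadence."""
    return [a.serial for a in records if a.state not in ("in_service", "retired")]


if __name__ == "__main__":
    laptop = AssetRecord("SN-1")
    transition(laptop, "pending_disposition")
    print("moved without a manifest?", not rejects(laptop, "in_transit"))   # refused
    transition(laptop, "in_transit", custody_manifest="MAN-001")
    transition(laptop, "received", intake_scan="INTAKE-001")
    transition(laptop, "retired", certificate_ref="COD-42/line-3")
    closet = transition(AssetRecord("SN-2"), "pending_disposition")
    print("closed:", is_closed(laptop), "ghosts:", ghost_assets([laptop, closet]))
```

The point of the shape is that the evidence travels with the state change: an integration that marks an asset retired has to carry the certificate reference in the same call, so a record can never say retired while the certificate is still in someone's inbox.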

What happens to my equipment after pickup?

In a certified process: assets travel in sealed, tracked containers with signed transfer manifests. At intake, each asset is scanned, photographed, and serialized into inventory, then reconciled against the outbound manifest. Data-bearing media is sanitized to NIST 800-88 or physically destroyed, with per-device verification.

What returns to you is the point: serialized certificates, settlement reporting on remarketed assets, recycling documentation, and a chain-of-custody record that survives audit. The process page walks every stage.

How do we handle laptops from remote employees?

Mail-back. A prepaid, trackable return kit ships to the employee's address; they pack the device and drop it off or schedule a pickup; custody is documented in transit; and certified sanitization or destruction happens on arrival, with a serialized certificate posted back to the asset record.

It scales from a single offboarding to a full distributed refresh, and it closes the open items that accumulate when departure devices sit in closets across the country. Details on the mail-back page.

Can ITAD integrate with ServiceNow or our ITAM system?

Yes. API integration turns disposition into a workflow state instead of an email thread: an asset marked for retirement in ServiceNow triggers the pickup, status syncs both directions as the asset moves through processing, and the serialized certificate posts back to the individual asset record automatically.

Every manual step removed is a place the evidence chain can't fray. See ServiceNow & ITAM integrations for what syncs and how it deploys.

Can we watch our drives being destroyed?

Yes — witnessed destruction is a standard option, either in person at our Pennsylvania facility or via documented video evidence, with certificates issued immediately following. Some organizations require it by policy for their most sensitive media; for others, the serialized certificate and chain-of-custody record carry the evidentiary weight.

Either way, the destruction event is verified and recorded per device. Ask about witnessing when you scope an engagement.

Vendors & Certifications

What do NAID AAA and R2v3 actually certify?

They certify different halves of the problem. NAID AAA certifies the destruction operation itself: vetted personnel, audited procedures, verified destruction methods per media type, and unannounced audits. R2v3 certifies the recycling and reuse chain: responsible downstream handling, data security requirements, focus materials management, and chain-of-custody through every downstream tier.

A vendor holding both — plus liability insurance and a willingness to document downstream partners — covers both the data risk and the environmental risk. Single-certification vendors leave one of those doors open.

What questions should I ask before hiring an ITAD vendor?

The non-negotiables: Which certifications, with current certificates? Serialized certificates of destruction as standard? Documented chain of custody from our dock? Who are your downstream partners, and will you disclose them? What insurance do you carry? Can we see a sample certificate right now?

The differentiators: value recovery with settlement reporting, witnessed destruction options, API integration, mail-back capability, and one evidence format across all 50 states. Our due-diligence questionnaire packages all forty questions, ready to send.

Should we do data destruction in-house instead?

You can — the question is whether the full cost makes sense. In-house destruction means buying and maintaining equipment rated for your media mix (flash-appropriate shredding is not cheap), training and verifying personnel, building the serialized evidence pipeline, and carrying the liability when something is missed.

For most organizations below data-center scale, certified outsourcing costs less than the loaded internal cost and produces stronger evidence — third-party certificates carry more audit weight than self-attestation. The build-vs-buy section works the math honestly.

How can I verify a vendor's R2 or NAID AAA certification is legitimate?

Don't trust the logo on the website — verify the certificate in the public registry. R2v3 certifications are listed by SERI (Sustainable Electronics Recycling International), the body that owns the standard; NAID AAA certifications are listed by i-SIGMA, the trade association that runs the program; and recycling permits are listed by the state environmental agency. Search the vendor's legal name, confirm the certificate is current rather than expired, and check that the scope actually covers the work you need — logical data sanitization, physical destruction, or downstream recycling are listed separately.

A real certification has a number you can look up; a graphic does not. Ask for the certificate and the registry listing, not the badge. Our vendor due diligence guide walks through how to read each credential, and the credentials packet collects CyberCrunch's certificate numbers so you can verify them yourself.

What insurance should an ITAD vendor carry?

The coverage that matters most for data risk is cyber and technology errors-and-omissions insurance — it responds if a data exposure traces back to the vendor's handling of your media. General liability, automobile, and workers' compensation cover the physical operation; an umbrella or excess layer raises the ceiling; and pollution coverage applies to the recycling side. Ask for a certificate of insurance (a standard ACORD form) naming the actual entity you're contracting with, and confirm the carriers are rated. Coverage that exists only on paper, or names a different company, is a gap.

For reference, CyberCrunch carries cyber and tech E&O up to a $10M limit, alongside general liability, umbrella, automobile, pollution, and workers' compensation — the full tower is itemized in the credentials packet.

What's the difference between a certificate of recycling and a certificate of destruction?

They prove two different things, and a complete program produces both. A certificate of data destruction documents that the data-bearing media was sanitized or physically destroyed — the method, the standard (NIST 800-88), and ideally the specific assets — which is the evidence that satisfies auditors and breach-notification defenses. A certificate of recycling documents that the physical equipment was responsibly recycled or reused through a certified downstream chain rather than dumped or illegally exported, which is the environmental side.

A serialized destruction report — a line-by-line list tied to each asset's serial number — is a stronger form of the destruction record, available on request when your compliance program needs asset-level traceability. CyberCrunch issues both certificates on every project; serialized reporting is offered on request.

Does destroying a drive remove breach-notification risk?

Largely, yes — that is the point of it. Media sanitized or destroyed to NIST 800-88 standards, with documentation, is not exposed data, so a lost or retired device that was properly handled generally does not trigger breach notification. The serialized certificate of destruction is the practical proof. The risk lives in the gap: devices that left without being sanitized, or destruction you cannot document.

Is there a federal law that governs IT asset disposition?

There is no single federal ITAD statute. Federal law sets a floor — the FTC Disposal Rule under FACTA for consumer-report data, HIPAA and GLBA by sector, and RCRA for the hazardous-material side — but most disposal and recycling requirements are state law. Your actual obligation is the combination of the states you operate in and the federal frameworks your industry falls under.

Is full-disk encryption (BitLocker or FileVault) enough to skip sanitization?

No. Encryption enables a fast sanitization method — cryptographic erase, where you destroy the key — but it does not replace the erase event. You still need to actually trigger the key destruction, evidence that encryption was enforced for the device’s entire data-bearing life, and a record of it. Encryption is the enabler, not the disposal.

Is a multi-pass overwrite safer than a single pass?

On modern drives, no. The multi-pass ritual descends from guidance written for long-obsolete media. NIST 800-88 recognizes a single verified overwrite at the Clear level, and firmware-based purge commands surpass host-side overwriting entirely. On SSDs and flash, pass count is irrelevant because overwriting is the wrong tool regardless — use the drive’s built-in sanitize command or destroy it.

Can a lost or improperly disposed device count as a data breach?

Yes. Under most state breach-notification laws and frameworks like HIPAA, a data-bearing device that leaves your control without being sanitized — lost in transit, tossed in the trash, or sold without a wipe — can be a reportable breach if the data on it was not rendered unreadable. The defense is sanitizing or destroying media before it leaves custody and holding the documentation that proves it.

Which CMMC controls actually cover IT asset disposal?

The core one is media sanitization — NIST 800-171 control 3.8.3 — which requires sanitizing or destroying media containing CUI before disposal or reuse. The broader Media Protection (MP) family covers marking, handling, and access along the way. An assessor sampling disposition will look for sanitization records and serialized certificates of destruction tied to specific assets.

How long should we keep certificates of destruction?

Keep them at least as long as the compliance obligation behind the data — your own record-retention schedule should drive it, not the vendor. Many regulated programs retain destruction records for years; HIPAA-covered entities, for example, commonly keep related documentation for six years. When in doubt, keep the serialized certificate for the life of the audit or contractual requirement it supports, and confirm the period against your retention policy.

Can we just throw old computers in the dumpster?

Usually not. About half the states have e-waste landfill bans that prohibit putting computers, monitors, and televisions in the trash, and even where no ban exists, electronics with enough lead, mercury, or cadmium can be regulated as hazardous waste under RCRA — a stack of old CRT monitors is the classic example. On top of that, any drive in the dumpster is unsanitized data walking out the door. The defensible path is a certified recycler with a chain of custody and a certificate of destruction.

Does RCRA apply to my company’s old electronics?

It can. Electronics become regulated under the federal Resource Conservation and Recovery Act when they contain enough toxic material — lead, mercury, cadmium — to fail the EPA’s toxicity tests; not every laptop triggers it, but a volume of old CRT monitors almost certainly does. In practice most businesses manage retired electronics under their state’s universal-waste or e-waste program — a streamlined path RCRA allows — using a certified recycler rather than handling them as full hazardous waste. Household disposal is exempt; this is a business obligation.

What’s the difference between e-waste recycling laws and data-disposal laws?

They regulate two different risks. E-waste recycling laws are environmental — they govern how the physical electronics are collected and recycled, and often ban them from landfills. Data-disposal and breach-notification laws are about the information on the device — requiring you to render data unreadable before disposal and to report exposures. A state can have strict data rules and no e-waste law, or the reverse, so a complete program has to satisfy both tracks. The Compliance Map separates them so you can see each.

Does the FTC Disposal Rule apply to my business?

If your business uses consumer-report information — credit reports, background checks, tenant or employment screening — then yes. The FTC Disposal Rule, under FACTA, requires reasonable measures to dispose of that information so it cannot be read or reconstructed, which for hardware means sanitizing or destroying the media that held it. It is one of the few federal disposal mandates that reaches across industries rather than a single sector.

Do privacy laws like CCPA affect IT asset disposal?

Yes. California’s CCPA and CPRA — and the growing list of similar state privacy laws — require businesses to protect residents’ personal information with reasonable security and not keep it longer than needed. When hardware holding that data is retired, those obligations follow it: the data has to be securely disposed of, and you should be able to show it was. Disposal is the last place personal information lives, and these laws do not stop applying because a device is leaving.

What are the penalties for improper IT asset disposal?

They come from more than one direction, which is what makes disposal mistakes expensive. Environmental agencies can pursue fines for illegal e-waste disposal under RCRA and state law; data-protection regulators and state attorneys general can act under HIPAA, GLBA, and state privacy and breach laws; and a single improperly disposed device can become a reportable breach with notification costs and civil liability. Dollar figures vary widely by law and severity — the larger point is that the cost is usually not one fine but the combined environmental, regulatory, and breach exposure. (Informational only, not legal advice.)

Do EU data protection laws like GDPR apply to a US company’s IT disposal?

They can. GDPR reaches any organization, anywhere, that handles the personal data of people in the EU — so a US company with EU customers or employees can be on the hook. Its storage-limitation and security principles extend to disposal: data you no longer need should be removed, and devices that held EU residents’ personal data have to be securely sanitized or destroyed, with evidence. The penalties are among the steepest in privacy law, which is why multinational programs treat EU data the same at disposal as at any other stage.

What is the WEEE Directive, and does it affect us?

The WEEE Directive (2012/19/EU) is the EU's e-waste law. It makes producers responsible for collecting, treating, and recycling electronics placed on the EU market, much like producer-responsibility e-waste laws in US states. If your organization sells electronics into the EU or operates facilities there, you likely have WEEE obligations; if you operate purely in the US, your e-waste duties run through federal RCRA and state law instead. It is the EU counterpart, not an extra US requirement.

Can we export old electronics overseas for recycling?

Carefully, and with eyes open. International e-waste shipments are governed by the Basel Convention, and as of 2025 nearly all e-waste — hazardous and non-hazardous — is controlled through a prior-informed-consent process. The US signed but never ratified Basel, so it is a non-party, which actually restricts trade: Basel countries generally cannot accept covered e-waste from US firms without a special agreement. Reputable recyclers handle this through certifications like e-Stewards and R2v3 that police downstream export; the risk is a vendor that quietly ships your equipment somewhere it should not go, which becomes your exposure.

Does international compliance matter if we only operate in the US?

Often less than you would think — but not never. If your operations, customers, and data are entirely domestic, your obligations run through US federal and state law, and the EU frameworks do not directly apply. Two things pull international rules back in: handling the personal data of people in the EU (GDPR can reach you regardless of where you sit), and where your retired equipment ends up downstream (overseas export touches the Basel Convention). For a purely domestic operation with a certified recycler, the US layer is the one that matters; the international layer becomes relevant the moment your data or your hardware crosses a border.

How do government agencies have to handle IT asset disposal?

Federal agencies fall under FISMA, which requires them to secure their systems using NIST SP 800-53 controls — including media sanitization (control MP-6), which points to NIST 800-88 methods. Disposal records become part of the agency’s annual security authorization, so gaps show up in inspector-general audits. Law-enforcement agencies and their vendors carry an additional layer under the FBI’s CJIS Security Policy, which requires sanitizing or destroying media that held criminal justice information and generally bars reselling that hardware. Many states have adopted NIST 800-53 as well, extending similar expectations to state-issued devices. The practical thread through all of them is the same: sanitize or destroy to NIST 800-88, and keep serialized documentation.

Can data be recovered from a “wiped” SSD?

Often, yes — if the “wipe” was an overwrite, a quick format, or a factory reset. An SSD’s controller spreads writes across the chip and keeps a large over-provisioned reserve plus remapped cells outside the addresses the host can reach, so those methods leave recoverable data behind. Forensic recovery from exactly those regions is a documented, commercially available service. Reliable sanitization on flash means verified cryptographic erase or physical destruction. See the SSD, SED & NVMe field guide →

Is cryptographic erase accepted for compliance?

Yes — cryptographic erase is the one technique NIST SP 800-88 Rev. 2 still describes in detail, and it qualifies as Purge when its preconditions hold: encryption was active from first use, the cipher is sound, the key is genuinely destroyed (with no escrowed copy surviving), and the result is verified. Frameworks like HIPAA, GLBA, PCI DSS, and CMMC inherit NIST’s methods, so a verified crypto-erase meeting those conditions satisfies them. When the preconditions can’t be established, fall back to destruction. See the SSD, SED & NVMe field guide →

How should soldered or embedded flash be handled at end of life?

When NVMe flash is soldered to the board, or a device uses embedded eMMC/UFS storage that can’t be removed or verifiably erased, physical destruction is usually the only method that meets Purge — and for soldered storage that means destroying the board, not just wiping the device. The practical key is to identify embedded and soldered flash at intake, by serial, so each device routes to the right method before processing. See the SSD, SED & NVMe field guide →

CHAPTER TWO · LOOK UP

The ITAD Dictionary

Every term the industry throws around, defined in plain English — with one line on why it matters and a link to go deeper.

A

ACORD certificate of insurance (COI)

A standardized one-page summary of a vendor's insurance coverage, issued on a form from ACORD (the insurance-industry standards body), listing carriers, policy types, limits, and effective dates.

Why it matters: It's the document you request to verify an ITAD vendor's coverage during due diligence — confirm it names the entity you're actually contracting with, the limits are adequate, and the policies are current. Go deeper →

Advance recovery fee

A point-of-sale fee some states (e.g. California) add to covered electronics to fund the state’s e-waste collection and recycling system, instead of charging manufacturers directly.

Why it matters: It changes how end-of-life electronics are funded and routed in those states — a detail worth knowing when you operate across state lines. Go deeper →

Asset tag

An organization-assigned identifier affixed to equipment for inventory tracking, distinct from the manufacturer serial number.

Why it matters: Disposition records should capture both — auditors reconcile against whichever your inventory uses.

Attorney general notification

A requirement in many state breach-notification laws to notify the state attorney general (and sometimes consumer-reporting agencies) when a breach affects residents — often on a fixed deadline, and in some states before individuals are told.

Why it matters: A disposal-stage exposure can trigger AG notice just like a network breach; thresholds and timing vary by state. Go deeper →

B

BAA (Business Associate Agreement)

A HIPAA-required contract between a covered entity and any vendor that handles protected health information on its behalf.

Why it matters: An ITAD vendor taking custody of PHI-bearing drives is a business associate — disposal belongs under a BAA. Go deeper →

Basel Convention

An international treaty controlling cross-border shipments of hazardous waste, including e-waste, through a prior-informed-consent process. The United States signed it but has not ratified it, so it remains a non-party.

Why it matters: Because the US is a non-party, Basel countries generally cannot trade covered e-waste with US firms outside special agreements — and as of 2025 the treaty controls nearly all e-waste shipments, so where retired equipment goes overseas is tightly constrained.

Breach notification law

A state law requiring organizations to notify affected residents (and often regulators) when personal information is exposed. Deadlines, thresholds, and who must be told first differ by state.

Why it matters: These duties attach to the data, not the hardware — an unsanitized drive that leaves your control can put you on the hook. Go deeper →

C

C3PAO

Certified Third-Party Assessment Organization — an entity authorized by the Cyber AB to conduct CMMC Level 2 certification assessments.

Why it matters: Phase 2 of the CMMC rollout puts C3PAO assessments into new CUI contracts; they sample your disposition evidence. Go deeper →

CCPA / CPRA (California privacy laws)

The California Consumer Privacy Act and its amendment, the California Privacy Rights Act — state laws giving California residents rights over their personal information and requiring businesses to protect it with reasonable security, including at disposal.

Why it matters: If retired hardware held California residents’ personal information, these laws expect it to be securely disposed of and not retained longer than needed; a growing list of states has passed comparable privacy laws.

CDI (Covered Defense Information)

Unclassified information a Department of Defense contract requires to be protected or controlled — the category DFARS 252.204-7012 governs. In practice it overlaps heavily with CUI.

Why it matters: Devices and drives that held CDI inherit handling and sanitization obligations through end of life. Go deeper →

CDRA (Covered Device Recycling Act)

Pennsylvania's electronics recycling law (Act 108 of 2010), which keeps covered devices like computers and televisions out of landfills and assigns manufacturers responsibility for recycling them.

Why it matters: It's the statute behind “no electronics in the trash” for Pennsylvania organizations; other states have their own equivalents. Go deeper →

Certificate of destruction (CoD)

A document attesting that specific media was sanitized or destroyed, identifying each device, the method, verification, operator, and date.

Why it matters: Serialized CoDs are audit evidence; aggregate 'one lot' letters are receipts. Go deeper →

Certificate of recycling

A document attesting that retired equipment was responsibly recycled or reused through a certified downstream chain rather than landfilled or illegally exported. It is the environmental counterpart to a certificate of destruction.

Why it matters: The certificate of destruction proves the data risk was handled; the certificate of recycling proves the environmental and downstream-export risk was too. A complete program produces both on every project. Go deeper →

Chain of custody

The documented, unbroken record of who controlled an asset at every point from your dock to final disposition.

Why it matters: Any undocumented gap is a window where anything could have happened — and assessors treat it that way. Go deeper →

CJIS (Criminal Justice Information Services Security Policy)

The FBI security policy governing how criminal justice information (CJI) is protected by law-enforcement agencies and their vendors, including secure sanitization or destruction of media before disposal or reuse.

Why it matters: Agencies and contractors that handle CJI must sanitize or destroy retired media and keep documentation; the policy maps to NIST 800-53 and references NIST 800-88 methods, and many agencies' own policies bar reselling hardware that held CJI at all.

Clear (NIST 800-88)

The lowest sanitization level: logical techniques like overwriting that protect against simple, non-invasive recovery.

Why it matters: Clear alone is insufficient for media leaving your control — purge or destroy instead.

CMDB (Configuration Management Database)

A repository of an organization's IT assets and their relationships, used mainly for IT service management. It overlaps with, but isn't the same as, an ITAM system.

Why it matters: A CMDB tracks configuration for operations; ITAD reconciliation needs asset-level disposition records a CMDB often doesn’t carry, which is how ghost assets form.

CMMC

Cybersecurity Maturity Model Certification — the DoD's framework for verifying contractor protection of federal contract information and CUI.

Why it matters: Two of its five-point controls live in media protection; your disposal program is assessment material. Go deeper →

Crypto erase (cryptographic erase)

Sanitization by destroying the encryption key on media whose data was encrypted, rendering ciphertext permanently inaccessible.

Why it matters: Valid purge only if encryption was actually enforced from deployment — and you can evidence it. Go deeper →

CUI (Controlled Unclassified Information)

Government-created or -owned information requiring safeguarding per law, regulation, or policy — the data CMMC Level 2 exists to protect.

Why it matters: CUI on retired media is still CUI; controls follow it to destruction.

Cyber & tech E&O insurance

Cyber liability and technology errors-and-omissions coverage — the insurance that responds when a data exposure or service failure traces back to a vendor's handling of your information or equipment.

Why it matters: It is the coverage that matters most when vetting an ITAD vendor, because it backs the data risk specifically rather than just the physical operation. Confirm the limit is adequate and that the named insured is the legal entity you are actually contracting with, not an affiliate. Go deeper →

D

Data-bearing asset

Any device containing storage media that holds or held data — laptops, servers, drives, copiers, phones, network gear, tapes.

Why it matters: Disposal programs fail by under-counting these; copiers and network gear are the classic misses.

DDTC (Directorate of Defense Trade Controls)

The U.S. State Department body that administers ITAR, including the registration required of companies that manufacture or export defense articles and technical data.

Why it matters: A frequent ITAR misconception: DDTC registration is required to manufacture or export defense articles, but routine domestic destruction of ITAR-covered media by a U.S.-based provider is generally not itself an export and does not, on its own, trigger a registration requirement. Confirm your own obligations with counsel.

Degaussing

Sanitization by exposing magnetic media to a magnetic field strong enough to scramble the recorded domains, erasing data on HDDs and tape. A modern HDD is left unusable afterward, because the servo tracks it needs to operate are erased along with the data.

Why it matters: Does absolutely nothing to SSDs and flash — the most consequential myth in disposal. Go deeper →

Destroy (NIST 800-88)

The highest sanitization level: physical destruction (shredding, disintegration, incineration) rendering media unusable and data irretrievable.

Why it matters: The default answer at end of life; particle size matters for flash media. Go deeper →

DFARS

Defense Federal Acquisition Regulation Supplement — the rules governing Department of Defense contracts. Clause 252.204-7012 requires safeguarding Covered Defense Information and implementing NIST SP 800-171; its companion clause 252.204-7021 adds the CMMC requirement. Both flow down to subcontractors and their vendors.

Why it matters: It's why disposal-stage controls aren't optional in the defense supply chain — the obligation is written into the contract and flows down to whoever destroys the media. Go deeper →

Disposition

The end-of-life pathway assigned to an asset: redeploy, remarket, donate, recycle, or destroy.

Why it matters: Every retired asset should carry an explicit disposition state — limbo is a decision nobody made.

Downstream vendor

Any party that receives materials after your primary recycler — smelters, brokers, parts harvesters.

Why it matters: R2v3 exists largely to govern this chain; ask vendors to disclose theirs.

E

EHR (Electronic Health Record)

A digital patient-record system used by healthcare providers. The workstations, servers, and storage that touch it hold protected health information (PHI).

Why it matters: Retired equipment from an EHR environment must be sanitized or destroyed under HIPAA before disposal. Go deeper →

Embedded flash (eMMC / UFS)

Soldered, non-removable flash storage used in laptops, tablets, and IoT devices. eMMC and UFS are the common embedded standards.

Why it matters: Embedded flash usually can't be removed, and a sanitize command the host can both invoke and verify is often unavailable, so a defensible Purge may not exist; destruction of the board (Destroy) is frequently the only option. Identify it at intake, by serial. Go deeper →

EOL (End of Life)

The point at which a device is retired from active service — obsolete, off-lease, failed, or refreshed. It's the trigger for the disposition stage.

Why it matters: EOL is where data risk peaks and value recovery is still possible; how an asset is handled at EOL determines both outcomes.

EPR (Extended Producer Responsibility)

A regulatory model that makes electronics manufacturers responsible for funding and operating the collection and recycling of their products at end of life.

Why it matters: It is the structure behind most state e-waste laws; the main alternative is an advance recovery fee paid at purchase. Which model a state uses shapes who pays and how collection works. Go deeper →

ESG (Environmental, Social, and Governance)

A framework for measuring an organization’s environmental, social, and governance performance. Responsible IT asset disposition contributes to the environmental side through reuse, recycling, and avoided emissions.

Why it matters: Enterprises increasingly report ESG metrics, and certified ITAD provides the documented reuse, recycling, and carbon-avoidance data that supports the environmental and governance pieces of that reporting.

e-Stewards

A certification standard for responsible electronics recyclers, known for stricter limits on exporting hazardous e-waste to developing countries. It is an alternative or complement to R2v3.

Why it matters: Where your retired equipment ends up downstream is part of your liability; an e-Stewards or R2v3 certified recycler is how you keep it out of illegal export streams.

E-waste

Discarded electrical and electronic equipment.

Why it matters: Several states regulate its disposal; certified recycling addresses both the environmental and the data risk inside it.

F

FACTA / FTC Disposal Rule

The federal rule, under the Fair and Accurate Credit Transactions Act, requiring reasonable measures to dispose of consumer-report information so it cannot be read or reconstructed.

Why it matters: It's one of the few federal disposal mandates that applies broadly across industries handling consumer data, alongside sector laws like HIPAA and GLBA.

FERPA

Family Educational Rights and Privacy Act — the federal law protecting the privacy of student education records at schools and higher-education institutions.

Why it matters: Retired computers, drives, and copiers from a school can hold education records; FERPA protections extend to how that data is disposed of, making sanitization and documented destruction part of compliance. Go deeper →

FISMA (Federal Information Security Modernization Act)

The federal law requiring U.S. government agencies to secure their information systems. Agencies implement NIST SP 800-53 controls, including media sanitization (MP-6), which references NIST 800-88.

Why it matters: For federal systems, disposal is not optional housekeeping — compliant media sanitization is part of the annual security authorization, and gaps surface in inspector-general audits and FISMA reporting. Go deeper →

Flash Translation Layer (FTL)

The firmware inside every SSD that maps the logical addresses the operating system sees onto constantly moving physical flash cells, enabling wear leveling and bad-block management.

Why it matters: The FTL is the reason overwriting an SSD doesn’t sanitize it: your writes never reach the physical cells directly, and over-provisioned and remapped cells stay out of reach. Go deeper →

Flowdown

The contractual propagation of a prime contractor's compliance requirements to its subcontractors.

Why it matters: How companies with no government contracts end up needing CMMC. Go deeper →

G

GDPR (General Data Protection Regulation)

The European Union's data-protection law. It applies not only to EU-based organizations but to any organization, anywhere, that processes the personal data of people in the EU — including its storage-limitation and secure-disposal expectations.

Why it matters: A US company with EU customers or employees can be subject to GDPR; when devices holding that data are retired, the same protect-and-dispose-securely obligations follow, backed by some of the steepest fines in privacy law.

Ghost asset

A device that has left active service but was never formally dispositioned — still on the asset register, still depreciating, and, if it held data, an unaccounted-for endpoint nobody is securing. Industry estimates put ghost assets at roughly 10–30% of fixed assets.

Why it matters: The record only closes when a serialized certificate of destruction feeds back into it; until then the device is both a security exposure and a depreciation leak. Go deeper →

GLBA

Gramm-Leach-Bliley Act — the federal law governing how financial institutions protect customer financial information. Its Safeguards Rule requires reasonable measures to protect that data, including through secure disposal.

Why it matters: Banks, lenders, and insurers must account for data on retired hardware; GLBA disposal expectations make sanitization and chain-of-custody documentation part of the control set. Go deeper →

H

Hardware Asset Management (HAM)

The lifecycle discipline of tracking physical IT assets from acquisition through deployment, operation, refresh, and disposition — keeping one authoritative record of what you own, where it is, and what state it’s in. It is the physical-device side of IT asset management (ITAM).

Why it matters: Most programs manage the early stages well and neglect disposition — the stage that actually closes the record and retires the data risk. Go deeper →

HDD (Hard Disk Drive)

A storage device that records data magnetically on spinning platters. Data on an HDD can be sanitized by overwriting, degaussing, or physical destruction.

Why it matters: HDDs and SSDs sanitize completely differently — degaussing and overwriting work on an HDD but not reliably on flash. Go deeper →

HIPAA (Health Insurance Portability and Accountability Act)

The federal law governing the privacy and security of protected health information (PHI). Its Security Rule requires safeguarding PHI through the disposal of the media that held it.

Why it matters: Healthcare organizations must sanitize or destroy retired data-bearing devices and keep documentation; a business associate agreement (BAA) covers the vendor that performs it. Go deeper →

HITECH Act

The Health Information Technology for Economic and Clinical Health Act — a federal law that strengthened HIPAA, expanding its enforcement and adding breach-notification requirements for protected health information (PHI).

Why it matters: It is why a healthcare data breach — including one caused by improperly disposed media — carries mandatory notification and steeper penalties than before; it raised the stakes on disposal documentation. Go deeper →

I

IEEE 2883

The 2022 IEEE standard for storage sanitization that defines which techniques meet Clear, Purge, and Destruct (its term for Destroy) for each media type. NIST SP 800-88 Rev. 2 now defers to it for technique selection.

Why it matters: Since NIST 800-88 Rev. 2 (2025) dropped its own per-media technique tables, IEEE 2883-2022 is the operative reference for which method meets which level. Under it, Purge on flash means a verified firmware block erase or crypto erase; a host overwrite does not qualify, and physical destruction is its own level rather than a Purge. Go deeper →

i-SIGMA (International Secure Information Governance & Management Association)

The trade association that owns and administers the NAID AAA certification program and publishes the registry of certified firms. NAID is its information-destruction division.

Why it matters: It's where you verify a vendor's NAID AAA claim. Search the firm in the i-SIGMA registry to confirm the certification is real, current, and scoped to the destruction service you need — the logo on a website is not the certificate. Go deeper →

ITAD

IT Asset Disposition — the discipline of retiring IT equipment securely: data destruction, logistics, remarketing, recycling, and the evidence trail.

Why it matters: The thing this entire site is about. Go deeper →

ITAM

IT Asset Management — the practice and tooling for tracking IT assets through their lifecycle.

Why it matters: Disposition states belong in your ITAM system; API integration posts certificates back automatically. Go deeper →

ITAR

International Traffic in Arms Regulations — U.S. State Department regulations (22 CFR 120–130) controlling the export of defense articles and related technical data.

Why it matters: Drives and media holding ITAR technical data carry handling and access restrictions; destruction is typically performed by U.S. persons on U.S. soil, and the data must not be exposed to foreign nationals during the process. Go deeper →

L

Landfill ban (e-waste)

A state prohibition on landfilling or incinerating certain electronics, requiring recycling or recovery instead. Some states (e.g. Illinois) pair the ban with manufacturer-funded collection; others (e.g. Texas) run take-back programs with no ban.

Why it matters: Where a ban applies, landfilling covered devices is a violation independent of any data question — disposition has to route through compliant recycling. Go deeper →

Lease return

Returning leased equipment (commonly copiers/MFPs) to the lessor at end of term.

Why it matters: The classic forgotten-drive moment — negotiate data clauses before signing, not at return. Go deeper →

M

Mail-back ITAD

Disposition via prepaid, tracked return kits shipped to remote locations or employees, with certified destruction on arrival.

Why it matters: The answer to laptops in departed employees' closets. Go deeper →

Media Encryption Key (MEK)

The key a self-encrypting drive uses to encrypt and decrypt everything it stores. It lives inside the drive’s controller.

Why it matters: Cryptographic erase works by destroying the MEK. If a copy of the key, or a recovery credential that can still unwrap it, survives elsewhere (an MDM, a key-management system, a BitLocker recovery store), the erase isn't complete. Go deeper →

Microsoft Registered Refurbisher (MRR / TPR)

An authorization under Microsoft's refurbisher programs that lets a qualified processor reinstall a genuine, properly licensed Windows operating system on eligible used PCs before they are resold.

Why it matters: It's how reused machines leave with legitimate, transferable software licenses rather than unlicensed installs — a signal that a vendor's value-recovery and remarketing chain is above-board. It speaks to reuse legitimacy, not data security, so weigh it alongside the destruction credentials.

MSP (Managed Service Provider)

A firm that manages IT systems and services for client organizations. Many MSPs offer or resell ITAD as part of their lifecycle services.

Why it matters: An MSP's disposal offering is only as defensible as the certified downstream vendor behind it; ask who actually sanitizes and destroys the media, and what certificate you receive.

N

NAID AAA

The International Secure Information Governance & Management Association's certification for information destruction operations, including unannounced audits.

Why it matters: Certifies the destruction operation itself — pair with R2v3 for the recycling chain. Go deeper →

NIST SP 800-53

The NIST catalog of security and privacy controls for federal information systems and organizations. Its media-protection family includes MP-6, the media-sanitization control, which references NIST 800-88.

Why it matters: It is the broader control catalog that CUI-focused 800-171 derives from; for federal and many state systems, media disposal sits inside the MP-6 control and is assessed as part of the system’s security posture. Go deeper →

NIST SP 800-88

'Guidelines for Media Sanitization' — the de facto U.S. standard mapping sanitization methods (clear, purge, destroy) to media types.

Why it matters: The reference your SOP should name; nearly every framework points here. Go deeper →

NIST SP 800-171

A NIST standard defining the security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems: 110 requirements in Rev. 2, the version CMMC Level 2 currently assesses against (Rev. 3, published in 2024, restructures them). It is the control baseline that CMMC assessments verify.

Why it matters: Where 800-88 governs how you sanitize media, 800-171 governs the broader security program that media disposal sits inside; CMMC builds directly on it. Go deeper →

NVMe (Non-Volatile Memory Express)

The high-speed interface modern solid-state drives use to connect over PCIe, replacing the older SATA interface. NVMe drives carry their own sanitize command set.

Why it matters: NVMe drives are sanitized with the NVMe Sanitize command (crypto erase or block erase), which reaches the over-provisioned and remapped cells a host overwrite can't; confirm completion from the drive's sanitize status log, not from the utility's exit code. Where the flash is soldered to the board, destruction is the remaining option. Go deeper →

O

Overprovisioning

Spare flash capacity in SSDs invisible to the operating system, used by the controller for wear management.

Why it matters: One reason overwrite software can't fully sanitize SSDs — it can't see all the storage.

P

PA DEP (Pennsylvania Department of Environmental Protection)

Pennsylvania’s environmental regulator, which permits and oversees waste and recycling operations in the state, including electronics recycling and the handling of regulated materials.

Why it matters: A PA DEP permit is part of how a Pennsylvania-based recycler demonstrates it is authorized to handle and process regulated electronic waste lawfully — one of the credentials behind a compliant ITAD chain of custody.

PCI DSS

Payment Card Industry Data Security Standard — the security standard for organizations that handle branded payment-card data. It requires rendering cardholder data unrecoverable when media is retired.

Why it matters: Any business that stored payment data must securely destroy the media that held it; PCI DSS makes documented destruction part of staying compliant. Go deeper →

POA&M

Plan of Action and Milestones — a documented plan to remediate unmet requirements post-assessment.

Why it matters: Under CMMC, only one-point requirements qualify; the five-point media controls cannot ride on one. Go deeper →

Purge (NIST 800-88)

Mid-level sanitization using techniques (firmware sanitize commands, crypto erase, degaussing for magnetic media) that defeat laboratory recovery.

Why it matters: The minimum bar for media leaving your control that you intend to reuse or resell. Go deeper →

R

R2v3

The current version of the Responsible Recycling standard, certifying electronics recyclers on data security, downstream accountability, and environmental handling.

Why it matters: Certifies the recycling/reuse chain — pair with NAID AAA for destruction.

RCRA (Resource Conservation and Recovery Act)

The federal law governing hazardous-waste management. Electronics contain materials such as lead, mercury, and cadmium that can bring them under RCRA and state hazardous-waste rules.

Why it matters: It's the federal floor for the environmental side of e-waste; certified recyclers manage RCRA obligations so retired equipment isn’t handled or dumped illegally.

Reconciliation

Matching disposition records (certificates, manifests) against asset inventory, serial by serial.

Why it matters: The audit exercise your program must survive; run the ten-serial test before they do. Go deeper →

Remarketing

Reselling retired equipment into the secondary market after sanitization, recovering residual value.

Why it matters: Value decays quarterly — remarket on a schedule, not when the closet is full. Go deeper →

RIOS (Recycling Industry Operating Standard)

An integrated quality, environmental, and health-and-safety management-system certification for the recycling industry. It is one of the three certifications CyberCrunch holds, alongside R2v3 and NAID AAA.

Why it matters: Where R2v3 governs responsible-recycling practices and NAID AAA governs data destruction, RIOS certifies the management system behind them — consistent processes, environmental controls, and worker safety across the operation.

RMA (Return Merchandise Authorization)

The process of returning equipment to a manufacturer or supplier for repair or replacement.

Why it matters: Drives leave your control during RMAs — sanitize first or contract for media retention.

RoHS

The European Union's Restriction of Hazardous Substances directive, which limits substances like lead, mercury, and cadmium in electronics sold in the EU. It governs what goes into equipment, complementing WEEE, which governs what happens at end of life.

Why it matters: It is a product-composition rule rather than a disposal rule, but it is why EU-market electronics contain fewer of the hazardous materials that complicate recycling — and it is frequently named alongside WEEE.

S

Sanitization

Any process that removes data from media such that recovery is infeasible at a defined level (clear, purge, or destroy).

Why it matters: 'Wiped' is a claim; sanitization is a verified, recorded process.

Scope 3 emissions

Greenhouse-gas emissions from an organization's value chain, including end-of-life treatment of its products and equipment.

Why it matters: Your disposition choices become reportable data; reuse beats recycling in the arithmetic. Go deeper →

Secure Erase / SANITIZE

ATA/NVMe firmware commands that instruct a drive to sanitize itself internally, reaching areas software overwrites can't.

Why it matters: The right Purge tool for drives that support it, on two conditions: read the drive's own completion status back and sample the media rather than trusting the utility's success message, and keep the result as a serialized record.
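
As an added example, not part of this dictionary's text or of any vendor's tooling, the Python below walks the NVMe side of that procedure (see also the NVMe entry): it reads which Sanitize actions a drive advertises, picks one that meets Purge, decodes the sanitize status log the drive returns afterward, and turns the result into the serialized line a certificate needs. The two JSON fragments are constructed to resemble `nvme id-ctrl -o json` and `nvme sanitize-log -o json` output; the key names are an assumption about nvme-cli, so check them against the version you run, and the serial, model and firmware are invented.

```python
import json
from datetime import datetime, timezone

# Identify Controller SANICAP bits (Sanitize Capabilities field).
SANICAP_CRYPTO_ERASE = 1 << 0   # CES: Crypto Erase Sanitize supported
SANICAP_BLOCK_ERASE = 1 << 1    # BES: Block Erase Sanitize supported
SANICAP_OVERWRITE = 1 << 2      # OWS: Overwrite Sanitize supported

# Sanitize Action (SANACT) codes, the value given to `nvme sanitize --sanact=N`.
SANACT = {"block-erase": 2, "overwrite": 3, "crypto-erase": 4}

# SSTAT bits 2:0 from the Sanitize Status log page (log identifier 0x81).
SSTAT_STATUS = {
    0: "never sanitized",
    1: "completed successfully",
    2: "in progress",
    3: "failed",
    4: "completed successfully, no-deallocate requested",
}

# Constructed stand-ins for `nvme id-ctrl -o json` and `nvme sanitize-log -o json`.
# Key names mirror nvme-cli's JSON output as an assumption; values are invented.
# sanicap=3 -> CES and BES supported. sstat=0x101 -> status 1 (success), GDE bit set.
ID_CTRL_JSON = ('{"sn": "EX-SN-000001        ", "mn": "EXAMPLE NVMe SSD 1TB", '
                '"fr": "1.2.3   ", "sanicap": 3}')
SANITIZE_LOG_JSON = '{"sprog": 65535, "sstat": 257, "scdw10": 4}'


def choose_sanitize_action(sanicap: int, prefer_block_erase: bool = False) -> str:
    """Pick the Purge-level action the drive advertises. Crypto erase and block
    erase both meet Purge on flash; overwrite is a slower fallback. A drive that
    advertises none cannot be purged in place and goes to physical destruction.
    Set prefer_block_erase when policy will not accept crypto-erase evidence."""
    order = ["block-erase", "crypto-erase"] if prefer_block_erase else ["crypto-erase", "block-erase"]
    bits = {"crypto-erase": SANICAP_CRYPTO_ERASE, "block-erase": SANICAP_BLOCK_ERASE,
            "overwrite": SANICAP_OVERWRITE}
    for action in order + ["overwrite"]:
        if sanicap & bits[action]:
            return action
    return "destroy"


def interpret_sanitize_log(log: dict) -> dict:
    """Decode the fields an operator must check after `nvme sanitize` returns."""
    sstat = log["sstat"]
    status_code = sstat & 0x7
    return {
        "status_code": status_code,
        "status": SSTAT_STATUS.get(status_code, f"reserved ({status_code})"),
        "overwrite_passes": (sstat >> 3) & 0x1F,
        # GDE (bit 8): no user data has been written since the last successful sanitize.
        "global_data_erased": bool(sstat & (1 << 8)),
        # SPROG is a fraction of 65536; 0xFFFF means no sanitize is in progress.
        "progress_pct": round(log["sprog"] * 100 / 65536, 1),
        # SCDW10 echoes the Sanitize command's CDW10; bits 2:0 are the action that ran.
        "last_action": log["scdw10"] & 0x7,
    }


def sanitize_succeeded(log: dict, requested_action: str) -> bool:
    """Success means the drive reports completion of the action we asked for and
    nothing has been written since. The utility's exit code proves neither."""
    info = interpret_sanitize_log(log)
    return (info["status_code"] in (1, 4)
            and info["last_action"] == SANACT.get(requested_action)
            and info["global_data_erased"])


def build_evidence_record(id_ctrl: dict, log: dict, requested_action: str,
                          operator: str, sampled_lbas_clean: bool) -> dict:
    """One serialized line for the certificate of destruction. A drive that fails
    verification is routed to Destroy instead of being passed off as purged."""
    info = interpret_sanitize_log(log)
    verified = sanitize_succeeded(log, requested_action) and sampled_lbas_clean
    return {
        "serial": id_ctrl["sn"].strip(),
        "model": id_ctrl["mn"].strip(),
        "firmware": id_ctrl["fr"].strip(),
        "method": f"NVMe Sanitize ({requested_action})",
        "sanitize_status": info["status"],
        "verified": verified,
        "disposition": "purge" if verified else "destroy",
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def demo() -> dict:
    id_ctrl = json.loads(ID_CTRL_JSON)
    log = json.loads(SANITIZE_LOG_JSON)
    action = choose_sanitize_action(id_ctrl["sanicap"])
    # On a real drive the operator runs, between these two steps:
    #   nvme sanitize /dev/nvme0 --sanact=<SANACT[action]>
    #   nvme sanitize-log /dev/nvme0 -o json   (poll until status is not "in progress")
    # and reads a sample of LBAs to confirm they no longer return user data.
    return build_evidence_record(id_ctrl, log, action, operator="tech-01", sampled_lbas_clean=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the record. The point of `sanitize_succeeded` is that it asks the drive, not the tool: a utility can exit cleanly while the drive reports failed or in progress, and the record then routes that drive to Destroy rather than to the purged pile.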

Self-Encrypting Drive (SED)

A drive that automatically encrypts everything it stores using a key held inside its own controller (the media encryption key). The data is always ciphertext; only the key makes it readable.

Why it matters: SEDs make near-instant cryptographic erase possible — destroy the internal key and every cell becomes unrecoverable noise in seconds. The guarantee only holds if encryption was on from first use and the key is truly destroyed. Go deeper →

SERI (Sustainable Electronics Recycling International)

The non-profit that owns and administers the R2 (Responsible Recycling) Standard and publishes the public registry of R2-certified facilities.

Why it matters: It's where you verify a vendor's R2 claim. Look the facility up in the SERI registry to confirm the certification is real and current, and that its scope covers data sanitization — not just general recycling. Go deeper →

Serialized reporting

Disposition documentation that identifies every individual device by serial number.

Why it matters: The difference between evidence and a receipt. Go deeper →
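
Reconciliation, Serialized reporting, Certificate of destruction and Ghost asset are four views of one audit exercise. As an added example, written for this page rather than taken from any ITAM or vendor system, the Python below runs it: an asset register and the certificates a vendor returned go in, and out come the records that close, the retired assets nothing covers, the certificates that prove nothing, and the ten-serial spot check. The register rows, certificate fields, serials and method names are constructed; a real export will need a small adapter.

```python
import random
from collections import defaultdict

MAGNETIC_MEDIA = {"hdd", "tape"}   # the only media degaussing actually sanitizes

# Constructed asset register and vendor certificates; field names and serials
# are invented for the example and will differ from any real ITAM export.
REGISTER = [
    {"serial": "SN-1001", "tag": "LT-001", "status": "retired", "media": "ssd"},
    {"serial": "SN-1002", "tag": "LT-002", "status": "retired", "media": "ssd"},
    {"serial": "sn-1003 ", "tag": "LT-003", "status": "retired", "media": "hdd"},   # messy export
    {"serial": "SN-1004", "tag": "SV-001", "status": "retired", "media": "ssd"},    # no certificate
    {"serial": "SN-1005", "tag": "LT-005", "status": "in_service", "media": "ssd"}, # register never updated
    {"serial": "SN-1006", "tag": "MON-01", "status": "retired", "media": "none"},   # monitor, no storage
]
CERTIFICATES = [
    {"cert_id": "COD-2025-001", "method": "nvme-sanitize-crypto-erase", "serials": ["SN-1001", "SN-1002"]},
    {"cert_id": "COD-2025-002", "method": "degauss", "serials": ["SN-1003", "SN-1002"]},
    {"cert_id": "COD-2025-003", "method": "shred", "serials": ["SN-1005", "SN-9999"]},
    {"cert_id": "LOT-2025-007", "method": "shred", "serials": [], "quantity": 12},   # aggregate letter
]


def norm(serial: str) -> str:
    """Exports carry stray whitespace and mixed case; compare serials normalized."""
    return serial.strip().upper()


def reconcile(register: list, certificates: list) -> dict:
    """Match every certificate serial against the register and report what an
    assessor would: closed records, ghost assets, and certificates that prove
    nothing (unknown serials, duplicates, wrong method, lot-count letters)."""
    assets = {norm(a["serial"]): a for a in register}
    certs_by_serial = defaultdict(list)   # normalized serial -> [cert_id, ...]
    aggregate_only, method_mismatch = [], []

    for cert in certificates:
        if not cert.get("serials"):
            # A count with no serials is a receipt, not evidence for any asset.
            aggregate_only.append((cert["cert_id"], cert.get("quantity", 0)))
            continue
        for raw in cert["serials"]:
            serial = norm(raw)
            certs_by_serial[serial].append(cert["cert_id"])
            asset = assets.get(serial)
            if asset and cert["method"] == "degauss" and asset["media"] not in MAGNETIC_MEDIA:
                method_mismatch.append((serial, cert["cert_id"], cert["method"]))

    retired = [s for s, a in assets.items() if a["status"] == "retired"]

    def data_bearing(serial: str) -> bool:
        return assets[serial]["media"] != "none"

    return {
        "closed": sorted(s for s in retired if s in certs_by_serial and data_bearing(s)),
        "retired_without_certificate": sorted(s for s in retired if s not in certs_by_serial),
        "ghost_data_bearing": sorted(s for s in retired if s not in certs_by_serial and data_bearing(s)),
        "in_service_but_on_certificate": sorted(s for s in certs_by_serial
                                                if s in assets and assets[s]["status"] != "retired"),
        "unknown_serials": sorted(s for s in certs_by_serial if s not in assets),
        "duplicates": sorted(s for s, ids in certs_by_serial.items() if len(ids) > 1),
        "method_mismatch": method_mismatch,
        "aggregate_only": aggregate_only,
    }


def ten_serial_test(register: list, certificates: list, n: int = 10, seed: int = 0) -> list:
    """The spot check an assessor runs: pick n retired data-bearing serials at
    random and demand a serialized certificate for each. Returns the misses."""
    closed = set(reconcile(register, certificates)["closed"])
    population = sorted(norm(a["serial"]) for a in register
                        if a["status"] == "retired" and a["media"] != "none")
    picks = random.Random(seed).sample(population, min(n, len(population)))
    return sorted(s for s in picks if s not in closed)


if __name__ == "__main__":
    for finding, items in reconcile(REGISTER, CERTIFICATES).items():
        print(f"{finding}: {items}")
    print("ten-serial test misses:", ten_serial_test(REGISTER, CERTIFICATES))
```

The aggregate lot letter counts twelve devices but closes zero records, which is the receipt-versus-evidence distinction in code. The degaussed SSD is flagged because that method cannot have sanitized that media, whatever the certificate says, and the serial that appears on a certificate while the register still shows it in service is the register's problem as much as the vendor's.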

SOX

Sarbanes-Oxley Act — the federal law governing financial reporting and record integrity for public companies. It requires controls over the retention and disposal of records, including electronic ones.

Why it matters: Hardware retired from finance and accounting functions can hold records subject to SOX retention rules; disposal has to respect those before destruction. Go deeper →

SPRS

Supplier Performance Risk System — the DoD database where contractors post NIST 800-171 self-assessment scores.

Why it matters: Where the point values (1/3/5) of each control cash out as your score.

SSD (Solid-State Drive)

A storage device that records data on flash memory chips with no moving parts. Wear leveling spreads writes across cells the host cannot address, so overwriting doesn't reliably sanitize it, and degaussing does nothing because nothing is stored magnetically.

Why it matters: The single most consequential disposal myth is treating an SSD like an HDD; sanitize with the drive’s built-in cryptographic or secure-erase command, or destroy it to a flash-appropriate particle size. Go deeper →

SSP (System Security Plan)

The document describing how an organization implements each security requirement in its environment.

Why it matters: Your media-protection SSP statements should describe your real process and point to real evidence. Go deeper →

State disposal & breach laws

The two distinct bodies of state law that govern IT asset disposal: physical-disposal rules (e-waste handling, landfill bans, take-back or recycling-fee programs) and data-security rules (breach notification, attorney-general notice, secure-disposal duties). They operate independently and vary state to state.

Why it matters: Compliant ITAD has to satisfy both at once, in every state you operate — the device rules and the data rules. Go deeper →

T

TCG Opal

The Trusted Computing Group’s “Opal” standard for self-encrypting drives — the common specification enterprise SSDs and laptops use for hardware encryption and managed cryptographic erase.

Why it matters: Many drives are Opal-capable whether or not anyone ever activated it. Whether Opal was actually active, and whether you can show it was, decides whether crypto-erase is a Purge you can evidence or whether physical destruction is the defensible path. Go deeper →
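
As an added example, not part of this page or of the sedutil project, the Python below reads the flags `sedutil-cli --query` prints for a drive and decides whether crypto-erase is a route you can evidence. The sample output is constructed to follow sedutil-cli's layout with an invented device, model and serial; the layout itself is an assumption to check against your version. The routing rules encode this page's position, not TCG's: an Opal-capable drive that was never activated gets flagged rather than waved through.

```python
import re

# Constructed to follow the layout of `sedutil-cli --query <device>`; the device,
# model, serial and flag values are invented, and the exact layout is an assumption.
OPAL_QUERY = """\
/dev/nvme0 NVMe EXAMPLE SSD 1TB 1.2.3 EX-SN-000001
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
Geometry function (0x0003)
    Align = Y, Alignment Granularity = 8 (4096), Logical Block size = 512, Lowest Aligned LBA = 0
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N
"""

# Routing rules. These encode the position taken on this page (crypto erase is a
# Purge you can evidence only if encryption was actually active), not TCG text.
RECOMMENDATIONS = {
    "crypto-erase": "Opal locking was active: revert the drive (destroys the MEK), "
                    "re-query to confirm, and record the result by serial.",
    "not-evidenced": "Opal-capable but never activated: nothing shows encryption "
                     "protected the data from deployment. Destroy, or document an exception.",
    "destroy": "Drive does not encrypt user data (no Locking function, or MediaEncrypt = N): "
               "crypto erase is impossible; use another Purge method for the media type, or destroy.",
}


def parse_locking_flags(query_text: str) -> dict:
    """Return the Y/N flags on the line after 'Locking function' as booleans."""
    match = re.search(r"^Locking function.*\n(.*)$", query_text, re.MULTILINE)
    if not match:
        return {}
    return {k: v == "Y" for k, v in re.findall(r"(\w+) = ([YN])", match.group(1))}


def sed_standard(query_text: str):
    """Which TCG SSC the drive reports (OPAL 2.0, Opalite, Pyrite, Enterprise), or None."""
    match = re.search(r"^((?:OPAL|Opalite|Pyrite|Enterprise)[^\n(]*?)\s*function",
                      query_text, re.MULTILINE)
    return match.group(1) if match else None


def classify_drive(query_text: str) -> dict:
    """Decide whether crypto erase is a route this drive can evidence."""
    first_line = query_text.splitlines()[0].split()
    flags = parse_locking_flags(query_text)
    # Pyrite drives advertise a Locking function but MediaEncrypt = N: no encryption at all.
    encrypts = flags.get("MediaEncrypt", False)
    if not flags or not encrypts or not flags.get("LockingSupported", False):
        route = "destroy"
    elif flags.get("LockingEnabled", False):
        route = "crypto-erase"
    else:
        route = "not-evidenced"
    return {
        "device": first_line[0],
        "serial": first_line[-1],
        "standard": sed_standard(query_text),
        "media_encrypt": encrypts,
        "locking_enabled": flags.get("LockingEnabled", False),
        "route": route,
        "note": RECOMMENDATIONS[route],
    }


if __name__ == "__main__":
    for key, value in classify_drive(OPAL_QUERY).items():
        print(f"{key}: {value}")
```

On a real drive, `sedutil-cli --query /dev/nvme0` supplies the text. For a drive the function routes to crypto-erase, the revert (for example `sedutil-cli --PSIDrevert <PSID> /dev/nvme0`, using the PSID printed on the drive label) regenerates the MEK and makes every cell unreadable; re-run the query afterward and file both outputs against the serial.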

TPM (Trusted Platform Module)

A hardware security chip on a device’s motherboard that stores cryptographic keys, including the keys protecting full-disk encryption such as BitLocker.

Why it matters: When a device is retired, the keys the TPM protects must be accounted for. Clearing the TPM alone is not an erase: a BitLocker volume can still be unlocked with an escrowed recovery key, so remove the volume's key protectors (or crypto-erase the drive), clear the TPM, and confirm no escrowed recovery key survives. Go deeper →

U

Universal Waste Rule

An EPA program (40 CFR Part 273) that streamlines how businesses manage common hazardous wastes — batteries, lamps, mercury-containing equipment, and, in many states, used electronics — under lighter requirements than full hazardous-waste regulation, as long as the material is recycled or sent to an authorized facility.

Why it matters: It is the practical path most businesses use to handle e-waste under RCRA without triggering full hazardous-waste obligations; miss its rules, like the one-year storage limit, and you fall back into full RCRA regulation.

V

Value recovery

Recouping residual asset value through remarketing or parts harvesting to offset disposition costs.

Why it matters: Done well, it makes the program self-funding; done late, the value melts. Go deeper →

W

Wear leveling

SSD controller logic that distributes writes across cells to extend lifespan, remapping data invisibly.

Why it matters: Why overwrite tools miss data on flash — the controller, not the software, decides where bits live. Go deeper →
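
The Flash Translation Layer, Overprovisioning and Wear leveling entries describe one mechanism. As an added example (a model written for this page, not code from any controller), the Python below builds a sixteen-page SSD with twelve host-visible pages, fills it with sensitive data, lets the host "wipe" every address with zeros, and then dumps the physical pages the way a chip-off reader would. Block and page counts, the round-robin allocator, and the erase-only-fully-stale-blocks policy are simplifying assumptions; real controllers also relocate data during garbage collection and retire worn blocks with their contents intact, which makes the residue less predictable, not smaller.

```python
from collections import deque

BLOCKS, PAGES_PER_BLOCK = 4, 4   # 16 physical pages in total (assumption for the model)
LOGICAL_PAGES = 12               # 12 host-visible addresses; the other 4 are over-provisioning
SECRET = b"CUI"
ZERO = b"\x00"


class ToySSD:
    """A deliberately small model of an SSD's flash translation layer.

    Physical pages hold bytes, or None when erased. The host only sees
    LOGICAL_PAGES addresses; the FTL maps each LBA to whichever physical page
    it most recently wrote, hands out erased pages round robin (wear leveling),
    and erases a block only once every page in it is stale.
    """

    def __init__(self):
        self.pages = [None] * (BLOCKS * PAGES_PER_BLOCK)   # None = erased
        self.valid = [False] * len(self.pages)            # True = current target of some LBA
        self.lba_map = {}                                  # LBA -> physical page
        self.free = deque(range(len(self.pages)))          # erased pages, round robin

    def _block_pages(self, block):
        return range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK)

    def _garbage_collect(self):
        # Reclaim a block only when every page in it is stale: written, but no LBA points at it.
        for block in range(BLOCKS):
            pages = self._block_pages(block)
            if all(self.pages[p] is not None and not self.valid[p] for p in pages):
                for p in pages:
                    self.pages[p] = None
                    self.free.append(p)
                return
        raise RuntimeError("no reclaimable block")   # a real FTL would relocate valid pages

    def write(self, lba, data):
        if not 0 <= lba < LOGICAL_PAGES:
            raise IndexError(lba)
        if not self.free:
            self._garbage_collect()
        old = self.lba_map.get(lba)
        if old is not None:
            self.valid[old] = False   # the previous copy becomes stale; it is NOT erased
        page = self.free.popleft()
        self.pages[page] = data
        self.valid[page] = True
        self.lba_map[lba] = page

    def read(self, lba):
        page = self.lba_map.get(lba)
        return self.pages[page] if page is not None else None

    def host_view(self):
        return [self.read(lba) for lba in range(LOGICAL_PAGES)]

    def raw_dump(self):
        # What a chip-off reader sees: every physical page, mapped or not.
        return list(self.pages)

    def sanitize_block_erase(self):
        # What the drive's own SANITIZE / Secure Erase does: erase every block,
        # including stale and over-provisioned pages the host cannot address.
        for p in range(len(self.pages)):
            self.pages[p] = None
            self.valid[p] = False
        self.lba_map.clear()
        self.free = deque(range(len(self.pages)))


def host_overwrite_residue():
    """Fill the drive with sensitive data, let the host overwrite every LBA with
    zeros, and count physical pages that still hold the original bytes; then
    run the drive's own block erase and count again."""
    ssd = ToySSD()
    for lba in range(LOGICAL_PAGES):
        ssd.write(lba, SECRET)
    for lba in range(LOGICAL_PAGES):
        ssd.write(lba, ZERO)          # the "wipe" exactly as an overwrite tool performs it
    host_clean = all(b == ZERO for b in ssd.host_view())
    residue = sum(1 for p in ssd.raw_dump() if p == SECRET)
    ssd.sanitize_block_erase()
    after_sanitize = sum(1 for p in ssd.raw_dump() if p == SECRET)
    return host_clean, residue, after_sanitize


if __name__ == "__main__":
    clean, left, after = host_overwrite_residue()
    print(f"host reads all zeros: {clean}; secret pages still on flash: {left}; after sanitize: {after}")
```

The host sees twelve zero pages; the flash still holds four pages of the original data, in a block the controller had no reason to erase yet. The drive's own sanitize reaches them because it erases blocks, not addresses. A second host pass happens to clear this toy, which is exactly what cannot be relied on at real sizes: the host never learns when, or whether, a given physical page gets erased.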

WEEE Directive

The European Union's Waste Electrical and Electronic Equipment directive (2012/19/EU), which makes producers responsible for collecting, treating, and recycling electronics placed on the EU market and sets recycling targets.

Why it matters: Organizations that put electronics on the EU market — or operate facilities there — inherit WEEE obligations the way US firms deal with state e-waste laws; it is the EU counterpart to producer-responsibility recycling rules.

White-label ITAD

Partnership model where a provider (MSP, VAR) sells ITAD under its own brand while a certified operator performs the work.

Why it matters: How channel partners add a disposition line without building a facility. Go deeper →

Witnessed destruction

Destruction performed in the client's presence (on-site or via documented video), with certificates issued immediately.

Why it matters: An option for the most sensitive media, or when policy requires eyes-on verification.

CYBERCRUNCH · NAID AAA · R2v3 · RIOS · PA DEP

Question not answered? Term not defined?

Ask it directly — a specialist answers, not a chatbot. Good questions and missing terms both earn a permanent spot on this page.