01 / THE HONEST ANSWER
Legal, sometimes sensible, never just one job
Nothing stops an organization from remarketing its own retired fleet. The mistake is scoping it as a sales project. Done defensibly, DIY resale is three parallel jobs: sanitization — verified, per-device, to a standard; selling — listings, grading, shipping, returns, fees; and evidence — a per-serial record proving every device left clean and every device is accounted for. Most in-house programs staff the middle job and improvise the other two. The rest of this article is about what that improvisation costs, because the public record is unusually specific.
02 / JOB ONE
The data problem: the wipe you believe in
The uncomfortable research finding isn't that people skip wiping — it's that they wipe, believe it worked, and are wrong. In a 2019 study, Blancco and Ontrack bought 159 used drives on eBay across four countries: 42% still contained sensitive data and 15% held personally identifiable information — and every seller they dealt with stated they had properly sanitized the drives first. Quick formats and factory resets remove pointers, not data; SSDs add their own failure modes where ordinary overwrites don't reach all cells. The fix is not effort but verification: a NIST 800-88 purge with a verification step, logged per serial (the standard, explained). Every device that ships without that is a bet — and you're making the bet hundreds of times per refresh cycle.
03 / THE STAKES
What one missed drive costs
Price the downside against the resale upside. IBM's 2025 Cost of a Data Breach Report puts the average U.S. breach at $10.22 million — a record — against a global average of $4.44 million; disposal-and-resale incidents are a recurring species of exactly this. The canonical case is Morgan Stanley: decommissioned data-center equipment, handled through an inadequately vetted resale path, turned up on the secondary market with unencrypted client data still aboard. The running total across the OCC penalty, the SEC settlement, the class action, and state attorneys general passed $160 million — for equipment whose resale value was a rounding error against the fines (the full case files). The asymmetry is the entire lesson: resale revenue is bounded; breach liability is not.
04 / JOB THREE
The audit problem: prove it, per serial
Auditors, assessors, and incident responders all ask the same shape of question: what happened to this specific asset? A defensible answer is a reconciled trail — this serial, sanitized by this method on this date, verified, then sold to this channel — with the inventory math closing to zero unaccounted devices. That expectation isn't exotic: roughly 32 states have data-disposal statutes requiring reasonable destruction of personal information, the FTC's Disposal Rule covers consumer-report data, HIPAA treats disposal failures as a breach category, and frameworks from GLBA to CMMC expect disposition evidence. Professional programs answer with per-serial certificates and settlement reports; a DIY program has to build the equivalent or accept that, evidentially, it can't account for its own fleet. Missing drives discovered at reconciliation — the ones that never made it to the wipe bench — are how disposal breaches actually begin.
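The reconciliation described above, sketched as an added example (not code from this article or from any vendor program). The serials, log columns, channel names and the policy that only a verified purge counts are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample records: asset inventory, wipe-bench log, disposition log.
INVENTORY = ["SN1001", "SN1002", "SN1003", "SN1004", "SN1005"]
WIPE_LOG = """serial,method,wiped_on,verified
SN1001,purge,2025-03-01,yes
SN1002,purge,2025-03-01,no
SN1003,quick-format,2025-03-02,yes
SN1004,purge,2025-03-10,yes
"""
DISPOSITION_LOG = """serial,channel,left_on
SN1001,marketplace,2025-03-05
SN1002,marketplace,2025-03-05
SN1003,marketplace,2025-03-06
SN1004,recycler,2025-03-08
SN9999,marketplace,2025-03-06
"""
ACCEPTED_METHODS = {"purge"}  # assumption: policy accepts only a purge-level wipe

def _rows(text):
    # Index CSV rows by serial so each asset can be looked up directly.
    return {r["serial"]: r for r in csv.DictReader(io.StringIO(text))}

def reconcile(inventory, wipe_csv, disposition_csv):
    """Return {serial: finding} for every device whose trail does not close."""
    wipes, disp = _rows(wipe_csv), _rows(disposition_csv)
    findings = {}
    for sn in inventory:
        w, d = wipes.get(sn), disp.get(sn)
        if d is None:
            findings[sn] = "unaccounted: no disposition record"
        elif w is None:
            findings[sn] = "left custody without any sanitization record"
        elif w["method"] not in ACCEPTED_METHODS:
            findings[sn] = f"method '{w['method']}' is not an accepted sanitization"
        elif w["verified"] != "yes":
            findings[sn] = "sanitized but verification not recorded"
        elif date.fromisoformat(w["wiped_on"]) > date.fromisoformat(d["left_on"]):
            findings[sn] = "left custody before sanitization date"
    # Devices that left the building but never appeared in the asset register.
    for sn in sorted(disp.keys() - set(inventory)):
        findings[sn] = "disposed but not in asset inventory"
    return findings

if __name__ == "__main__":
    for serial, finding in sorted(reconcile(INVENTORY, WIPE_LOG, DISPOSITION_LOG).items()):
        print(serial, "->", finding)
```

An empty result is the "zero unaccounted devices" condition; any entry is a serial to chase before the next lot ships.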
05 / THE REMAINDER
What doesn't sell is what regulators see
Some of the fleet won't sell — too old, too damaged, wrong spec — and that remainder is regulated waste. 25 states plus D.C. regulate electronics disposal, many with outright landfill bans; enforcement belongs to state environmental agencies — in Pennsylvania, the Department of Environmental Protection — and business penalties in some states range from roughly $1,000 to $50,000 per violation, with federal hazardous-waste rules layering on top for certain components. An organization that can't document where its electronic waste went has a regulator-shaped problem entirely separate from its data problem, and it's the visible one: waste streams get traced back. The state-by-state terrain is mapped in the compliance patchwork article and the interactive map; a documented recycling path for the remainder — through a certified downstream — is the part of DIY resale nobody budgets for and everybody needs.
06 / THE MATH
The economics, without romance
Now the revenue side, honestly. Marketplace and payment fees take their cut; consumer buyers dispute grades and return units; enterprise gear sells slowly at retail; staff hours go to listing, packing, and shipping one device at a time; and resale value decays every month the project drags (what the equipment is worth, and why the number keeps moving). Where DIY genuinely nets out: small lots of consumer-grade, low-risk devices sold by someone who keeps the log. Where it doesn't: fleet scale, regulated data, mixed conditions — the exact profile of a corporate refresh. The professional alternative isn't paying someone to take your money; a revenue-share program returns the resale value with the sanitization, the certificates, the reconciliation, and the documented downstream attached (how those models price). You're not choosing between selling and not selling — you're choosing who carries the three jobs, and what evidence exists when someone asks.
07 / FAQ
DIY resale FAQ
Is it legal to sell our company's used laptops ourselves?
Generally yes — selling your own property is legal. What the law regulates is the data and the waste. Roughly 32 states have statutes requiring reasonable destruction of personal information before disposal, federal rules like the FTC's Disposal Rule and HIPAA's disposal expectations apply by data type, and 25 states plus D.C. regulate electronics disposal itself. Selling is legal; selling a device that still carries recoverable data, or dumping what doesn't sell, is where liability lives.
Does a factory reset make a laptop safe to sell?
Not reliably, and the research is blunt about it: in a 2019 Blancco/Ontrack study of 159 used drives bought on eBay, 42% still held sensitive data and 15% held personally identifiable information — and every single seller believed they had wiped properly. Quick formats and basic resets remove pointers, not data. Safe resale requires verified sanitization — a NIST 800-88 purge with a verification step — recorded per serial before the device leaves your control.
What records do we need if we sell equipment ourselves?
The same evidence a certified program produces: a per-serial trail showing each device was sanitized (method, date, verification) before sale, reconciled against your asset inventory so nothing is unaccounted for, plus documentation of where non-sellable material went. When an auditor or incident-response team asks about one specific serial two years later, “we sold a batch on eBay” is not an answer. If you can't produce the trail, you carry the exposure.
What happens to the equipment that doesn't sell?
That's the quiet second half of DIY resale: some fraction won't sell, and it becomes a disposal problem with rules attached. Twenty-five states plus D.C. regulate electronics disposal, many ban electronics from landfills outright, and enforcement sits with state environmental agencies — in Pennsylvania, the DEP. Business penalties in some states run from roughly a thousand to fifty thousand dollars per violation. A documented recycling path for the remainder isn't optional; it's the part regulators can actually see.