Katherine Vines Oct 20, 2021 12:55:57 PM 24 min read

Five Questions to Ask When Contracting an ITAD Company

What are you supposed to do with unused or aged IT Assets? This question will inevitably be asked when retired IT assets are replaced, a Data Center migration is underway, or as devices are circulated to new users within the company. While not always planned, ITAD solutions are necessary to every business in every industry. Do you know what to look for in an ITAD provider? We help you through this process with the following five questions that create an open and transparent dialogue between yourself and your potential ITAD provider. Knowing what to ask and why, is imperative to receiving optimal outcome with minimized risk. 

Question #1 - What ITAD Services Do We Need? 

Before you  start your search for an ITAD vendor, it is important to identify what outcomes you desire. These outcomes will determine the services you need. You might be thinking, “This is obvious. Of course, I know what services I need.” Yet, it goes a lot deeper than simply stating that you need ITAD for a data center or data destruction for corporate laptops. The scope of your project can change the estimated labor, completion time, and overall cost. Depending on the extent of the project, certain ITAD providers will be more equipped to handle the project. When meeting with ITAD companies, come with your:

  • Device Manifest
    • In a perfect world, one could call an ITAD company and receive a simple quote and then have the devices picked up later that day. Unfortunately, we live in a complicated world that has price influxes based on the project scope. Come prepared with a list of assets that need to be serviced and what the desired outcomes are. Do you want to reuse the device in field? Do you want to remarket the devices to regain value? Having this information ready will work in your favor when it comes to ITAD project quotes.
  • ITAD needs and wants
    • Identify what services or outcomes are required for you to feel comfortable signing a contract. If your company has a policy that devices must be sanitized onsite, make sure that the ITAD company offers onsite data destruction. Alternately, your ITAD wants not stuck in stone needs. This is where having a little wiggle room could lower overall costs.
  • Constraints
    • Share any limiting factors you have. These could be time – the project must be complete by January 1st, money – we have a hard budget of $50,000, timing – we only allow access to our building during non-work hours, corporate values – we only contract with companies that have published sustainability policies and guidelines, or government regulations – we must adhere to HIPAA standards for our data handling. 

Question #2 - What Methods of Data Destruction Are Available?  

Data destruction is more complex than simply deleting an account or removing applications. With unsecure or incomplete options, you run the risk of compromising private company and customer data. This leads to public distrust, years of legal battles, and massive fines. Choosing a method of data destruction that is secure and sustainable should be a top priority for an ITAD company. You should always be informed on the method of data destruction used on your devices. Some common methods are:  

  • NIST 800-88 R1 Certified software overwrite
    • The most sustainable method of data destruction uses certified software in accordance with NIST 800-88 R1to overwrite the stored data. With this method, the device can be remarketed and reused. This is the most environmentally sustainable option.
  • The Deguasse Method
    • As a secondary option, The Deguasse method uses magnetic force to rearrange the data such that the data is unreadable and the disk unusable. This method is less sustainable than using certified software to overwrite data, but still allows for limited reuse with refurbishment.
  •  Shred
    • The last option is to physically destroy the hard drive through sheer mechanical force. This is the least sustainable choice, but depending on the age, condition, relevancy, or company policy, may be the most viable option.  

Question #3 - How Are Devices Audited and Tracked?  

Throughout the IT asset disposition process, it is key to know the level of visibility you desire to feel confident of proper device handling. Data bearing devices require a higher level of visibility, as scheduling for decommission, accounting for, and sanitizing the devices is critical. With devices that don’t contain data, less stringent requirements may be appropriate. Auditing, the capture of individual serialized information should always be performed as a best practice, and you should be informed on where, when and how to access this information. Does the ITAD company have: 

  • An Online Portal
    • Will you have access to a self-service portal where you can monitor your devices as they progress through the ITAD process? 
  • Updated tracking methods 
    • How frequently does the company update tracking information? If you have high value devices, a once-a-week update likely won’t cut it. 
  • Certificates of Destruction 
    • Can the company produce certificates of destruction for each device, ensuring proper destruction of data occurred and was audited for completeness? 

Question #4 - What Certifications Are Maintained? 

ITAD is an industry that is self-regulated, meaning that any company can claim to perform ITAD and not need to jump through licensing hoops to practice. This makes it more difficult to weed through data destruction companies, hardware resell agencies, and decommissioning coordinators to find responsible ITAD providers. One way to do this is to look at the certifications maintained. Certifications matter in the ITAD community:  

  • NAID AAA Certification
    • NAID is an international trade association for organizations that provide data destruction services. AAA Certification demonstrates a firm’s commitment to best practices in the sanitization or physical destruction of electronic storage media. This is not to be confused with NAID Membership, which only requires an annual membership fee. To maintain AAA Certification, the provider must pass annual, unannounced audits conducted by independent Certified Protection Professionals® (CPP).
  • R2 Certification
    • The R2 certification, or Responsible Recycling, is a commitment to ensuring the safe disposal of electronic waste both in terms of recycling and reuse. This is a company level certification to ensure strategies are in place for reuse, materials recovery, and disposal. Not only are documented strategies required, but also aligned policies on managing used and end-of-life electronics equipment, components and materials.
  • ISO Certifications 
    • ISO 14001 is considered the international standard for environmental management systems (EMS) and specifies the requirements for the formulation and maintenance to control your environmental aspects, reduce impacts and ensure legal compliance. 
      • ISO 45001 standard for occupational health and safety (OH&S).  

Question #5 - What Reputation Does the ITAD Company Have?  

Wanting a reputable company should come as no surprise for anyone. It is hard to purchase anything now a days without seeing 5 stars on the box or plastered forefront on the company website. Do these hold any merit? While not ethical, lying about positive reviews still occurs. What can you look for to gauge reputation:  

  • Testimonials 
    • Are customers willing to use their company name to show support? What about high-level executives? This gives a review more stability than a nameless, 5-star review. 
  • Gartner Reviews 
    • Gartner is a 3rdparty website that spans across multiple industries and offers review pages for specific companies. Does the ITAD company have a Gartner review page? The reviews posted on Gartner are vetted and cannot be falsified easily.  
  • LinkedIn
    • LinkedIn is a great tool to see who is interacting with the prospective ITAD company. Which companies have employees that follow the LinkedIn page? Are they actively posting about projects underway, sharing collaterals, or responding to comments? 

While not all encompassing, these five questions are meant to guide you in the correct direction for ITAD services. Every company will eventually need ITAD services, but drilling down exactly what you need will be the first hurdle to jump over. Creating a list of assets, identifying your needs/wants, and what constraints you have will make it easier when you first reach out for services. Once you identify your needs and constraints, you can identify which method of data destruction best aligns with your desired environmental and security outcomes. Limiting your search to only companies with up to date certification and a positive public reputation is a last, but crucial step in the process. 

Want to learn more about what makes ITAD services ascend from average to excellent? Email Info@dmdsystems.com to talk to a DMD team member today!