Arc ITAD

Secure IT asset disposition, data destruction, and electronics recovery for businesses, schools, healthcare, and public sector organizations.

06/01/2026

A vendor's certifications page lists ISO 9001, ISO 14001, and ISO 45001, and most reviews check the box and move on. The badges are real and audited. They're also not about your data.

Those three certify how a facility is run: quality management, environmental management, and worker health and safety.

None of them describes how a drive is sanitized or how custody is documented after a device leaves your building.

That is a separate question with its own standards. NIST SP 800-88 covers sanitization and R2v3 covers the partners a device routes through after the facility.

When you evaluate a vendor on data handling, those are the standards to check.

05/28/2026

A leased fleet reaches end of term and goes back to the lessor.

The lease closes and the hardware comes off the books. At this point, the asset side of the transaction is settled.

The data side usually is not. A lessor's obligation is the return condition of the equipment, not the record of how the data on it was handled. Whatever sanitization happens after the return happens on their timeline, under their documentation.

Very little of it comes back to you in a form you can put in an audit file.

So the fleet is gone and the paper trail went with it. Months later a cyber-insurance renewal or an FTC Safeguards Rule review asks how a specific serial was sanitized, and the honest answer is that the organization handed that question to a third party and never got it back.

A defensible return keeps the data trail on your side of the line.

05/26/2026

Corporate hardware does not leave through one door.

Upgrades, leased returns, offboarding boxes, and the storage closet that nobody has opened in two years are all disposition events, whether or not they were treated as one.

Each is a device that held corporate data leaving the organization's control.

A real program treats them the same way: verified sanitization per device, a certificate tied to the serial, and a reconciliation file matching what left against what was processed.

05/20/2026

Verizon just released the 2026 Data Breach Investigations Report. Headline: 48 percent of breaches now involve a third party, up 60 percent year over year.

Most of that number is software supply chain risk. Some of it is physical. An ITAD vendor is a third party with access to the drives that came out of production hardware, and a drive that leaves the building without verified sanitization is the same data exposure as a drive still inside it.

Defensible disposition produces a sanitization certificate per device, a reconciliation file matching pickup to processing, and R2v3 downstream accountability for what happens after the device leaves the facility.

Third-party risk dashboards usually do not include disposition. The 48 percent does not care.

05/11/2026

Two healthcare IT vendors have signed identical BAAs. One wipes every drive to NIST SP 800-88 Purge with a per-device certificate, while the other runs a factory reset and ships the laptops to a recycler. Both have a signed BAA on file but only one has a defensible disposition.

A defensible disposition for PHI-bearing devices needs three things the BAA does not contain:
→ The sanitization standard the vendor follows
→ A per-device certificate that names the method and tool
→ A chain of custody from the facility to verified destruction

The BAA covers the responsibility and the closeout package covers the rest.

05/07/2026

A Chromebook closeout and an iPhone closeout do not produce the same sanitization certificate. The implementation is different.

Chromebook storage is eMMC. Sanitization runs through the device's verified factory reset, which performs a cryptographic erase while preserving the OS. The certificate names the device serial and the method.

iPhone and iPad storage is NAND with a hardware-backed Secure Enclave. The Purge method here is also cryptographic erase. The Secure Enclave destroys the media encryption key, and the data on the flash chip becomes ciphertext. The certificate names the IMEI or serial and the method.

Both paths meet NIST SP 800-88 Purge. They look different on paper because the work is different.

A closeout package that shows the same certificate for a laptop and a phone has not actually documented the work.

05/04/2026

Every arcITAD project ends with the same four-part closeout: reconciliation, sanitization certificates, disposition record, and financial closeout.

Clients and device types change from one project to the next. The deliverable structure does not.

The closeout package is what an auditor will read six months later, without our process notes and without our team on the phone. Everything they need should already be in the documents.

04/30/2026

30 to 40 percent of enterprise Windows 10 devices cannot upgrade to Windows 11 without hardware replacement. TPM 2.0, processor generation, and secure boot requirements drew a bright line.

For state and local government IT leads, this changes the shape of the conversation. Public sector procurement runs on a tighter clock than private sector, and audit bodies expect the disposition record to match the asset register.

What leaves with those devices on paper?

A certificate of sanitization per device. A disposition record that names where each asset went. A reconciliation file oversight bodies can read without annotation.

04/29/2026

A certificate of sanitization is the artifact a compliance team reads after a project closes. Eight fields make it defensible: device serial, manufacturer and model, media type, sanitization method, tool and version, standard cited, operator and timestamp, and verification hash.

If any one of these is missing, the certificate is just a template. If you are reviewing a vendor's sample, this is what to look for.
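One way to review a vendor's sample against the eight fields above, and to build the reconciliation of pickup against processing described in the earlier posts. This is an added example, not Arc ITAD's tooling or format; the field names, the `sample_cert` helper, and every sample record are constructed assumptions.

```python
# Added example. Field names and all sample records are constructed assumptions,
# not a vendor or standard format.
REQUIRED_FIELDS = (
    "device_serial", "manufacturer_model", "media_type", "sanitization_method",
    "tool_version", "standard_cited", "operator_timestamp", "verification_hash",
)

def missing_fields(cert):
    """Return the required fields that are absent or blank in one certificate."""
    return [f for f in REQUIRED_FIELDS if not str(cert.get(f) or "").strip()]

def reconcile(pickup_serials, certificates):
    """Match serials that left the building against complete certificates."""
    picked = {s.strip().upper() for s in pickup_serials}
    seen, duplicates, incomplete = set(), set(), {}
    for cert in certificates:
        serial = str(cert.get("device_serial") or "").strip().upper()
        gaps = missing_fields(cert)
        if gaps:
            incomplete[serial or "<no serial>"] = gaps
        if serial in seen:
            duplicates.add(serial)
        if serial:
            seen.add(serial)
    complete = seen - set(incomplete)
    return {
        "uncertified": sorted(picked - complete),  # left, but no complete certificate
        "unexpected": sorted(seen - picked),       # certified, never on the manifest
        "incomplete": incomplete,                  # serial -> missing fields
        "duplicates": sorted(duplicates),          # same serial certified twice
    }

def sample_cert(serial, **overrides):
    """Build a constructed certificate record with all eight fields filled."""
    cert = {
        "device_serial": serial, "manufacturer_model": "ExampleCo Model X",
        "media_type": "eMMC", "sanitization_method": "cryptographic erase",
        "tool_version": "example-tool 1.0", "standard_cited": "NIST SP 800-88 Purge",
        "operator_timestamp": "operator-01 2026-01-01T00:00:00Z",
        "verification_hash": "constructed-placeholder-hash",
    }
    cert.update(overrides)
    return cert

PICKUP = ["SN-1001", "SN-1002", "SN-1003"]  # constructed pickup manifest
CERTS = [sample_cert("SN-1001"), sample_cert("sn-1002", tool_version=""),
         sample_cert("SN-9999")]

if __name__ == "__main__":
    for key, value in reconcile(PICKUP, CERTS).items():
        print(key, value)
```

A serial with an incomplete certificate is reported as uncertified as well as incomplete, so a template with a blank field never counts as coverage for a device that left the building.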

Address

Warminster, PA
18974
