Why disposal shows up in safeguards conversations
Retired laptops, desktops, servers, and drives can contain customer information. The Safeguards Rule pushes organizations to manage that risk deliberately—especially when devices leave the building for transport, processing, resale, or recycling.
In practice, the highest-risk points are unmanaged storage closets, ad hoc drop-offs, and vendor relationships without clear expectations or paperwork.
Service provider oversight (the part that gets audited)
If a third party touches devices that could contain sensitive data, the relationship should be treated like a service provider relationship—not like a scrap pickup. That means:
- Clear expectations for sanitization outcomes (wiping vs. destruction, verification, exceptions).
- Chain-of-custody and handoff controls (who had access and when).
- Documentation you can file and retrieve later.
The custody layer is explained in “chain of custody importance.”
Sanitization language: NIST SP 800-88
Many programs use NIST SP 800-88 as the sanitization vocabulary. It gives teams a way to say “this device was cleared/purged/destroyed” in a consistent, outcome-oriented way.
Factory reset isn’t a controls program
Factory reset is a user-facing feature. It is not, by itself, a reliable information security control—especially when you cannot verify the outcome or reconcile it to an asset record. If leadership asks “how do you know?” a factory reset story usually falls apart quickly.
Read “why factory reset is insufficient” for the practical reasons.
Related service pages
If you’re implementing a disposal program, start with the services overview and the operational detail on hard drive destruction & wiping.