509.586.6090
Request a Free Quote

LOGIN

What Happens to Your Data After You Throw Away a Computer? 

Download our PDF Whitepaper: “What Happens to Your Data After You Throw Away a Computer?”

Throwing away a computer, cellphone, or other media device isn’t the true end of its lifespan. When a device leaves your possession, your data often follows. Data can be easily recovered if proper disposal techniques are not utilized. Unfortunately, most individuals and businesses assume that deleting files, reformatting, and even recycling means their previously held data is safe; that’s not true. The reality is that data persists unless properly destroyed.  

In this paper, we are going to share with you the journey of a discarded computer, why “deleting” files doesn’t delete data, real case studies of data that were recovered after it was supposedly deleted, hidden data storage areas that often go unnoticed, and the proper way to dispose of a media device when you are done with it.  

This data risk is one that many individuals and organizations don’t even realize that they have, leaving them vulnerable to countless threats. To get started, let’s discover what actually happens to your data once a device leaves your control.  

The Journey of a Discarded Computer 

When a computer leaves an individual or organization, most assume its lifecycle ends there, along with all that data stored on it. In reality, disposal is not an endpoint but the beginning of a new journey. Understanding where devices go and what happens to them after they leave your control is critical to understanding the true risk of improper data destruction. 

Common Device Disposal Paths 

Individuals and organizations dispose of media devices through a variety of methods. Here are a few common options: 

  • E-waste recyclers, which collect and process devices for material recovery. 
  • IT asset disposition vendors, who specialize in refurbishing, reselling, or recycling IT equipment. 
  • Donation programs, where devices are given to nonprofits, schools, or community organizations. 
  • Employee resale or internal reuse, allowing staff to purchase or repurpose old equipment. 
  • Direct resale, including secondary markets such as eBay or other online platforms. 

While each of these paths seems like a viable option, all of them can lead to data security risk unless the data is properly destroyed beforehand. 

The Next Stage of the Journey  

When a device enters the secondary market, several actions can occur.  

First, the device may be dismantled for parts. For example, memory, processors, and hard drives are separated and resold as individual components; they are often used to repair similar devices.  

Second, they may be refurbished. This is where the device is cleaned, repaired, and resold to new users. This could be locally or internationally.  

Throughout either of these processes, there is a high likelihood that the hard drive devices remain intact, meaning no one verifies whether the data has been securely erased or destroyed. In many cases, the device may change hands multiple times, increasing the likelihood that sensitive information is eventually accessed. 

Overall, this means that neither individuals nor organizations can prove that the data was properly handled, or even destroyed at all, leaving them vulnerable to legal and compliance issues, which we will cover later in this paper.  

Why “Deleting Files” Doesn’t Actually Delete Data 

One of the most common misconceptions about data protection is that deleting files permanently erases the information. When you “delete” a file from a media device, it actually only removes the path your operating system uses to retrieve the file.  

You can think of it like a bridge over a river. On one side of the river is the data, and at the other side is you. When you “delete” the file, you aren’t deleting the data; you’re breaking the bridge, making your path to the data harder but not impossible. For example, someone with technical expertise could “swim” to the other side and retrieve the data. Alternatively, there is readily available software that could “repair the bridge” and make that path accessible once again.  

At the end of the day, deleting files doesn’t get rid of them; it just makes them harder to access. Unfortunately, bad actors are well-versed in this aspect of data retrieval and can make quick work of compromising data you thought had been removed.  

Real Examples of Data Found on Used Computers 

These theories aren’t just hypotheticals meant to scare you into proper action. There is real-world evidence that shows how your personal data can easily leak into the world. Let’s look at two studies: 

Case Study: i-SIGMA 

International Secure Information Governance & Management Association® (i-SIGMA), the industry trade association for secure data destruction and records & information management service providers, provided a press release in 2017 discussing the results of a large study performed by The National Association for Information Destruction® (NAID®)​ (Martínez, 2017)​. This study investigated the presence of personally identifiable information (PII) on electronic devices sold on the second-hand market, the largest study performed by 2017.  

The study extracted this information not through sophisticated training or advanced technology, but through readily available downloadable software. Technicians utilized only basic measures, ones that an average individual could employ. The results of this study demonstrated that 40% of devices resold through publicly available resale channels contained PII. It is not a jump to conclude that had they employed advanced forensics, this number could have been substantially higher.  

Of the PII recovered, it included credit card information, contact information, usernames and passwords, company and personal data, and tax details.  

Overall, this study concluded that a large amount of PII is making its way into the hands of others, often due to individuals who “feel like they can do it themselves” or to service providers who use improper sanitization techniques.  

Case Study: Blancco Technology Group 

Blancco Technology Group, a software-based data sanitization company, released a 2019 report investigating residual data left on used storage drives​ (Blancco, 2019)​. While similar to the i-SIGMA study, this study focused solely on devices purchased on eBay. Conducted with their partner, Ontrack, the study analyzed 159 drives purchased in the U.S. and three European countries.  

From their investigation, they discovered that 42% of devices still contained sensitive data, including 15% that contained PII. Some of this PII included scanned images of family passports, internal office email from a major company, shipping details from a cargo business, student information and photos from schools, and further sensitive and possibly compromising information.  

The worst part? Each seller of these devices claimed that proper data sanitization procedures had been followed and that no data would remain. Obviously, that was not the case: either due to intentional negligence or ignorance of proper procedures.  

Case Study Conclusion 

What we can derive from these case studies is simple: real-world personal information is not being properly disposed of and is making its way into the world. If professionals can recover data intentionally, bad actors can recover it opportunistically. This puts individuals, small businesses, and large enterprises at significant risk. Essentially, every improperly disposed device is a potential data breach waiting to happen. 

Hidden Hard Drives Businesses Forget About 

The i-SIGMA press release put it perfectly, stating, “The current state of electronic storage has made it possible for nearly every adult to carry a form of data storage device.” This is now even more true than it was in 2017. Most individuals over the age of 12 years old ​(Digitale, 2022)​ have a phone in their pocket. From there, the list expands quickly: tablets, computers, external drives, and countless other devices that store or process sensitive information every day. 

For businesses, this proliferation of devices creates a hidden risk: data is no longer confined to obvious systems like desktops or servers. Instead, it exists across a wide range of equipment, much of which is often overlooked during disposal or replacement. Without a clear inventory and destruction strategy, sensitive data can remain embedded in devices long after they leave an organization’s control. 

Commonly Overlooked Devices 

  • Copiers and multifunction printers 
  • Servers 
  • External hard drives 
  • Point-of-Sale (POS) systems 
  • USB drives 
  • Network-attached storage (NAS) 
  • Backup systems 
  • Laptops and desktops 
  • Employee-issued mobile devices 

Shadow Data Risk 

One of the most overlooked threats in data security is not the data you actively manage; it’s the data you’ve lost track of. Often referred to as “shadow data,” this risk exists outside formal IT systems and security protocols, making it particularly difficult to monitor, control, or secure. 

For example, not all devices that store data are managed by IT departments. In many companies, equipment is purchased, used, and retired at the department level without ever being formally tracked. 

One of the most common problems we see is with copiers. Copiers can hold a wide array of information, from scanned documents to print jobs to email attachments. Essentially, anything sent to the copier for scanning or printing, including its sender origin, is stored.  

What makes it so problematic is that copiers are often rented equipment. They are returned at the end of the lease, often without data removal. Unless the equipment leasing company includes data removal as part of their return policy, that information could be easily accessible to the next person who rents the equipment.  

Other problematic devices include department-issued laptops, external hard drives, and employee-issued mobile devices. These devices are often left to departmental management rather than company-wide IT protections, leading to inadequate disposal procedures.  

Lastly, there is the ever-present issue of forgotten storage locations. File rooms, storage closets, off-site storage units, and even employee homes can contain outdated, legacy, or backup media that still contain sensitive information. They are placed there by someone with the intention to “get back to it later,” only to be forgotten about for who knows how long. Without a comprehensive approach to tracking, managing, and securely destroying all data-bearing devices, organizations leave themselves vulnerable to breaches originating from the least expected places. 

Legal and Compliance Risks with Data Protection Failure 

What happens when data destruction is overlooked, and PII is exposed to bad actors?  

In the case of individuals, it can range from the inconvenience of a compromised credit card to the far more serious and long-lasting effects of identity theft. Stolen information can be used to open fraudulent accounts, file false tax returns, or gain unauthorized access to financial systems. Unfortunately, the victim will usually not realize their position until significant damage has already been done. 

For businesses, the stakes are even higher. It is important to remember that organizations are legally responsible for protecting any data that they collect, store, and process, even when the transaction is complete. Even if the organization retires, recycles, or sells a media device, if sensitive information is later recovered from a discarded device, the originating organization may still be held accountable for failing to properly secure and destroy that data. Therefore, when sensitive data is improperly handled, the consequences are immense.  

That is why regulatory frameworks are in place. For example, an organization may be under the jurisdiction of one or more of the following regulatory bodies.  

  • HIPAA (Health Insurance Portability and Accountability Act) – Protects patients’ medical records  
  • FACTA (Fair and Accurate Credit Transactions Act) – Requires businesses to securely dispose of consumer information  
  • GLBA (Gramm-Leach-Bliley Act) – Mandates financial institutions to protect customer data 

To put it simply, each of these regulatory bodies has specific rules on how to secure sensitive information, on proper disposal practices, and on protection against unauthorized use. Should there be a data breach, the organization at fault may face regulatory fines and lawsuits. This, in turn, can lead to a spiraling downfall of an organization. The fallout can often include: 

  • Financial Loss related to incident response, forensic investigations, legal defense, customer notification, credit monitoring services, and system remediation. 
  • Operational Disruption to manage investigations and implement corrective actions. 
  • Brand Damage due to loss of trust from stakeholders, partners, and customers. 
  • Reputational Harm due to reduced customer confidence, increased scrutiny from regulators, and challenges in acquiring new clients or partnerships. 

Overall, the impact of improper data disposal is not limited to just a single ramification. Often, it comes with a ripple effect of damage that will continue to affect every facet of the business for years to come.  

The Only Reliable Solution: Physical Destruction 

To prevent all of this from happening, there is only one reliable solution: physically destroying the device. There are currently two available options for physical destruction: degaussing and industrial shredding, both of which come with a Certificate of Destruction.  

What is Degaussing? 

Degaussing is the process of demagnetizing a storage device to erase the data stored on it permanently ​(Rivera, 2025)​. With magnetic media, information is stored using magnetic particles on the surface of the media. You can think about it like bubbles sitting on top of water. Those bubbles are organized in a very specific fashion.  

A degausser is a powerful machine that uses a magnetic field to scramble those magnetic particles, like popping the bubbles. This, in turn, renders the data stored on them inaccessible or unreadable. It is the only true way to “erase” data without destroying the machine.  

At CI Information Management, we use the Model EMP1000-HS degausser. Approved by the NSA, this model includes built-in verification, enabling technicians to confirm that each degaussing session was successful.  

However, it is important to note that degaussing is only available for magnetic media. It won’t work on solid state drives, optical media, USB flash drives, SD cards, and some cell phones or tablets. If your organization uses these media types, the alternative is industrial shredding.  

What is Industrial Shredding? 

Industrial shredding is the gold standard for data protection across all regulatory bodies, as it ensures the complete and irreversible destruction of any data.  

The process works by placing the media device into an industrial shredding machine. This machine uses high-torque, rotating blades to physically crush, tear, and grind the device into tiny pieces. The pieces are impossible to put back together or reuse. Most commonly, those shredded materials are sent to a trusted recycling partner, where the parts are separated and melted down for reuse.  

Unlike degaussing, which has limitations on the types of devices it can be used on, you can shred any media device at any time. This includes, but is not limited to: 

  • Hard disk drives (HDDs) 
  • Solid-state drives (SSDs) 
  • Backup tapes 
  • USB drives and flash media 
  • External hard drives 
  • Laptops and desktop computers 
  • CDs, DVDs, and optical media 

Due to the wide variety of media shredding options, industrial shredding is the most commonly used form of data destruction, especially in highly regulated industries such as healthcare, finance, legal, government, education, and businesses that handle sensitive data. 

What is a Certificate of Destruction? 

As mentioned above, you can receive a Certificate of Destruction with degaussing or industrial shredding services when you work with a reputable company. A Certificate of Destruction is a formal document provided to you by a professional shredding company to serve as proof that your paper documents, hard drives, and other media have been properly shredded in compliance with state and federal privacy laws.​ (Do I Really Need a Certificate of Destruction for Shredding?, 2023)​ 

The Certificate of Destruction contains critical information, including account details, order number, service type, service date, equipment used, and authorized signatures.  

Why does this matter? If an organization stores sensitive PII, it must maintain a chain-of-custody tracking process for the information, from its initial collection through its destruction at the end of its required retention period.  A Certificate of Destruction is proof that meets this obligation and demonstrates compliance with the requirements. Essentially, if anything goes wrong, this is proof that a business did everything in its power to protect sensitive data to the full extent required by law.  

Control Your Data—Even After It Leaves Your Hands 

Whether you are an individual, a small business, or a major enterprise, data protection is never something to cut corners on. The risk of data exposure and its consequences are simply too great. That is why investing in quality partnerships with trusted data destruction companies is a must.  

When you work with CI Information Management, you are partnering with a NAID AAA Certified organization, the highest industry standard for secure data destruction. Our secure media destruction process includes trained, background-checked employees, strict chain-of-custody controls, bonded and insured operations, documented destruction procedures, and a Certificate of Destruction for every service. 

Secure data destruction is more than a service; it’s a strategy. It requires organizations to take a proactive approach to managing the full lifecycle of their data, from creation to final disposal. This means identifying where sensitive information lives, understanding retention requirements, and ensuring that when the time comes, destruction is handled with the same level of care as storage and use. 

Unfortunately, businesses often invest heavily in cybersecurity systems to protect active data, but overlook what happens when devices are retired or replaced. In reality, the end-of-life stage is one of the most vulnerable points in the data lifecycle. Without proper destruction, even outdated or unused equipment can become a source of exposure. 

With over 20 years of experience, CI Information Management has built a reputation as a leading provider of secure information destruction in Central Washington and Northeastern Oregon. By choosing a certified, experienced provider like CI Information Management, you eliminate uncertainty. You gain confidence that your data is not just deleted or discarded but permanently destroyed, in full compliance with regulatory standards. 

Whether you are looking to perform regular services or a massive company-wide purge, we at CI Information Management can make the entire project seamless. To get started, complete our Request a Quote form. We will get back to you shortly with any follow-up questions, answers to your questions, and to schedule a time to proceed with your service.  

Search
Categories
Contact

Related Posts