Organizations are more confident than ever in their end-of-life data security practices. But according to the newly released 2026 State of Data Sanitization Report from Blancco, that confidence may not match reality.
The report surveyed more than 1,400 IT, compliance, and sustainability leaders across regulated industries worldwide and uncovered a trend we see firsthand at SEAM every day: organizations are increasingly anxious about data security at end-of-life, yet many still rely on inconsistent or outdated sanitization practices. That disconnect is creating unnecessary risk, higher costs, and avoidable destruction of valuable hardware.
As the only certified ITAD provider in the Dakotas, working with highly regulated organizations across healthcare, finance, government, manufacturing, and critical infrastructure, several findings stood out to our team.
Confidence Is High. So Are Data Leaks.
One of the most surprising findings in the report is that 94% of organizations said they were moderately to extremely confident their devices were fully sanitized before disposal.
At the same time:
- 38% reported experiencing a data leak in the last 12 months
- 32% of those leaks were tied to redeployed devices retaining sensitive data
- Additional incidents were linked to lost and stolen devices during the decommissioning process
That gap matters.
In regulated industries, retired equipment is often treated as an afterthought compared to active cybersecurity defenses. But decommissioned devices still contain sensitive information, and weak processes at end-of-life can quietly undermine otherwise mature security programs.
We continue to see organizations assume that formatting a drive, deleting files, or physically removing equipment from service automatically means data is gone. It does not.
The report specifically highlights that reformatting remains common even though data can often still be recovered with widely available forensic tools.
Legacy Practices Are Still Everywhere
One of the more important takeaways for regulated organizations is how fragmented sanitization standards still are. The report found organizations continue to rely heavily on older frameworks and destruction-first approaches, even as newer standards emerge.
That includes continued reliance on older overwrite methodologies, outdated references like DoD multi-pass wiping, and inconsistent software tools that may not verify successful erasure.
Meanwhile, newer guidance such as NIST SP 800-88 Rev. 2 and IEEE 2883-2022 are beginning to reshape what defensible sanitization looks like in modern environments. This is especially important as storage technologies evolve. SSDs, encrypted devices, virtualized infrastructure, cloud-connected assets, and AI-driven data growth all change how organizations need to think about sanitization and verification.
At SEAM, we have been encouraging customers to move away from outdated “check-the-box” assumptions around data destruction and toward documented, standards-aligned lifecycle management practices that emphasize:
- Verified sanitization
- Chain of custody
- Auditability
- Downstream accountability
- Final disposition transparency
The AI Boom Is Quietly Increasing Risk
Another trend worth watching closely is the connection between AI adoption and device destruction. According to the report, 90% of respondents deployed AI tools in 2025 and 99% of those organizations destroyed at least some drives or devices as a result.
Why? Because AI is rapidly increasing the amount of data organizations generate, the sensitivity of stored data, and the anxiety around potential exposure.
At the same time, hardware costs are rising, especially for storage and memory infrastructure. Organizations are now caught between protecting increasingly sensitive data, controlling infrastructure costs, and meeting sustainability goals.
That pressure often leads to premature destruction of still-functional equipment.
Destruction Is Not Always the Safest or Smartest Option
One of the strongest themes throughout the report is that “destroy everything” is often driven more by uncertainty than actual necessity.
The study found many organizations physically destroy devices long before the end of their usable lifecycle:
- Mobile devices at roughly 2 years and 4 months
- Laptops around 3 years
- Data center assets around 3.5 years
In many cases, those assets are still fully functional.
Physical destruction absolutely has a place in certain environments and for certain media types. But destruction alone does not automatically eliminate risk if organizations lack proper chain of custody, verified downstream handling, or visibility into final destruction processes.
This is where certified ITAD programs become increasingly important. For regulated organizations, the goal should not simply be “destroy devices.” The goal should be defensible, auditable risk reduction across the full lifecycle of the asset.
Sustainability Goals Are Colliding with Security Anxiety
The report also highlights an issue many organizations are struggling with internally: sustainability goals are increasingly conflicting with perceived security requirements.
Most organizations want to reuse or redeploy equipment when possible. But many do not fully trust their sanitization processes enough to safely do so. That lack of confidence has real consequences including unnecessary hardware destruction, increased replacement costs,
growing e-waste volumes, and lost recovery value.
The ability to securely sanitize, verify, document, and responsibly redeploy assets is becoming both a cybersecurity issue and a business operations issue. For organizations pursuing ESG initiatives, sustainability reporting, or circular economy goals, this will likely become a larger discussion over the next several years.
What Organizations Should Be Evaluating Right Now
For IT, compliance, and security leaders, this report reinforces several questions worth asking internally:
- Are sanitization practices standardized across the organization?
- Are older destruction assumptions still driving policy?
- Is there documented verification of sanitization outcomes?
- Are chain-of-custody controls consistent across all locations and vendors?
- Are retired devices being stored before sanitization?
- Does your organization understand the difference between formatting, overwriting, sanitization, and final destruction?
- Is your ITAD partner aligned with current standards and independently certified?
In highly regulated industries, those questions are no longer operational details. They are part of enterprise risk management.
At SEAM, we continue helping organizations across the Dakotas navigate these evolving expectations through certified IT asset disposition, secure data destruction, lifecycle management, and documented downstream accountability.
As this report makes clear, confidence alone is no longer enough. Verified process matters.
Clint Parsons is the Director of Strategy and Information at SEAM, specializing in building partnerships with businesses of all sizes. He ensures clients effectively navigate secure data destruction, responsible recycling, and maximize the resale value of their IT equipment while staying compliant with evolving regulations.