Why Remote Wipes Are Not Enough: Lessons from the USAID Device Disposal Failure

May 5, 2025

By Clint Parsons, Director of Strategic Partnerships at SEAM

When thousands of U.S. Agency for International Development (USAID) employees were abruptly dismissed earlier this year, many were left holding onto government-issued laptops, phones, tablets—and even diplomatic passports and ID cards. Instead of collecting the equipment, the agency announced plans to “remotely wipe” the devices and mark them as disposed.

While that might seem like a simple solution, it has created a number of serious data security, environmental, and compliance risks that are now drawing criticism from across the data management and IT asset disposition (ITAD) industry.

This situation provides an important case study for any organization that handles sensitive data and retires IT equipment—whether federal agency or private business.

Why Remote Wiping Alone Is Not Enough

Remote wiping is often used as an emergency measure, such as when a device is stolen or misplaced. It can help reduce the risk of data exposure. But it is not—and never has been—a complete strategy for data destruction or regulatory compliance.

Some key limitations of remote wiping:

  • It requires connectivity. If a device is offline, disconnected, or tampered with, the wipe command won’t execute.
  • It provides no verification. There’s no way to physically confirm that the data has been erased.
  • It allows time for data removal. Employees notified in advance of remote wipes can copy data or remove credentials before the process starts.
  • It offers no chain of custody. Once the device leaves organizational control, there’s no audit trail.

In the USAID case, experts have pointed out that former employees retained access to work accounts and networks, compounding the risk that data could be stolen, leaked, or used to misrepresent the agency.

Chain of Custody: The Core Principle of Secure ITAD

Whether for a federal agency, financial institution, healthcare provider, or school district, the foundation of secure IT asset disposition is chain of custody—knowing where every device is at all times, who has access to it, and what has been done to the data it contains.

Without chain of custody:

  • There’s no way to track or recover devices.
  • There’s no documentation for compliance purposes.
  • Devices (and data) can be lost, sold, or stolen without detection.

In the USAID case, returned devices were reportedly handled without clear documentation, and some were seen discarded in bins without records. Many overseas devices are still unaccounted for.

Why This Matters Beyond Federal Agencies

It’s easy to see this as a government-specific failure. But these same risks apply to any organization that uses and retires IT equipment.

For example:

  • Banks and credit unions must follow strict data disposal rules for customer financial records.
  • Healthcare providers must comply with HIPAA requirements for data destruction.
  • Educational institutions must protect student data under FERPA and state privacy laws.
  • Businesses of all kinds are subject to data breach notification laws that can carry significant costs.

What USAID is experiencing—a breakdown of oversight, accountability, and secure asset handling—can happen anywhere if processes aren’t followed.

Key Takeaways for Organizations Managing IT Assets

  1. Remote wiping is a backup tool, not a disposal strategy.
  2. Physical control of devices is essential. Devices should be collected, tracked, and handled according to documented policies.
  3. Data destruction must be verifiable. Whether through certified wiping or physical destruction, there must be records proving that data was securely removed.
  4. Chain of custody should never be compromised. Every device should be accounted for from the moment it leaves service until final disposition.
  5. Offboarding processes should be clearly managed. Staff changes, equipment returns, and data destruction must be coordinated—not left to individual employees.

The challenges USAID is facing highlight the importance of physical control, chain of custody, and verified data destruction in any organization’s IT asset disposition process. Whether in the public or private sector, overlooking these fundamentals can lead to serious security vulnerabilities, regulatory violations, and operational risks.

For organizations in South Dakota and North Dakota, understanding and following best practices for IT asset disposition is essential. SEAM provides guidance and certified data destruction services to support secure, compliant asset management throughout the region.

Clint Parsons is the Director of Strategic Partnerships at SEAM, specializing in building partnerships with businesses of all sizes. He ensures clients effectively navigate secure data destruction, responsible recycling, and maximize the resale value of their IT equipment while staying compliant with evolving regulations. 

SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.

Schedule a pickup or contact us for more information.

© 2025 SEAM. All Rights Reserved | Privacy Policy | Quality PolicyEOHS PolicyData Security Policy