$100 million. That's about what Morgan Stanley paid for trusting the wrong partner with their old servers.
In October 2020, Morgan Stanley agreed to pay a $60 million civil fine to resolve U.S. Office of the Comptroller of the Currency accusations concerning the incidents, including that its information security practices were unsafe or unsound. Then, in 2022, the SEC fined Morgan Stanley $35 million after discovering their decommissioned servers, complete with unencrypted data from 15 million customers, ended up for sale on internet auction sites. The financial giant had hired a moving company with no electronics handling experience to decommission their data centers. That company then hired another unqualified subcontractor, who sold the equipment to a third party. The servers, still containing wealth management client data, eventually appeared online with Morgan Stanley's data intact.
For now, you can breathe a sigh of relief that it wasn't your company. But what about those old laptops in your storage closet? The servers scheduled for decommissioning next quarter? The returned devices piling up in your warehouse? How do you know they won't become your $35 million headline?
YOUR DATA. YOUR BRAND. YOUR BOTTOM LINE.
The chain of mishandling in the Morgan Stanley case is just one example of the risks businesses face in managing their IT assets. It's not limited to financial services, and the stakes go far beyond regulatory fines. Every mishandled device puts real people at risk, including your customers, clients, employees, partners, and anyone else whose data is in your possession, not to mention proprietary information that could torpedo your entire business.
You're responsible for decommissioning your pharma company's lab computers, and your CISO expects bulletproof data security. How do you know those research formulas and clinical trial data won't surface on an auction site next year?
You're tasked with finding the most cost-effective disposal solution for your hospital's old servers. Your CFO wants the lowest bid. How do you know patient records won't end up exposed online?
You're reviewing disposal contracts for your law firm's retired hardware. The managing partner wants to cut costs. How do you know the $10,000 you saved won't become a $10 million breach when client files are compromised?
You're implementing your company's green initiatives for electronics disposal. The board wants impressive sustainability metrics. How do you know your "zero landfill" vendor isn't just shipping problems overseas with your asset tags attached?
You're signing off on your company's ITAD contract renewal, and your CEO expects both cost savings and risk mitigation. How do you know your vendor isn't subcontracting to the lowest bidder to pad their bottom line?
No matter your role or industry, having answers to these questions is critical. When it comes to electronics disposal, what you don't know absolutely can hurt you.
Let's examine three key areas where working with an R2 Certified facility makes all the difference: data security, brand protection, and balancing value recovery with risk management.
HOW DO YOU KNOW YOUR DATA IS TRULY SECURE?
Every electronics recycler can hand you a certificate of data destruction. It's a piece of paper that says your data is gone. But how do you know what happened between pickup and that certificate? And more importantly, are they choosing the right method for your equipment?
For starters, the gap between paperwork and practice can be enormous. Your ITAD partner might have the best intentions, but without verified processes and accountability, intentions don't protect data. Are they using software that creates an auditable trail? Are their data sanitization methods verified against industry standards? Is every device accounted for with serial-number-level tracking?
This is where R2 Certification makes the difference. R2 Certified facilities certified to Appendix B for data security don't just promise data protection, they prove it. They use NIST-compliant sanitization methods, maintain detailed logs, implement quality control checks, and undergo regular audits to verify that their processes work. It's the difference between "trust us" and "here's exactly how we protect you."
One thing that really sets R2 apart is that the framework prioritizes reuse over recycling whenever possible. Through verified data sanitization processes, R2 Certified facilities (with Appendix B) can securely wipe devices and return them to productive use rather than destroying perfectly functional equipment. This means you get data security AND value recovery, protecting your information while extending the life of electronics that still have years of service left in them.
HOW DO YOU KNOW YOUR BRAND WON'T BE TOMORROW'S HEADLINE?
Imagine opening your news feed to see your company's asset tags clearly visible on electronics in an overseas landfill. Or receiving a call from regulators about your equipment illegally exported to a country with strict e-waste import bans. These aren't hypotheticals—they're real scenarios that damage brands and trigger investigations.
The challenge is that once your electronics leave your facility, they might pass through multiple handlers before reaching their final destination. Each handoff is a risk point. Each downstream vendor is a potential liability.
R2 Certification addresses this through rigorous chain-of-custody requirements. R2 Certified facilities must qualify, audit, and regularly verify their downstream vendors. They track materials through the entire processing chain. They maintain records that prove proper handling. When you work with an R2 Certified facility, you're not just trusting one company—you're leveraging an entire vetted network committed to responsible practices.
And these transparent layers of risk reduction don't just protect against negative headlines, they create opportunities for positive stories as well. In fact, SERI is working directly with all R2 Certified facilities to develop impact reporting that shows exactly how retired electronics are creating value while minimizing waste and other negative impacts in a responsible way.
HOW DO YOU KNOW YOU'RE MAXIMIZING VALUE WHILE MINIMIZING RISK?
Let's talk about a costly misconception: that the cheapest disposal option saves you money. That "free" pickup service? They're making money somewhere, and it might be at your expense—through cherry-picking valuable items, cutting corners on data security, or selling your equipment to the highest bidder without regard for your reputation.
Smart electronics disposition balances value recovery with risk mitigation. Many devices have significant reuse value if properly processed. Even end-of-life equipment contains valuable materials that can be recovered. But maximizing this value requires expertise, proper facilities, and established remarketing channels.
R2's reuse hierarchy prioritizes extending whole device lifecycles whenever possible, then reusing any components, and finally recovering materials responsibly when reuse isn't viable. R2 Certified facilities have demonstrated they have the processes, expertise, and downstream relationships to maximize legitimate value recovery while maintaining security and compliance throughout.
THE POWER OF INDEPENDENT VERIFICATION
Everyone says they follow best practices. Everyone claims they comply with regulations. But how do you know?
Let's be clear: no certification creates an impenetrable shield against bad actors. Individual people can still make poor choices, and no system is perfectly airtight. The real value comes when a rigorous standard is paired with robust, ongoing certification. Together, they create multiple layers of accountability that give you confidence in outcomes.
This is what sets R2 apart. More than just a standard, it includes an independent Certification program and a comprehensive assurance program with:
- Independent third-party audits that verify facilities actually do what they claim
- Unannounced spot inspections that catch problems between scheduled audits
- Witness inspections where SERI assessors evaluate both the facility and their auditors
- Continuous review of audit packages to ensure consistent, high-quality assessments
When you choose an R2 Certified partner, you're not just trusting their word. You're leveraging a multi-layered system designed to give you confidence that promises match practices.
MOVING FORWARD
Your electronics disposal partner should give you confidence, not questions. Start by asking your current processor:
- Can you provide serial-number-level tracking for wiped data-bearing devices?
- How do you verify your downstream vendors' practices?
- What happens during an unannounced inspection at your facility?
- What quality control checks are in place for data sanitization?
- How do you balance value recovery with security requirements?
They should be able to show you their Data Sanitization Plan, their Focus Materials Management Plan and their Process for tracking materials through to final disposition.
If the answers are vague, it's time to find a partner who can provide real assurance.
The R2 Directory helps you find certified facilities that have proven they meet rigorous standards for data security, environmental protection, and responsible recycling. These facilities don't just talk about best practices—they demonstrate them through independent verification.
Because when it comes to protecting your data, your brand, and your bottom line, "trust us" isn't enough.
R2 Certification: It's how you know.