The Overlooked Risk of Returning Leased Equipment

Leasing IT equipment is a common practice for Australian businesses. It provides access to current technology without large capital outlays and simplifies hardware refresh cycles. However, when leased equipment is returned to the lessor at the end of the term, many businesses fail to consider what happens to the data stored on those devices. The equipment goes back to the leasing company, which typically refurbishes and resells it, meaning your business data could end up in the hands of a completely unknown third party.

The leasing company’s interest is in the physical asset, not the data. While some leasing agreements include data destruction provisions, many do not, and even those that do may not specify the standard of destruction required. Assuming that the leasing company will handle data destruction on your behalf is a risky assumption that could leave your organisation exposed.

What Data Remains on Leased Equipment

Leased equipment accumulates the same data as any owned device. Laptops, desktops, and servers used during a typical three- to five-year lease term will contain years of business documents, email databases, cached credentials, browser histories, and application data. For leased servers, the data exposure can be enormous, potentially including entire databases, backup files, and system logs spanning the full lease period.

Leased multifunction printers and copiers are an often-forgotten risk. Modern MFPs contain internal hard drives that store copies of every document scanned, copied, or printed. A leased copier returned after three years of use could contain images of thousands of sensitive documents including contracts, personnel files, financial statements, and customer correspondence.

Network equipment including routers, switches, and firewalls retains configuration data, VPN settings, access control lists, and potentially cached authentication credentials. Returning this equipment without clearing its configuration could provide the next user with a roadmap to your network architecture.

Legal Responsibility for Data on Leased Equipment

Regardless of what the lease agreement says, the responsibility for personal information stored on leased equipment rests with the organisation that collected and stored that information. Under the Australian Privacy Act, the entity that holds personal information must take reasonable steps to destroy it when it is no longer needed. Returning equipment to a lessor without wiping it does not transfer this obligation.

If personal information from your leased equipment is subsequently accessed by an unauthorised party, your organisation bears the liability, not the leasing company. The fact that you no longer possessed the equipment at the time of the breach does not absolve you of responsibility for failing to destroy the data when the equipment was still in your control.

PCI DSS compliance adds another dimension for businesses that process credit card payments on leased POS terminals or computers. The PCI DSS requires that cardholder data be rendered unrecoverable on media leaving the organisation’s control, which explicitly includes leased equipment being returned.

Legal clarity: Returning leased equipment to the lessor does not transfer your data protection obligations. Your organisation remains responsible for any personal information on that equipment until it is properly destroyed, regardless of who physically possesses the device.

What Lease Agreements Typically Cover

Many standard IT lease agreements include minimal or no provisions about data destruction. The lessor is focused on the condition and functionality of the physical asset for resale purposes. Data security is treated as the lessee’s responsibility, which it legally is, but this is not always explicitly stated.

Some leasing companies offer data destruction as an additional service, either included in the lease or available for a fee at return. If this service is offered, it is worth understanding exactly what it involves. Questions to ask include what standard of data destruction is applied, whether certificates of destruction are provided, and whether the destruction occurs before or after the equipment enters the refurbishment process.

When negotiating new leases, consider including specific data destruction provisions in the agreement. These should specify the standard of destruction required (such as NIST 800-88), require certificates of destruction, and establish timelines for when destruction will occur after return.

Best Practices Before Returning Leased Equipment

The safest approach is to perform data destruction yourself before the equipment is returned to the lessor. This keeps control of the process entirely within your organisation and eliminates reliance on third-party assurances.

For laptops and desktops, software-based data sanitisation using NIST 800-88 compliant tools should be performed before the device is packed for return. The sanitisation process should be verified, and a certificate or log should be retained as evidence that the process was completed.

For servers being returned, ensure that all drives are sanitised, including any drives in RAID configurations. RAID arrays must be sanitised drive by drive, not simply by deleting the RAID configuration: breaking the array removes only the RAID metadata, and the data on each member drive remains recoverable.

For printers and copiers, access the device’s administrative interface and perform a full disk overwrite of the internal storage. Most enterprise MFPs include a data security option for this purpose. If the device does not support secure erasure, consider engaging a professional to remove and physically destroy the internal drive before returning the unit.

For network equipment, perform a factory reset and verify that all configuration data, stored credentials, and log files have been removed. Check that no custom firmware or configuration files remain on the device.
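The verify-and-keep-a-log step above can be made concrete with a small script. This is an added Python example, not code from the original article; it assumes a Clear-style overwrite with zeros on a drive or drive image, and the asset tag, serial number and sample image it works on are constructed values.

```python
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

SECTOR = 512

def verify_overwrite(path, sample_count=256, pattern=b"\x00", seed=None):
    """Sample sectors of a wiped drive/image; return (checked, [sectors still holding data])."""
    with open(path, "rb") as dev:
        dev.seek(0, os.SEEK_END)              # size works for files and block devices
        total = dev.tell() // SECTOR
        if total == 0:
            raise ValueError("device is smaller than one sector")
        chosen = set(random.Random(seed).sample(range(total), min(sample_count, total)))
        chosen.update({0, total - 1})         # ends of the drive are common wipe gaps
        expected = (pattern * SECTOR)[:SECTOR]
        failures = []
        for sector in sorted(chosen):
            dev.seek(sector * SECTOR)
            if dev.read(SECTOR) != expected:
                failures.append(sector)
    return len(chosen), failures

def sanitisation_record(asset_tag, serial, method, sectors_checked, failures):
    """Log entry retained as evidence; the SHA-256 lets an auditor spot later edits."""
    record = {
        "asset_tag": asset_tag,
        "serial": serial,
        "method": method,                     # e.g. "NIST 800-88 Clear, single-pass overwrite"
        "sectors_checked": sectors_checked,
        "result": "PASS" if not failures else "FAIL",
        "failed_sectors": failures[:20],      # bounded so the record stays small
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["record_sha256"] = hashlib.sha256(body).hexdigest()
    return record

def make_sample_image(sectors, leftover_at=None):
    """Constructed input: zero-filled image with an optional leftover fragment in one sector."""
    tmp = tempfile.NamedTemporaryFile(suffix=".img", delete=False)
    tmp.write(b"\x00" * (SECTOR * sectors))
    if leftover_at is not None:
        tmp.seek(leftover_at * SECTOR + 64)
        tmp.write(b"CONSTRUCTED LEFTOVER: customer invoice fragment")
    tmp.close()
    return tmp.name
```

A read-back check like this only confirms what the drive controller returns; on SSDs it cannot see remapped or over-provisioned cells, which is why the NIST 800-88 tool chosen should use the drive's own sanitise command for flash media.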

Managing the Lease Return Process

Build data destruction into the lease return workflow rather than treating it as a separate activity. When equipment is flagged for return at the end of its lease term, the first step should be data destruction, followed by functional verification (to confirm the device still meets return condition requirements), and then physical return.

For organisations with large lease portfolios, staggering returns to avoid overwhelming the IT team helps ensure that every device receives proper attention. Returning 200 laptops in a single batch creates pressure to cut corners, while processing them in groups of 20 or 30 allows thorough handling.

Working with a certified ITAD (IT asset disposition) provider can bridge the gap between your organisation and the leasing company. The ITAD provider can perform certified data destruction on leased equipment before it is returned, providing your organisation with certificates of destruction while ensuring the equipment meets the lessor’s return condition requirements.

Retain all data destruction documentation for at least the same period you would retain records of data that was stored on the equipment. If a question arises years later about how specific data was handled, having the certificate of destruction for the relevant device provides clear evidence of compliance with your data protection obligations.